Can unified governance deliver for the emerging GRC market

Written By:
Content Copyright © 2007 Bloor. All Rights Reserved.

GRC—standing for governance, risk and compliance—is an (inevitable) three-letter acronym referring to an emerging IT sector being driven by the pressure placed on businesses from the huge increase in legislation covering how companies are required to behave.

While there are major tasks in this area, be wary of very large consultancies anxious to work with enterprises on GRC and claiming multi-million dollar open-ended contracts are needed. Try asking them what they are offering to achieve ‘unified GRC’ or unified governance.

Unified governance is, or should be, the end-goal of GRC—the bringing together of all a company’s relevant functions to ensure good governance, with an emphasis on corporate policy implementation achieving all the desired results in every situation. However, even to get your (or my) head round everything involved in this is difficult—and different for each enterprise—so it is an even bigger ask to turn the theory into practice.

A starting point in understanding the approach may be to learn from one of the few specialists with a track record in this field. UK-based Peapod Consulting is a niche consulting practice dedicated to security and compliance; it also sources a number of existing software products that they see as filling the gaps in the process of achieving the unified governance goal.

Security and (legislative) compliance are inextricably linked since, for instance, much of the legislation involves achieving the privacy and protection of company-held information using security techniques. In fact, GRC is many-faceted.

A unified approach involves bringing together the often separate corporate functions of risk and compliance management, security, business continuity (BC) and general business functions—and applying IT to it. To achieve it also involves a considerable internal culture shift. Peapod points out that unified governance has to cut across departments with a single definitive source of information being held—upon which senior business executives and IT and other expert practitioners must work co-operatively in fulfilling their roles. This also involves them all speaking the same business-technology language.

The core solutions ultimately boil down to using IT to assist companies in defining, implementing and monitoring the success of policies that influence parts or all of their operations. Probably, enforcing correct policy implementation in every situation is the biggest enterprise headache. In terms of software, this includes:

  • defining very clearly the business processes and capturing them within workflow systems
  • defining and capturing the policies and, crucially, all the places where they must be applied, ideally helped through some standard policy templates
  • maintaining an up-to-date central repository for all the regulations, legislation and standards (and, when changes occur, ideally to trigger alerts for possible policy changes)—bearing in mind some policies are impacted by multiple standards
  • managing the policies themselves with aids such as control dashboards and analysis tools, along with supporting functions such as audit control and risk assessment—with measurement of the level of compliance being achieved—with any change in any one of these affecting the others (where possible automatically)

This barely scratches the surface of the internal impact of going for unified governance. For a start, an enterprise’s existing IT systems software, stored information and procedures have all to be carefully integrated with the unified governance systems that apply. So embarking on this is not for the faint-hearted.

As of now, Peapod sources several third party software products and adds a little of its own IP; collectively these achieve most of the automation now achievable within unified governance, representing the state of the art. The company also offers standards and policy development training for staff at all levels—an absolute must—and this can include regular on-line testing to assess staff awareness levels.

There is no doubt in my mind that every business beyond the very smallest needs to be looking in the round at GRC / security / standards / policies and their implementation—unified governance—and its potential benefits. Some of the by-products of a proper investigation may anyway pay for themselves in, for instance, reduced risks or operational cost savings from eliminating unnecessary tasks.

With companies struggling—nobody comes close to being fully compliant with every business or legislative requirement—it is unsurprising that GRC represents a rich seam to be exploited. Peapod has demonstrated success with some big-named enterprises and is, I think, on the right track in aiming for the goal of unified governance.

But businesses should be under no illusion. This is a task-and-a-half and needs addressing thoroughly, carefully and a little at a time. Nobody yet has a total answer—but watch the market grow!