Analyst Coverage: David Norfolk
Good business is about taking (effectively managed) risks. Governance is about recognising, managing and exploiting risk and is an essential component of good business. GRC (Governance, Risk & Compliance), is a subset of Governance around using tools to help an organisation implement governance.
The issue today is that customer opinion (as expressed, for example, in the Twittersphere), brand management and increased regulation can make taking risks increasingly uncomfortable. GRC in pactice should be all about managing risk and achieving ‘just enough’ governance and compliance for all involved to be comfortable with what they’re doing; and confident that there won’t be any nasty surprises from auditors and regulators:
- Governance is about doing things right—getting value for money from investment in technology and automation, without waste; by using, e.g., policy management, systems engineering and project portfolio management.
- Risk is about identifying and managing the risks/threats that could affect service delivery by using, e.g., network and data security.
- Compliance is about doing the right things sufficiently well to keep the regulators and courts happy, by using, e.g. security analytics
Governance is a hierarchy of concerns. Overall organisational governance (supported by industry initiatives such as TQM and Six Sigma) is the result of well-governed, more specific, processes (using accepted standard frameworks such as COBIT and ITIL) acting on and producing good quality data. This means that data modelling and enterprise architecture modelling, with a management-friendly interface to the models, is an important enabler for good governance—see here. This is stuff that you may be doing already, even if you aren’t using dedicated GRC tools.
Governance affects most aspects of the automated business;Bloor itself specifically concentrates on:
- IT governance, which is about knowing that your technology is being used properly, for things that support your strategic policies;
- Process governance, which is about knowing that people are following appropriate “best practices” all the time, without micromanaging what they’re doing;
- Data governance, which is about knowing that the data you rely on when making decisions is the right data, appropriately up-to-date, and as correct as it needs to be.
If you are any sort of a manager you should care about Governance or GRC because you are expected to be in control of your business, insofar as you are responsible for managing your part of it. If you are a C-level manager, you should care more, because you are responsible for the organisation’s implementation of GRC as a whole, as part of its Corporate Governance; and you may be personally subject to regulatory penalties (or your company may be put out of business) if you are unable to show ‘good governance’ in the context of any applicable regulations. At the same time, your shareholders or investors will expect you to manage risk better than your competition and deliver business success, as well as controlling theft and fraud, and GRC tools can help you to implement the governance to do this.
Various scandals and financial crises have made governments nervous and risk-averse, resulting in burdensome compliance demands (such as Sarbanes-Oxley (SOX) and Solvency II), with draconian penalties for non-compliance—board directors can go to gaol over non-compliance. This means that management can become so risk-averse that business suffers—itself a business risk.
‘Just enough’ governance lets you overcome this and get things done in business with less waste and ‘no surprises’; and, of course, a well-governed company is more attractive to investors and potential business partners. In the technology space specifically, when “the business runs on software”, as many do now, IT governance isn’t just a matter for the IT group to worry about. However, governance generally is a big, wide-ranging topic and it is important to prioritise the issues. You don’t want potential governance issues to distract you from more immediately important GRC issues (with the emphasis on compliance issues that can stop you doing business).
Managing GRC (seen just as using tools to tick compliance boxes) as a tax on the business (“do as little as possible to pass the audit and then forget about it until next time”) is a mistake. It’s better to see it as an enabler of better practice:
- Governance includes efficiency and effectiveness—using the organisation’s technology in pursuit of business outcomes without waste. Avoidance of waste benefits the bottom line.
- Risk management means that an organisation can identify, quantify and deal with its risk; so it can take more risks and go after new business that its competition is afraid to deal with
- Compliance is then an economical and maintainable by-product of governance and risk management and can be used in marketing the organisation—as evidence that the organisation is a good one to do business with.
Resources such as the IT Governance Institute (ITGI), ISACA (COBIT is ISACA’s globally accepted IT governance framework) and the ISO 38500 standard for corporate governance of information technology can help you implement a governance framework without reinventing the wheel.
The most obvious sign of good governance, although this must not be purely superficial, is perhaps the availability of management-level dashboards giving appropriate visibility into technology processes, so that management can see that its strategies are being followed and that the ‘machine under the business’ is working well. You don’t need to know how the engine in your BMW works in order to know that it is functioning properly (no red lights on the dashboard console is a good indicator), and that it’s getting you from A to B while meeting the appropriate safety regulations and legal speed limits—you should manage the technology your business runs on in a similar way. The benefits of good governance can be, and should be, measured on the bottom line, otherwise investment in governance is a waste of resources.
Governance-specific tools from the vendors below are available to help with documentary compliance; the building of models which demonstrate your understanding and control of the organisation’s data and processes; formal risk management; secure transmission of regulated information; the maintenance of audit trails; and so on
Most IT tools, however, have a part to play in supporting governance; and, in particular, tools associated with: