Enterprise governance, risk and compliance (eGRC) continues to emerge as a top C-Suite priority, yet only 20 percent of organisations have a clearly defined eGRC strategy that pertains to the entire enterprise, and 33 percent admit they have no eGRC strategy at all, finds a study conducted by EMC Corporation and the Ponemon Institute, LLC.
“Taking an enterprise-wide approach to governance, risk and compliance by managing information and what that means for all elements of the organisation – IT, legal, human resources and all the requisite facets – is no longer a choice; it’s a strategic imperative,” says Tom Roloff, Chief Operating Officer for EMC Consulting. “It is only through a multi-faceted and integrated view of information sources and requisite policies that organisations can satisfy the growing requirements of corporate boards and regulatory agencies for an integrated, centralised risk and compliance strategy.”
Lack of Collaboration
The study also found that while eGRC responsibilities are rapidly spreading from the IT epicentre out to the operations, finance and legal domains, collaboration among these critical areas is lagging behind. Only 28% of respondents report that their organisations enjoy frequent collaboration or cooperation among eGRC domains, and 12% admit their eGRC functions still operate in silos.
Just how distributed have eGRC activities become? The Ponemon report finds that while governance activities are still most likely to be located in IT, risk management activities are usually managed within the associated domain. Similarly, compliance activities typically reside in their own corporate compliance function, while privacy and data protection management is most likely to be located in the legal department. When it comes to ranking the importance of these fundamental eGRC activities, risk management takes first place at 32%, followed by compliance at 27%, governance at 22% and privacy and data protection at 20%.
“Silos are the enemy of an effective eGRC program,” says Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute for Privacy Research. “These departments deal with related information and business processes around policies, business processes and multiple regulations. Unfortunately, they are not talking to each other, which results in a great deal of waste and inconsistency. Without collaboration across functions, the business is at risk.”
Privacy Emerges as eGRC Collaboration Flashpoint
Regardless of their industry, all organisations report that managing privacy regulations by geography and in accordance with country or state laws is a driving factor in their organisation’s move to an integrated program that supports IT, legal, operations and finance.
Respondents identified their top two privacy challenges as 1) ensuring data shared with third parties will remain safe and secure and 2) complying with all appropriate regulations.
“Privacy and data protection is a particularly pressing issue,” says Dr. Ponemon. “Today these essential privacy management responsibilities are typically split between the legal and IT functions. While the legal department plays a dominant privacy role overall, IT still holds accountability for implementing controls to address privacy regulations. So you can see why the IT and legal teams need to speak the same language and collaborate like never before to reduce enterprise risks.”
Collaboration at Work
“Policy management, incident response, and compliance monitoring are critical for highly regulated and litigious industries, but frequently organisations outside these industries ignore day-to-day business risks, including using e-mail for communications and employee litigations,” says Jeff Bettencourt, General Manager, Information Governance Solutions, EMC. “Organisations that truly understand the critical dependencies across domains and can align policies, processes, and technologies gain greater visibility and control to more effectively manage risk across the enterprise. This can be a key competitive advantage.”
Looking ahead, nearly 90% of respondents believe enabling technologies are essential or very important to achieving eGRC objectives. The applications that are most likely to be deployed to facilitate eGRC-related activities include risk assessment (81%), policy management (75%), controls assessment (73%), incident response and management (68%), and compliance monitoring (63%).