“By working together more closely than in the past, compliance, audit and IT professionals have built relationships and developed a sense for the dependencies and impact of IT on the business,” said Gracyalny. “As these groups have begun to collaborate, create a shared vision and integrate their efforts and budgets, a natural tendency towards convergence has emerged.”
One benefit of convergence is that the GRC groups can share best practices, leadership, and their time and talent with the IT organization. This may result in improved access to management (board, audit committee) and a more concise framing of IT issues and their impact on the business. By the same token, the business gains readier access to IT information, which can help it scope its GRC programs, avoid duplicate efforts and target areas of risk that may not be part of the IT governance plan. The result is more holistic coverage of the organization's overall IT risk. It also positions the business to have a better dialogue with IT about the risk of non-compliance and its impact on the business.
“The business will also be the beneficiary of IT’s approach, which likely includes automation, standardization, and the turning of large volumes of data into meaningful management information,” said Gracyalny.
Technology serves as the backbone of an effective GRC architecture. It provides timely access to consistent, accurate and reliable information as well as the capability for appropriate intelligent reporting to facilitate executive decision-making. And firms like Protiviti and BTM Corporation are now offering software to assist in uniting the various aspects of GRC operations.
“GRC is a combination of management in multiple dimensions and at the same time process in terms of tying things together to cover all three functional areas,” said Gunnar Erickson, a practice director at BTM. “The realization is to treat GRC not just as areas for the IT function, but more as a strategic concept for executives.”
Risk, it seems, is playing a large part in turning the minds of C-level executives towards umbrella concepts such as GRC. The risk profile changes as new technologies, processes and partners are introduced. For example, when a company starts using social networking applications for marketing, or when it adopts desktop virtualization or cloud services, it introduces a new risk vector. Similarly, when regulations change or are introduced, risk has to be reevaluated.
“Every time a company introduces a process, application, product or a partner, the interaction creates a ton of data,” said Tero. “This data must be evaluated for its GRC profile and protocols have to be adapted accordingly.”
And this factor of risk has been brought more sharply into focus in recent times … “The financial crisis we are working through currently proves beyond a shadow of doubt that risk management is vital as part of strategy execution,” said Erickson.