Strategic CIO // IT Strategy
Commentary
6/19/2014 06:00 AM
Susan Nunziata
Top 10 Governance, Risk, Compliance Tech Spending Priorities

Does your IT strategy encompass all aspects of governance, risk, and compliance?


The top 10 IT spending priorities for governance, risk, and compliance could serve double duty as a list of the fears that keep IT executives awake at night. Yet most organizations still use 1990s technology to handle their GRC needs, according to a survey released in May by the nonprofit Open Compliance and Ethics Group (registration required).

More than half (53%) of the 237 respondents to the OCEG survey said their organizations use mainly spreadsheets, emails, and documents to handle GRC. The rest use an internally developed GRC application (17%), a single commercial GRC application (24%), or two or more commercial GRC applications (6%).

GRC is practically an industry unto itself. US federal agencies, for example, publish an average of 14.7 final rules and 9.4 proposed rules each workday, according to Osterman Research. Then there are industry-originated compliance programs such as PCI in retail. And every company needs to have quick access to data for e-discovery in the event of a lawsuit.


The OCEG survey reveals just how scattered GRC duties are across organizations, making it hard for IT to create a tech roadmap that serves all departments. Consider the roles and departments of survey respondents:

  • Risk management: 25%
  • Audit: 22%
  • Corporate compliance/ethics: 21%
  • Other GRC roles: 32%. This category alone includes IT (9%); centralized GRC group/architecture (5%); security (5%); business management/executive (5%); business operations/logistics (2%); finance/accounting (2%); and vendor/supplier management, research, corporate social responsibility, and legal (4%).

Slightly less than half the respondents (46%) said their GRC technology is well utilized, while 51% said it's underutilized, and 3% were unsure. The vast majority (81%) of GRC applications used by survey respondents are either focused on a single department's needs or designed to resolve a specific GRC issue. As such, they're generally not integrated with other GRC applications.

The OCEG offered a choice of 27 categories of GRC technologies and asked respondents to identify their priorities (multiple responses were allowed). The following categories topped the final list.

Table 1: Top 10 GRC Technology Spending Priorities

  GRC category                      Percent of respondents
  Risk management                   33%
  Compliance management             30%
  Audit management                  23%
  Automated controls                21%
  IT risk and security              21%
  Policy and training management    19%
  Business continuity               12%
  Reporting and disclosure          12%
  Third-party management            10%
  Fraud and corruption              10%

Source: 2014 OCEG GRC Technology Strategy Survey

GRC technology decisions are made at an enterprise level and span departments, according to 44% of the respondents to the OCEG survey. Another 35% say those decisions span multiple departments but haven't quite reached the enterprise level. For 10% of respondents, GRC technology decision making is left to a single department, while 3% said it's a group decision focused on a specific issue, and 8% were unsure.

Spending on GRC technology will increase this year for the organizations of 64% of the survey respondents, while 22% said their spending will remain flat, and 14% plan to decrease their GRC spending.

So where does IT fit into this picture? The OCEG advises IT leaders to:

  • Find and bring together all the stakeholders in your company involved in GRC.
  • Form a leadership team that can identify all your company's needs based on its GRC objectives and obligations.
  • Examine the common processes that GRC stakeholders must execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit, and case management.

IT should then work with this group to identify the following GRC needs.

  • Data and information: Who needs to know what and when? How should information be stored, backed up, and secured?
  • Process and transaction: Which specific GRC processes and transactions, such as filing reports and processing complaints, must be facilitated and streamlined? How can the company get rid of inefficient, ineffective, and error-prone manual processes?
  • Control and monitoring: Which preventive and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor those controls? How can the company test those controls and document that the testing was completed?
  • Documentation and systems of record: Every organization needs a system of record for data and other evidence that demonstrates that it's doing the right thing, especially in the area of compliance.

The OCEG advises organizations to then take an inventory of the people, processes, and technology currently in place, as well as the vendors being used, and identify GRC needs that aren't being met.

    Then, IT and [other GRC stakeholders] can work together to enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control-mapping software.

How does your IT organization handle (or avoid) GRC management challenges? How involved are you in making GRC technology decisions for your company? Which, if any, of the steps outlined above is your company already taking? What other advice do you have for IT pros dealing with GRC? Tell us all about it in the comment section below.


Comments
Ashu001
User Rank: Ninja
6/28/2014 | 4:00:33 PM
Thanks for taking up on my Suggestions!
Dear SusanN,

Thank you so much for taking up on my suggestion (to release an article on this Issue).

Really, really appreciate it and must say you have done a fine job!

It never ceases to amaze me how few Organizations do GRC effectively (if at all today).

Most just simply bolt some Modules onto their ERP system and think the Job is done.

Unfortunately, the real changes needed (at the Employee Level) almost never happen.

Regards

Ashish.

Ashu001
User Rank: Ninja
6/28/2014 | 3:55:29 PM
Re: Those Pesky Stakeholders
Curt,

As someone who has dealt with precisely this situation previously, I have to say you have hit it right on the head.

None of this stuff is easy to handle/wrap your hands around initially.

However, that doesn't mean one should ignore it entirely, because that will be a sure-fire recipe for not just Chaos but also a total mess in the company at hand.

Regards

Ashish.
Ashu001
User Rank: Ninja
6/28/2014 | 3:49:19 PM
Re: The role of the CIO
sferguson,

What typically tends to happen is that Compliance falls outside the typical ambit of C-Level Execs.

The Department typically reports directly to the Board (or in rare cases to the CFO).

Compliance usually has all these complementary functions rolled into one Independent Unit for greater effectiveness.

The Key here is GRC: Governance, Risk and Compliance.

You have to put all that together in the name of Fraud Prevention (among other closely related functions).

Regards

Ashish.
Susan_Nunziata
User Rank: Strategist
6/25/2014 | 3:47:10 PM
Re: Those Pesky Stakeholders
@Curt: Ah, yes, in an ideal world...

I'm sure you've nailed exactly why the CIO probably keeps his or her distance when it comes to helping make technology decisions that can improve GRC management in an organization. Thing is, GRC really extends to every corner of the organization, and at the moment most organizations handle it on a dept.-by-dept. basis. The CIO does have a role to play in helping to shape a more strategic, holistic approach, and would probably do well to start by convincing the CEO that this is needed, rather than trying to work the problem from the ground up.
Susan_Nunziata
User Rank: Strategist
6/25/2014 | 3:44:20 PM
Re: The role of the CIO
@Scott: Figuring out where the CIO fits in is exactly the challenge here. As the survey results show, only 9% of respondents were CIOs, yet we're talking about technology decisions that could dramatically improve a company's GRC position. While the CIO alone cannot make these decisions, the CIO can and should, in my opinion, take a more active role in helping guide GRC purchasing decisions and help figure out better ways to manage GRC needs. Letting GRC stakeholders rely on spreadsheets and Word documents is downright dangerous and could be extremely costly for an organization.
sferguson10001
User Rank: Moderator
6/20/2014 | 11:08:03 AM
The role of the CIO
Susan: I read your article, but I didn't see where someone like the CIO fits in. Should an issue like compliance be the responsibility of the CIO? Is that the best use of his or her time? How much of the legal department should be involved? Or do you need a team of tech, legal, and other major stakeholders to get this to work? Should you hire a consultant instead who has expertise in this field?
Curt Franklin
User Rank: Strategist
6/20/2014 | 10:53:37 AM
Those Pesky Stakeholders
It seems to me that the hardest part of the suggested practice is figuring out precisely who "all the stakeholders" are. In an organization of any size, about the time you have your third meeting someone's going to pop up and say, "Wait -- I play a vital role in this process and what you're doing is all wrong!" I have to believe that some sort of formal notification and comment process should be internally published: If a stakeholder ignores the announcements about the process and doesn't deliver comments during the proper period, then they get to adapt what they're doing to the new process, regardless of their caterwauling.

Yeah, no politics wrapped up in that, at all.