5 min read

Top 10 Governance, Risk, Compliance Tech Spending Priorities

Does your IT strategy encompass all aspects of governance, risk, and compliance?
10 Powerful Facts About Big Data
10 Powerful Facts About Big Data
(Click image for larger view and slideshow.)

The top 10 IT spending priorities for governance, risk, and compliance could serve double duty as a list of the fears that keep IT executives awake at night. Yet most organizations still use 1990s technology to handle their GRC needs, according to a survey released in May by the nonprofit Open Compliance and Ethics Group (registration required).

More than half (53%) of the 237 respondents to the OCEG survey said their organizations use mainly spreadsheets, emails, and documents to handle GRC. The rest use an internally developed GRC application (17%), a single commercial GRC application (24%), or two or more commercial GRC applications (6%).

GRC is practically an industry unto itself. US federal agencies, for example, publish an average of 14.7 final rules and 9.4 proposed rules each workday, according to Osterman Research. Then there are industry-originated compliance programs such as PCI in retail. And every company needs to have quick access to data for e-discovery in the event of a lawsuit.

[If your company hasn't yet faced a software audit, it will. Here's how to prepare. Prepare To Be (Software) Audited.]

The OCEG survey reveals just how scattered GRC duties are across organizations, making it hard for IT to create a tech roadmap that serves all departments. Consider the roles and departments of survey respondents:

  • Risk management: 25%
  • Audit: 22%
  • Corporate compliance/ethics: 21%
  • Other GRC roles: 32%. This category alone includes IT (9%); centralized GRC group/architecture (5%); security (5%); business management/executive (5%); business operations/logistics (2%); finance/accounting (2%); and vendor/supplier management, research, corporate social responsibility, and legal (4%).

Slightly less than half the respondents (46%) said their GRC technology is well utilized, while 51% said it's underutilized, and 3% were unsure. The vast majority (81%) of GRC applications used by survey respondents are either focused on a single department's needs or designed to resolve a specific GRC issue. As such, they're generally not integrated with other GRC applications.

The OCEG offered a choice of 27 categories of GRC technologies and asked respondents to identify their priorities (multiple responses were allowed). The following categories topped the final list.

{Table 1}

GRC technology decisions are made at an enterprise level and span departments, according to 44% of the respondents to the OCEG survey. Another 35% say those decisions span multiple departments but haven't quite reached the enterprise level. For 10% of respondents, GRC technology decision making is left to a single department, while 3% said it's a group decision focused on a specific issue, and 8% were unsure.

Spending on GRC technology will increase this year for the organizations of 64% of the survey respondents, while 22% said their spending will remain flat, and 14% plan to decrease their GRC spending.

So where does IT fit into this picture? The OCEG advises IT leaders to:

  • Find and bring together all the stakeholders in your company involved in GRC.
  • Form a leadership team that can identify all your company's needs based on its GRC objectives and obligations.
  • Examine the common processes that GRC stakeholders must execute, including risk assessment, control design, policy creation and dissemination, training, surveying, hotline/helpline intake, control monitoring, process assessment and audit, and case management.

IT should then work with this group to identify the following GRC needs.

  • Data and information: Who needs to know what and when? How should information be stored, backed up, and secured?
  • Process and transaction: Which specific GRC processes and transactions, such as filing reports and processing complaints, must be facilitated and streamlined? How can the company get rid of inefficient, ineffective, and error-prone manual processes?
  • Control and monitoring: Which preventive and detective controls should be put in place to address risks? Which of these controls should be automated? How can the company automatically monitor those controls? How can the company test those controls and document that the testing was completed?
  • Documentation and systems of record: Every organization needs a system of record for data and other evidence that demonstrates that it's doing the right thing, especially in the area of compliance.

The OCEG advises organizations to then take an inventory of the people, processes, and technology currently in place, as well as the vendors being used, and identify GRC needs that aren't being met.

    Then, IT and [other GRC stakeholders] can work together to enhance the enterprise architecture to address these needs. These changes could include using existing technology differently to turn available data into GRC-ready information, as well as building or buying new GRC-specific components, such as risk and control-mapping software.

How does your IT organization handle (or avoid) GRC management challenges? How involved are you in making GRC technology decisions for your company? Which, if any, of the steps outlined above is your company already taking? What other advice do you have for IT pros dealing with GRC? Tell us all about it in the comment section below.

IT leaders who don't embrace public cloud concepts will find their business partners looking elsewhere for computing capabilities. Get the new Frictionless IT issue of InformationWeek Tech Digest today (free registration required).