Next-level compliance begins with integrated risk management
Collaboration, integration, systemization. It’s easy to pass over words like these, peppered throughout the marketing literature for a vast array of software and services. Not to mention, these words tend to represent a lot of messy work, at least initially. Anyone who has ever been in charge of getting a slew of departments to work together to adopt new processes will get a headache just thinking about it.
But the complex and overlapping challenges of regulatory, technological and business governance are snowballing. It’s clear that traditional, manual approaches to essential obligations like compliance reporting are inefficient at best. In many cases, the lack of interdepartmental collaboration, data integration and process systemization are actually increasing enterprise risk and slowing progress toward strategic objectives.
In his report “Transform Governance, Risk and Compliance to Integrated Risk Management,” Gartner analyst John A. Wheeler highlights a finding from a 2016 survey of risk executives by the Risk and Insurance Management Society: nearly three-quarters of the respondents claimed that forecasting critical risks would be increasingly difficult for the next three years, and the main obstacle is the ongoing lack of “cross-organization collaboration.”
Individual data governance procedures may work well for the departments that designed and customized them, but from a wider enterprise view they hinder data sharing, accountability and visibility. In the era of big data analytics and automated business intelligence, polarization and siloed efforts are a waste of opportunity, not to mention time and resources. Without centralized data management, processes are duplicative and inconsistent, leading to reporting generated from incomplete or outdated data sets.
Miscommunication complicates already burdensome compliance activities as departmental processes overlap or reverse the work of other business units. When boards and executives can’t rely on quality, comprehensive reports and analyses, corporate initiatives and enterprise risk management efforts suffer.
Frameworks and standards such as NIST, HIPAA, PCI DSS, and the ISO 27000 series have increasingly focused their guidance on risk management, especially when it comes to data governance and cyber security. Emerging requirements like GDPR, as well as overarching trends like geopolitics, climate change, globalization, cloud computing, and IoT introduce new risks and governance/compliance challenges.
As the interdependence between third party risk, operational risk, and IT risk increases, leading companies are turning to integrated risk management systems (IRMS) supported by governance, risk management, and compliance (GRC) technology.
Implemented enterprise-wide, these solutions facilitate compliance reporting (and many other essential functions) by centralizing data management and introducing process efficiencies through automation. Processes are integrated and streamlined so they become consistent and repeatable; workflows ensure they are traceable, auditable and predictable. All communications, assessments and remediation activities are documented and stored centrally so that everyone is on the same page.
Risk profiles are more complete and business decisions are based on data-driven, holistic reporting. Likewise, companies are able to streamline audit preparation and experience a more efficient audit. Critical insights into potential hazards, historical trends, and root causes can be gleaned through advanced analytics.
Most importantly, centralized data governance and reporting reduce enterprise and IT risk. By linking processes and resources together for more thorough and prioritized coverage, GRC solutions make better use of existing IT tools and data streams. Tighter integration between departments, systems and processes helps avoid incidents, and when the inevitable breach occurs, ensures that incident response protocols are well coordinated and expeditious.
The enhanced visibility and responsiveness that result from IRMS/GRC implementation are particularly compelling in light of the work involved in governing personal data and complying with PII/PHI requirements. Across an enterprise or value chain, many departments and third parties will handle sensitive personal data on many different systems, for a wide variety of purposes. Tracking each use of protected data and collating reports without GRC tools is time-intensive and error-prone.
For instance, an analysis of a recent Veritas survey highlighted the stark disparity between organizations’ perception of GDPR readiness and their actual compliance with specific provisions. Sixty-one percent of the organizations that claimed to be compliant also stated it would be difficult to report a data breach within 72 hours of awareness, which is a key requirement in breaches that put data subjects at risk.
Gartner’s delineation of integrated risk management attributes encompasses strategy, assessment, response, communication and reporting, monitoring and technology. Implementing this approach certainly requires the messy but rewarding work of collaboration, integration and systemization, but comprehensive GRC solutions provide a central grounding point from which to start or mature, and purpose-built tools for establishing connections, assigning workflows, and bringing efficiencies to labor-intensive processes.
Having a comprehensive picture of risk across business units, partners and vendors is good for business. It informs strategic decisions at the highest levels, keeps operations humming along, and protects investments in people, process and technology. Mature, enterprise-wide compliance programs can shape and strengthen quality, culture, security, corporate responsibility, brand reputation and more. In the past, this level of compliance maturity has been attainable only at a steep cost.
With the support of GRC solutions, day-to-day tasks of monitoring, tracking and documenting can be automated, leaving leaders and teams with more time for higher-level activities. Compliance becomes significantly more efficient and meaningful. As part of an integrated risk approach, it builds resilience and allows organizations to increase their risk appetite. Combined, these benefits put companies at an advantage over competitors and create a solid foundation for growth and change.