www.cimtech.co.uk
ARTICLES | February 2008

Transforming compliance into effective risk management

Over the past decade, the proportion of corporate spend on compliance activity has soared. But to what end? In the majority of cases, these box ticking exercises are making little contribution to an organisation’s understanding of risk exposure.

By Stephen Hall, MD, Information Governance Ltd (InfoGov)

Businesses are increasingly recognising the futility of addressing compliance requirements in isolation. However, most companies have still not created an integrated approach to the disciplines of governance, risk and compliance (GRC), and so have no complete view of organisational risk.

In fact, any organisation that can today identify even its 25 most critical business processes and the assets they depend on, and can state the financial, operational and legislative consequences of a compromise in any one of them, will be better placed than 95 per cent of UK companies.

Instead, piecemeal policies that address each regulation or requirement in turn result in duplication, confusion and excessive use of skilled staff. This approach creates a compliance burden that threatens profitability and constrains critical innovation and development.

In reality, few organisations ever achieve their compliance goals. Many have adopted a head-in-the-sand attitude, believing, or hoping, that business continuity and compliance processes are in place. Only a small minority hold the information needed to justify that assumption. The much-vaunted board-level compliance reports are too often based on guesswork, and this subjectivity leaves organisations exposed to rapidly increasing business risk.

Corporate delusion

Furthermore, each new compliance requirement, such as the Payment Card Industry Data Security Standard (PCI DSS) that Visa and MasterCard impose on their higher-tier merchants, demands another multi-million pound investment, even from companies that have already invested extensively in security infrastructure.

Yet these organisations will, or should, have captured extensive business continuity, compliance and asset information over the past few years in response to successive regulatory change. Indeed, vast amounts of information are, in theory, being collected to support a range of standards, regulations and frameworks, from ISO 17799 (now ISO/IEC 27002) to Sarbanes-Oxley, COSO and the COBIT IT governance framework.

It should therefore be straightforward to reuse that information to demonstrate compliance with any new standard. Unfortunately, because the information is gathered in support of piecemeal policies, often on multiple, disconnected spreadsheets, there is no way to build the consolidated view that would deliver corporate value or demonstrate compliance with the new rules.

Poor information

Organisations increasingly recognise the overlap between these standards and are looking to create some consistency through an all-encompassing set of security policies and procedures, often referred to as convergence. Yet creating these tailored processes alone can take years: one of the UK's leading financial institutions spent two years and achieved little more than a re-definition of its own standards based on global best practice.

Simply creating the standards does not bring an organisation any closer to more effective compliance or better risk management. Without a consolidated approach to information collection and analysis, supporting any new standard will require extensive additional investment.

Take the insurance company that has spent over a year developing spreadsheets to collect basic compliance data from over 30 group member companies. The resultant information will be valueless because it will lack the level of detail required to support a breadth of compliance requirements or contribute towards an overall view of business risk exposure.

Single tool

If organisations are to consolidate governance, risk and compliance activity, they need a single tool for collating and analysing critical information across the entire business: one source of information supporting asset management, business process analysis, business impact analysis, business continuity, incident management and document management.

Using a simple web-based tool, information can be input via the corporate intranet to support a range of pre-defined processes tied in with the key operational compliance requirements—from ISO 17799 onwards. By capturing the asset and compliance information centrally, organisations can transform the speed with which new regulatory demands can be met.

Active risk management

This information not only streamlines compliance activity but, critically, can give management a real-time view of the company's risk status. For example, in the event of a security incident, the single information view provides immediate insight into the affected assets, the business processes at risk and the attendant financial exposure. It also identifies the defective or compromised security controls that allowed the incident and, critically, flags the regulatory requirements that may have been breached as a result.
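The incident-time lookup described above, as an added example that is not the article's code and not InfoGov's product: a small Python model in which assets, business processes, controls and the regulations those controls evidence are held in one registry, so that a compromised asset can be traced to the affected processes, the financial exposure, the controls to review and the regulations at risk. It also lists assets that a process depends on but that no control covers, which the text does not mention but follows from the same data. Every asset, process, control and regulation mapping below is constructed sample data, and the loss-per-hour figures stand in for business impact analysis output.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Control:
    """A security control, the regulations it is evidence for, and the assets it protects."""
    name: str
    regulations: FrozenSet[str]
    assets: FrozenSet[str]


@dataclass(frozen=True)
class Process:
    """A business process, the assets it depends on, and its loss rate from the BIA."""
    name: str
    assets: FrozenSet[str]
    hourly_loss_gbp: float


@dataclass(frozen=True)
class IncidentView:
    """What management needs to see the moment an incident is logged."""
    affected_processes: List[str]
    financial_exposure_gbp: float
    controls_to_review: List[str]
    regulations_at_risk: List[str]


class GrcRegistry:
    """Single store of asset, process, control and regulation relationships."""

    def __init__(self, processes: Iterable[Process], controls: Iterable[Control]):
        self.processes = {p.name: p for p in processes}
        self.controls = {c.name: c for c in controls}
        self.assets: Set[str] = set()
        for p in self.processes.values():
            self.assets |= p.assets
        for c in self.controls.values():
            self.assets |= c.assets

    def incident_view(self, compromised_assets: Iterable[str], outage_hours: float,
                      failed_controls: Iterable[str]) -> IncidentView:
        compromised = set(compromised_assets)
        failed = set(failed_controls)
        # Refuse to report on anything the registry does not know about: an unknown
        # asset or control means the single source of truth is incomplete.
        unknown = compromised - self.assets
        if unknown:
            raise ValueError(f"unregistered assets: {sorted(unknown)}")
        unknown_ctl = failed - self.controls.keys()
        if unknown_ctl:
            raise ValueError(f"unregistered controls: {sorted(unknown_ctl)}")
        # Processes are at risk if they depend on any compromised asset.
        affected = [p for p in self.processes.values() if p.assets & compromised]
        exposure = sum(p.hourly_loss_gbp * outage_hours for p in affected)
        # Every control protecting a compromised asset needs review, plus those known to have failed.
        to_review = {c.name for c in self.controls.values() if c.assets & compromised} | failed
        # A failed control puts every regulation it evidences at risk of breach.
        regs = set().union(*(self.controls[n].regulations for n in failed))
        return IncidentView(sorted(p.name for p in affected), exposure,
                            sorted(to_review), sorted(regs))

    def coverage_gaps(self) -> List[str]:
        """Assets some process relies on that no registered control protects."""
        protected = set().union(*(c.assets for c in self.controls.values()))
        return sorted({a for p in self.processes.values() for a in p.assets} - protected)


def build_sample_registry() -> GrcRegistry:
    """Constructed sample data; not taken from any real organisation."""
    processes = [
        Process("online sales", frozenset({"web-store", "card-db", "price-feed"}), 5000.0),
        Process("payroll", frozenset({"hr-files"}), 800.0),
    ]
    controls = [
        Control("card data encryption", frozenset({"PCI DSS"}), frozenset({"card-db"})),
        Control("access logging", frozenset({"PCI DSS", "SOX"}), frozenset({"card-db", "hr-files"})),
        Control("change control", frozenset({"SOX", "COBIT"}), frozenset({"web-store"})),
        Control("access control policy", frozenset({"ISO 17799", "PCI DSS"}),
                frozenset({"card-db", "web-store", "hr-files"})),
    ]
    return GrcRegistry(processes, controls)


if __name__ == "__main__":
    registry = build_sample_registry()
    view = registry.incident_view({"card-db"}, outage_hours=4, failed_controls={"access logging"})
    print(view)
    print("uncovered assets:", registry.coverage_gaps())
```

The point of the model is that the incident report is a query over relationships already recorded for other purposes (asset register, BIA, control evidence), not a fresh investigation; the same relationships expose assets with no control at all before any incident occurs.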

Furthermore, email and/or text alerts can ensure that management across the organisation respond rapidly to potentially compromising incidents, such as cases of racial abuse, theft or damage to company assets. The same information can be used to assess trends in incidents, enabling the proactive introduction of new measures, such as staff training, to mitigate the business risk.

By distributing compliance processes across an organisation and distilling the information into a simple dashboard view, management can move from a guesswork-based approach to operational compliance to a real-time understanding of risk exposure.

Business value

Over the past decade, standards bodies have invested heavily in creating important standards for risk management and compliance designed to minimise corporate risk. Yet in too many cases organisations simply cannot implement these standards due to a lack of accurate, up-to-date information.

Business-wide strategy

There is growing recognition that, with little or no co-operation between those tasked with governance, risk and compliance, organisations are missing a huge opportunity to exploit the commonality between requirements and drive down the cost of achieving compliance. However, the real value can only be derived by providing an effective framework for collecting information and then using that information to support proactive risk management across the entire global operation.

Taking this approach, organisations can evolve beyond box-ticking compliance activity delivered by a dispersed set of security professionals. Instead, by creating a business-wide risk management strategy that provides a real-time understanding of the financial, operational and legislative implications of security incidents, UK boardrooms can finally prove that their governance, risk and compliance investment delivers tangible value.

The author, Stephen Hall, is Managing Director at Information Governance (InfoGov), where he is responsible for managing the existing client base, the co-ordination of all commercial activities and the development of InfoGov's flagship Proteus Enterprise™ software, which provides companies with a fully integrated, scalable, web-based information security, risk management and compliance solution that can be tailored to any internal or international standard.

Information Management & Technology (IM@T.Online), ISSN 1757-823X