Getting To Grips With GRC
By Arabian Computer News
As a developing market, the Middle East in general has not been at the forefront of putting in place standards and regulations to govern organisational management and practices. With many companies still even recently reliant on paper-based processes, the concepts of governance, risk and compliance reporting and monitoring have not been within the scope of any apart from the largest organisations.
As an example, in May 2012 Oracle and Accenture conducted a survey of companies in the UAE with regard to their ability to close, file and report their financial results accurately and on time. Due to inadequate reporting systems, the majority of businesses reported that they still face significant problems with financial reporting. Ninety-two percent of respondents admitted that they have inadequate visibility of reporting processes, compared with 68% globally, while 80% of finance managers reported that they find it difficult to control the quality of financial data over the course of their reporting, highlighting that additional attention should be paid to performance management.
However, due to several factors, the situation is now changing. More and more companies across various sectors are finding that they are obliged to ensure that practices are governed by set standards, rules and policies, and that IT, as the gatekeeper of corporate data, is required to lead the way in being able to track compliance with those standards, provide proof of adherence to regulations, and sound the alarm if behaviour strays from the set path.
The discipline known as Governance, Risk and Compliance (GRC) encompasses a range of different areas but generally applies to policies including corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations. There is considerable overlap between these functions, and while the discipline generally has to encompass the activities of the organisation as a whole, it is the IT, legal and risk management functions that tend to be given responsibility for management and enforcement of GRC and related policies. From a purely IT perspective, GRC has an impact in two areas: whether the organisation’s information technology systems and practices comply with any relevant regulations, and how IT can help track processes across the wider enterprise to ensure compliance.
There are a number of factors driving adoption of GRC standards and solutions across different verticals. According to Megha Kumar, Research Manager – Software, IDC Middle East and Africa, the finance sector has been a leader in GRC, due to the sensitive nature of its processes, and the international nature of the business and the range of global regulations in place. Telecoms is similarly governed by international ITU regulations.
More generally, she says standards such as ISO are gaining ground in sectors like manufacturing and retail.
“A lot of companies want to go with an ISO kind of certification, just so that it puts forward a level of trust, you will see anyone from retailers, to manufacturers to distributors say that they are ISO certified, to show that they have proper processes in place and that they follow international standards. It creates a lot of credibility for them in the market and with customers,” she explains.
Dr Tamer Aboualy, CTO IBM Security Services, Middle East and Africa, noted that governments and government organisations are also leading increased attention to GRC issues, in part driven by a desire to apply higher standards to operations, and in part as a reaction to security incidents. Local standards for IT security, such as those defined by ADSIC in Abu Dhabi and ISR in Dubai, are emerging as a result.
“Governments are now examining their GRC programs, they have also started to understand risk and quickly work towards mitigation,” he says. “Governments are also realising the importance of measuring how industry is managing risk, for example the loss of a sector such as oil & gas, water, or financial services would negatively impact a country’s overall ability to function. It is apparent that greater engagement and guidance to various verticals should be pursued.”
In terms of tackling the requirements of GRC, the IT department’s role tends to be establishing systems that will monitor processes, alert if activity moves outside of accepted parameters, and carry out discovery/retrieval of stored data to prove compliance or investigate any infractions.
There are a number of vendors that are offering solutions to handle these tasks, both large enterprise IT vendors, and smaller niche players.
Simon Claridge, managing director of Modulo EMEA, which has been offering risk management solutions for 20 years, says the company is seeing “phenomenal” growth in demand for its solutions, particularly in verticals such as banking, oil & gas and transportation. Modulo’s Risk Manager solution has been designed as an out-of-the-box GRC solution, to identify, analyse, evaluate and treat risks across the enterprise. Claridge says that its solutions automate key processes related to GRC, and also use pre-scripted knowledge bases that mean customers can see value delivered within days of implementation.
For larger vendors such as SAP and Oracle, GRC solutions are increasingly becoming integrated with wider enterprise applications, where processes are already automated and can therefore be monitored under GRC parameters more easily. Paul Devlin, Head of Business Analytics, SAP MENA, says that solutions can be in place in as little as 90 days.
Ease of deployment does not mean that GRC solutions are a straightforward proposition however. There are many factors from the organisational and management side that need to be aligned for successful GRC adoption.
Devlin adds: “Companies need to be clear about what they want to achieve from a GRC solution and its impact across their business. They should work closely with their internal and external auditors and technology partner to define project successes and milestones. Developing in an agile, phased approach with significant business involvement will typically deliver the most benefits. It is best not to drive GRC purely as an IT project. It needs business input.”
Companies also need to be clear on which standards they are trying to comply with, especially if they are aiming for compliance with multiple standards across different disciplines. There are other considerations of GRC strategy as well.
Dr Angelika Plate, director of Strategic Security Consulting at help AG, says that organisations need management buy-in on GRC projects, and their belief in the benefits: “The main prerequisite for a successful implementation of governance in an organisation is top management awareness and willingness to support the project. If this support is given, implementation of governance in an organisation can be achieved, and how easy or difficult it is depends on how the organisation operates. If the organisation adopts good management principles, has well identified processes and good information flow from top management down to the operational level and vice versa, implementation will be easy. If this is not the case, or if the governance thoughts are only applied to parts of the organisation, it will be more difficult to achieve.”
Simply putting a system into place is also not sufficient to remain compliant. Continuous monitoring of processes and feedback on the same are also important. Tools to monitor compliance and give management insight into compliance status are also necessary. Plate comments: “Tools are an important aspect in achieving governance by monitoring compliance on the operational level. For successful implementations of governance, the strategic element and compliance tools need to work together.”
Nicky Sheridan, senior vice president of Software AG for Middle East, Africa and Turkey, says that systems also need to be flexible, to react to changing conditions.
“A properly defined GRC architecture is built upon common process, information and technology components that are adaptive to a dynamic business environment and integrate with critical enterprise applications. Risk and compliance is no longer limited to annual audits; it now involves continuous monitoring in an ever-changing environment. To be successful, GRC has to be sustainable as an ongoing and integrated part of business processes. By designing and deploying an integrated, process-driven GRC architecture, you will have the ability to constantly adapt to changing market conditions and regulations.”
There are some obstacles to implementing GRC solutions in the region. Skills and experienced staff to implement them are in short supply, and the risk manager role is also not present in many organisations, so ownership and ongoing custody of risk solutions may be unclear.
Kumar says that given the scale of GRC, and the relative lack of maturity of some companies in the region, they should also consider if they really need to go for a major GRC project at all.
“I think the biggest challenge that comes with implementing GRC is that a lot of your business processes are going to get streamlined. It creates a lot of challenges for organisations that have not previously had streamlined functionalities; everything gets scrutinized, everything has to follow a certain system, everything has to meet the requirements set out by the organisation or the compliance monitoring agency,” she says.
“Compliance deployment is not an easy job at any level, not for a large organisation, it is not for a smaller one,” she says. “[Organisations] should have in mind that they are going to have to engage in a massive change in how their business processes are done. They have to look at what are the costs they would incur if they are not compliant – if it is worth overlooking altogether.”
Even though companies may not have a choice in GRC issues, it should still be regarded as a positive benefit to the organisation. Sheridan highlights wider benefits to the organisation through good compliance, such as reduced redundancy and improved efficiencies by rationalising the information architecture, better information on risk and better decision making based on this insight, improved operational performance through enhancing key processes, and better financial management.
Swami Natarajan, senior director, Fusion Apps & SaaS Leader, East & Central Europe, Russia & CIS, Middle East & Africa, Oracle, points out the financial benefits of better processes. In one instance a global Fortune 100 company hired a consultancy to look at a single process, paying suppliers. Over a two-year period they found errors amounting to $17 million.
“There are negative associations with GRC practices, as they suggest negative repercussions for acts which are out of compliance or expose companies to financial and reputational loss. But GRC needs to be seen as an operational and policy framework within which companies can pursue business opportunities and develop products in an environment in which the checks and balances are assured,” he says.
“Companies ultimately want to improve financial performance. Firms that have a pervasive and active risk plan can derive financial value. They can reduce inefficiency, fraud and wastage from key business operations. They can also enhance performance by incorporating risk intelligence in planning and decision-making,” Natarajan adds.
GRC is becoming a necessary capability in the IT arsenal, so CIOs need to understand the issues and become familiar with the strategies involved as GRC occupies more and more of their time. It has even been suggested that risk will change the nature of roles within ICT, with much greater focus in security roles on GRC and related issues. Aboualy points to the Internet Security Forum’s ‘The Modern CISO’ briefing report, which anticipated that the chief security officer is likely to split in two, with one function focusing on the technical aspects, possibly known as the Chief Information Technology Security Officer or CITSO; and the other aligned with the business needs of the role, the Chief Information Risk Officer or CIRO.
Common standards for compliance
International Financial Reporting Standards (IFRS) – finance
Sarbanes-Oxley (SOX) – finance
Basel II & III – banking
PCI-DSS – payment cards
ISO/IEC 31000 – risk management
ISO/IEC 27001 – information security
ISO/IEC 27014 – information security governance
ISO/IEC 38500 – information technology governance