The Trials and Tribulations of IT and Integrated Risk Management
Integrated risk management is put to its fullest test when managing the risks of information technology (IT). There are arguably few topics whose influence reaches across every part of an organization's value chain, from the back office to the front, from employees to customers, and from vendors to third parties. As a result, IT GRC (Governance, Risk, and Compliance) continues to be a focus, and IT and risk management are working to strengthen their relationship in order to understand, identify, and thwart unwanted exposures.
However, like any relationship, it is subject to the realities of everyday life. IT and risk management typically have very limited budgets, are leanly staffed, and must juggle competing priorities. The edict to do more with less has become an ongoing mantra for these groups. Unfortunately, this leads to inefficient and ineffective risk management practices. Michael Rasmussen, in a recent blog post (1), cites similar challenges. He argues that uncoordinated activities and multiple, overlapping IT risk approaches introduce complexity, resulting in a loss of proper business support and growing exposure to vulnerabilities.
How can GRC technology help?
Cutting through the complication and mire of disparate systems, structured and unstructured data, and inconsistent processes and practices to provide a holistic picture of the risk environment is a strength of a complete GRC software tool. There are a number of other capabilities users should also look for in their GRC software:
- Rich data feed management to access, retrieve, and transform data from a full spectrum of sources (e.g., from systems such as Qualys, or from third-party sources such as regulatory agencies, Lexis/Nexis, etc.)
- Assess and demonstrate compliance with applicable laws and regulations
- Security incident response management capabilities to codify and sustain response plans
- Continuous monitoring to identify non-conformities (e.g., vendor or policy exceptions) and validate the control environment (e.g., business continuity, workflow management, KRI and other metric tolerance and threshold levels)
- Easy to use, implement, and integrate into the existing IT environment
- Monitor progress of controls, their effectiveness, and issue management activities using dashboards, status tracking, and robust reporting capabilities
- Configurable, so that it stays relevant, efficient, and adaptable to stakeholder needs
Some see value in having a point solution to address specific facets of risk such as information security and compliance. Risks, however, are rarely independent. Links between risks become more transparent when viewed across the value chain. The risks that tend to have the most significant impact also tend to have a snowball effect, gathering size as they make their way through the organization. An effective, integrated risk management tool must be able to leverage data from throughout the company and pull it together to make sense of the overall effects. Only then can there be confidence that IT and risk management are working in harmony.
1: GRC Pundit, "Complexities of IT GRC Hinders Organizations," http://grc2020.com/2016/10/26/complexities-of-it-grc-hinders-organizations/, accessed October 2016.