Embrace This Acronym: IT GRC. It Could Save Banks a Bundle.

The financial-services industry, like every other, is awash in acronyms, and one that's been gaining ground lately is GRC. Used to describe the interdependent disciplines of governance, risk and compliance, GRC refers to the people, processes and technology banks invest in to comply with regulations and manage risk as part of effective corporate governance. GRC connects the dots between many other acronyms (SOX, FFIEC, GLBA, PCI DSS), not to mention every other regulation and mandate that touches the bank.

In fact, GRC has already produced an "offspring" of sorts: IT GRC (information-technology governance, risk and compliance). IT GRC augments and complements the overarching GRC landscape by addressing the unique role information technology plays in GRC.

With respect to compliance and risk, IT consumes the majority of bank employees' time and effort. A whopping 80 percent is spent on developing, implementing and testing controls and remediating issues related to failed controls, according to IDC. Managing information, applications, systems and networks is complex, requiring sophisticated and integrated technology and processes. IT GRC addresses technology's specific challenges, providing methodologies and technology that IT can effectively use to cut time and costs while improving the quality of risk and compliance information.

Banks and other financial institutions are no strangers to regulations, and currently face three challenges that, together, are driving them to understand and invest in IT GRC to create and automate processes to manage compliance and security risk in a systematic, quantitative and comprehensive fashion. These challenges include a shift by regulators to risk-based compliance; a growing regulatory focus on an institution's accountability for third-party service providers; and the breakdown of compliance and risk-assessment processes that can't scale to support multiple regulations and mandates, especially with respect to information technology.

Changes in how regulators are approaching compliance have a significant impact on IT and also provide opportunities to improve efficiencies and the quality of compliance and risk activities and information.

For example, it used to be good enough to choose a small number of critical business applications to include for risk assessment as part of the Sarbanes-Oxley compliance audit cycle. But now regulators no longer accept these small samples as adequate or representative.

Quite simply, such samples do not provide an enterprise perspective of the information-security risks that banks face. It is not uncommon for large financial institutions to have to scale risk-assessment activities immediately from a sample of 15 to more than 400 or 500 high-risk applications. The challenge IT faces is how to scale, and how well it solves that problem affects the entire business.

The upside is that, if they do it right, managers throughout the entire organization can use this new risk information to make better business decisions that could ultimately result in a meaningful competitive advantage.

Another area of significant impact on information governance, risk and compliance is the dependency of banks on outsourcing critical aspects of the business to third-party service providers. As banks strive to control costs, outsourcing has provided a useful tool.

But that tool comes with a cost. More third-party relationships increase the complexity of managing compliance and security risk across outsourced operations and present new accountability challenges. Where is the bank's data and who has access to it? Are information assets safe? How can the risks be most effectively managed? According to TPI, an outsourcing consulting company, outsourcing increases the governance burden by an amount estimated at between eight and 15 percent of the project's cost.

A final area of concern is the unwieldiness and expense of current approaches to managing IT compliance and risk, especially as the number of regulations and mandates continues to grow. With the imposition of each new regulation, the common approach has been simply to add a new compliance team with a new mission and scope.

The final result? Many different teams with many missions ask the same questions, create significant inefficiencies, and hamper banks from comprehensively understanding their risk position.

Redundant policies and controls are common. Teams interpret the same risk data differently. Compliance and risk information is siloed with no ability to see the big picture. Teams often cannot see redundancies across regulations or share a common interpretation of risk information, either across compliance and risk teams or management at large. IT GRC provides a means to eliminate those redundancies, improve the consistency and quality of risk data, save time and reduce the demands on managers.

As these trends continue to apply pressure, banks should assess whether their current processes can scale. As risk assessment becomes a center point for compliance, bank managers need to ask whether their institutions are ready to scale from tens to hundreds of assessments overnight.

Second, banks should review their current approach to managing their third-party vendors and ensure that compliance and risk data can be encapsulated and aggregated with the bank's own data easily to draw a comprehensive risk picture and provide evidence of compliance in line with regulatory expectations. If the bank is still relying on emails and spreadsheets, perhaps the bank needs to take a closer look at its approach.

Finally, banks should review their approach to compliance. Understanding the overlaps among policies relating to separate regulations can be a real eye opener. Why absorb the time and employee expense of implementing and testing the same control many times, when once would suffice to meet the requirements of all relevant regulations?

IT GRC allows banks to effectively manage information-technology assets and processes with respect to compliance. It provides the means to consolidate and integrate the plethora of technical data and to systematically gather, quantify and prioritize security-risk data across assets, operations and regulations, thereby improving risk mitigation.

Finally, it provides a means to control the cost of IT compliance (a significant sliver of the $6 billion spent in 2006 to comply with SOX), the ability to understand which security risks really matter, and the tools to communicate what those risks mean in business terms that every manager can understand. In an age of increasing information overload, that may be the greatest gift IT GRC delivers: a way to map all the regulatory acronyms back to one, ROI.

(c) 2007 U.S. Banker and SourceMedia, Inc. All Rights Reserved. http://www.us-banker.com http://www.sourcemedia.com
