GRC and performance: toward an integrated view
A surprising number of companies are continuing to work with manual solutions to keep track of compliance issues, according to Lortz. "At this stage in the maturity model, companies are using spreadsheets to catalog the risks and e-mail to communicate among risk practitioners," he says. The next step is to leverage technology to automate compliance for a department. "There may still be silos, but at least a given department can eliminate redundant tasks and reduce costs through automation," he adds.
At the third stage, a chief risk officer or chief compliance officer can begin to bring together risks and controls, set standards and identify key stakeholders. Organizations can then take a more enterprise-oriented approach toward use of technology, find opportunities for sharing information and leverage economies of scale. "Some control testing might apply to multiple compliance initiatives, for example," says Lortz.
Finally, at what Lortz calls the utopian stage, organizations are using their investments in risk and compliance to optimize their business. "At this point, which is rarely achieved at present but is worth working toward, companies can link risk to performance and identify key indicators that align nicely with the outcomes on their business," Lortz says. Those key performance indicators (KPIs) can then be made available to managers, who can make more informed decisions to improve corporate performance.
Although KPIs that are related to GRC do not encompass all measures of performance, they should ideally be presented as an integral part of a performance assessment. Few companies have been able to fully integrate all their GRC activities, and fewer still have managed to link them to CPM, but the stage is set for significant progress. The motivating drivers are present, and better enabling technology is now available to support the effort.
Compliance meets IT security
IT security is another arena in which compliance plays a large role. Vigilant is a professional services company that helps customers develop and implement security information and event management (SIEM) systems. A SIEM coordinates a variety of security monitoring products, correlating their output and reporting on system and network behavior.
"Compliance is often the catalyst that jump-starts a security monitoring program," says J.B. O'Kane, principal consultant at Vigilant. "It represents a high-profile problem area, whereas some of the other aspects of security, such as system access control, sound mundane even though they also are important."
Vigilant helps customers comply with the ISO 27000 series, a family of standards for information security management, and ISO 31000, a new international standard on risk management. O'Kane advocates an approach that lets companies coordinate their activities so that steps taken to comply with one requirement can be reused for another.
"Many of the use cases we develop for IT security monitoring map across multiple compliance regulations," he says. "For example, a certain requirement for managing information for Sarbanes-Oxley might also apply to the Payment Card Industry (PCI) Data Security Standard," a set of requirements administered and managed by the PCI SSC, an independent body created by the major payment card brands.
Compliance does not always equal security, O'Kane maintains, which is why it's important to get a solid IT security monitoring program in place. "Compliance is necessary and desirable," he says, "but compliance with standards and regulations may take years to get in place, while security threats are emerging constantly."
To keep on top of IT security risks, Vigilant advises clients to develop and monitor relevant security operating metrics and then link such metrics to key IT risk indicators (KRIs). "The Holy Grail is to then link those KRIs to key performance indicators (KPIs) that matter most to the performance of the business, and then report such KPIs to appropriate C-level audiences," O'Kane says.
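The pattern O'Kane describes (a SIEM correlating several monitoring feeds, operating metrics derived from them, and those metrics rolled up into threshold-based KRIs that serve more than one compliance regime) can be shown in a few dozen lines. The script below is an added example written for this article; it is not Vigilant's code or any product's API. The auth and patch-status event lines, the KRI thresholds, and the mapping of each KRI to the frameworks it supports are all constructed for illustration.

```python
"""Operating metrics -> key risk indicators (KRIs) over constructed SIEM-style events.
Added example: event lines, thresholds and framework mappings are made up."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample feeds. A SIEM would collect these from separate monitoring
# products; they are embedded here so the script runs offline.
AUTH_EVENTS = """\
ts=2024-05-01T08:00:01Z src=auth host=web01 user=alice ip=10.0.0.5 result=fail
ts=2024-05-01T08:00:03Z src=auth host=web01 user=alice ip=10.0.0.5 result=fail
ts=2024-05-01T08:00:05Z src=auth host=web01 user=alice ip=10.0.0.5 result=fail
ts=2024-05-01T08:00:09Z src=auth host=web01 user=alice ip=10.0.0.5 result=fail
ts=2024-05-01T08:00:12Z src=auth host=web01 user=alice ip=10.0.0.5 result=fail
ts=2024-05-01T08:00:14Z src=auth host=web01 user=alice ip=10.0.0.5 result=success
ts=2024-05-01T08:01:00Z src=auth host=db01 user=bob ip=10.0.0.9 result=success
ts=2024-05-01T08:02:00Z src=auth host=db01 user=carol ip=10.0.0.7 result=success
ts=2024-05-01T08:03:00Z src=auth host=web02 user=dave ip=10.0.0.8 result=fail
ts=2024-05-01T08:03:30Z src=auth host=web02 user=dave ip=10.0.0.8 result=success
"""

PATCH_EVENTS = """\
ts=2024-05-01T07:00:00Z src=patch host=web01 critical_missing=0
ts=2024-05-01T07:00:00Z src=patch host=web02 critical_missing=2
ts=2024-05-01T07:00:00Z src=patch host=db01 critical_missing=0
ts=2024-05-01T07:00:00Z src=patch host=db02 critical_missing=5
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Turn key=value log lines into dicts; blank lines are skipped."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


# --- security operating metrics ----------------------------------------------

def failed_login_ratio(events: list) -> float:
    """Share of authentication attempts that failed."""
    auth = [e for e in events if e.get("src") == "auth"]
    if not auth:
        return 0.0
    return sum(e["result"] == "fail" for e in auth) / len(auth)


def brute_force_sources(events: list, min_failures: int = 5) -> List[str]:
    """Source IPs with at least min_failures failed logins (a simple correlation rule)."""
    fails = Counter(e["ip"] for e in events
                    if e.get("src") == "auth" and e["result"] == "fail")
    return sorted(ip for ip, n in fails.items() if n >= min_failures)


def hosts_missing_critical_patches(events: list) -> List[str]:
    """Hosts whose patch feed reports outstanding critical patches."""
    return sorted(e["host"] for e in events
                  if e.get("src") == "patch" and int(e["critical_missing"]) > 0)


# --- KRIs: one metric, two thresholds, and the compliance drivers it serves ---

@dataclass
class KRI:
    name: str
    compute: Callable[[list], float]
    amber: float          # value at or above which status is AMBER
    red: float            # value at or above which status is RED
    frameworks: tuple     # illustrative mapping: one use case serving several regimes

    def status(self, events: list) -> str:
        value = self.compute(events)
        if value >= self.red:
            return "RED"
        if value >= self.amber:
            return "AMBER"
        return "GREEN"


KRIS = [
    KRI("failed_login_ratio", failed_login_ratio, amber=0.25, red=0.50,
        frameworks=("SOX", "PCI DSS", "ISO 27001")),
    KRI("brute_force_sources", lambda ev: len(brute_force_sources(ev)), amber=1, red=3,
        frameworks=("PCI DSS", "ISO 27001")),
    KRI("hosts_missing_critical_patches", lambda ev: len(hosts_missing_critical_patches(ev)),
        amber=1, red=2, frameworks=("PCI DSS", "ISO 27001")),
]


def kri_report(events: list) -> Dict[str, Dict]:
    """Roll every KRI up into a status table suitable for a management dashboard."""
    return {k.name: {"value": k.compute(events), "status": k.status(events),
                     "frameworks": k.frameworks} for k in KRIS}


if __name__ == "__main__":
    evs = parse_events(AUTH_EVENTS) + parse_events(PATCH_EVENTS)
    for name, row in kri_report(evs).items():
        print(f"{name:32s} {row['value']:>6} {row['status']:6s} {', '.join(row['frameworks'])}")
```

Each KRI row carries the frameworks it supports, so the same monitoring use case is counted once but evidenced for several regimes, which is the reuse O'Kane describes. The thresholds are the part a real program has to calibrate against its own baseline; the values here only show the mechanism.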