Governance, risk management and compliance — Protecting critical business assets

The focus on isolated issues is beginning to change, however. "It is becoming more prevalent for different groups to come together as working committees to coordinate their activities, and the results can be transformational," Wisniewski says. That effort can be difficult, because companies generally do not have a GRC department; more likely, the committee consists of the chief financial officer, chief risk officer, chief compliance officer, chief information officer, the audit department and chief counsel, among others. Those individuals may or may not have a history of working together, but over time, productive relationships can develop.

Focus on hot spots

Metrics play an important role in governance by bringing objectivity into the analysis. A business owner who is speaking of risk from a subjective viewpoint can paint any picture without really identifying key issues," Wisniewski says. Part of governance is creating key performance indicators and key risk indicators to look at specifics such as financial, reputational, regulatory, business continuity and human resources impacts. "Companies should focus on the hot spots and start to implement these indicators," Wisniewski advises.

Technology contributes to governance by providing structure, reporting and helping employees understand the governance process. "Especially for large enterprises, tracking becomes impossible without a system in place," Wisniewski says. The Protiviti GRC portal provides visibility into corporate risk and helps support internal audit processes. "The consolidation of reporting is not feasible for companies that are using spreadsheets to track risk management," he says. "In addition, software helps execute GRC processes because people get in tune with the goals." 

Social media: A GROWING RISK

An emerging new risk in the GRC domain is the impact of social media. According to a study by Osterman Research, 50 percent of companies allow Twitter to be used in their organizations, although only 34 percent of IT decision-makers consider it to be a legitimate business tool. Another study by Osterman found that only 18 percent of organizations have a detailed and thorough policy on use of Twitter.

Actiance has been providing security and compliance controls for real-time communications for more than a decade, since the time when people started using instant messaging (IM) to communicate. "We saw a match with our experience and the need to address risk management and compliance for social media," says Sarah Carter, VP of marketing. "Actiance Socialite allows controls to be placed on social media applications with respect to the features they can access, and provides the ability to log activity by users." In addition, it archives content that results from social media use.

New features such as the integration of Skype with Facebook can also create new risks. "The camera used in Skype can pick up information from a white board behind the user that might not be permissible to share," Carter says. Another Actiance product, the Unified Security Gateway, protects users from malware that can come in with applets such as Angry Bird or other add-ons to Facebook. "A lot of malware is now starting to be propagated over social networks," Carter says. "USG protects organizations from these intrusions."

Social media presents unique problems not only with respect to its introduction of new technology; it also brings different attitudes. "People tend to be much more casual in their use of social media," Carter says. "They are more likely to be spontaneous in their statements." The look and feel of social media as compared to traditional enterprise applications augments that tendency. In addition, younger users, who have enthusiastically adopted social media, also tend to be more open in their communication, which magnifies the effect. Nonetheless, Carter cautions, "All the rules for any business communication still apply, so from a risk management and compliance viewpoint, social media should be managed the same way."