Risky Business
How “Avoiding Trouble” has Become “Risking Trouble”
I entered into this relatively newly amalgamated area of "governance, risk management and compliance" (inevitably acronymned "GRC") with a false understanding. I assumed that compliance was what you had to do, governance is what you should do, and risk avoidance is what you achieved if you did the first two things correctly.
That, I have learned, is only sort of correct. But sort of not. Which should come as no surprise to anyone who has read these columns, nor to me. I should know better. I never get it right the first time.
Seems that whether it’s managing content for business purposes, or managing regulations for compliance purposes, or even managing disaster recovery for business continuity purposes, a "risk-based approach" is all the rage.
Governance and the Lack Of It
"This term—GRC—that has achieved currency lately, describes a synthesis of disparate activities that have already been going on for a long time. But compliance has become much more pervasive; the need for transparency has become more important; and the realization is that organizations have gone at it piecemeal," says David Hurwitz, vice president of governance marketing for CA. "The reason ‘risk’ is now part of it, is that rather than going at it blindly, organizations are now taking a risk-based approach... even auditors have realized that they need to evaluate processes based on the amount of risk they expose to the organization.
"Take Sarbanes-Oxley for example," he continues. "SOX now has a new auditing standard that allows a risk-based approach. The question now is, ‘How rigorous must we be in auditing every single process...?’ Before this change to SOX, every process—irrespective of how trivial it might be in terms of financial exposure—had to get audited. I think it’s fair to say that was a very simplistic view, and it generated a great amount of cost, without any appreciable benefit in the reliability of the financial statements. So now, the rules look at the reality of what the risk is, and that’s leading to a revolution in how executives think about risk and compliance."
And that "revolution" is just about as old as the Industrial one; it’s all about creating a systematized way to accomplish a task that was originally considered a manual one. "That’s why GRC is coming into prominence now," states Dave. "In the early days of the ‘compliance revolution,’ organizations responded by throwing people at it, and they incurred tremendous costs. Now the realization has set in that the genie’s not going back into the bottle, and we need to apply this degree of rigor forever," he says.
"There are only going to be more regulations and internal policies" to cope with, says Dave, so the marketplace is looking at ways to accomplish the job in more automated ways, and with fewer dollars and human resources. "Given that these regulations aren’t going away, the market is saying, ‘let’s see if there’s a way to get more systematized about it.’"
In terms of deployment, Dave insists that no single part of the organization is best prepared to determine that "systematized" approach. "These initiatives are best accomplished through a group effort," says Dave, "that includes IT, business operating groups, legal and executives. But this has been a difficult demand for organizations, mainly because it’s been done manually for so long. It’s not a project... you can’t buy some software, solve the problem and walk away..."
Risks of Risk Management
Early in what Dave calls the "compliance revolution," there was a fairly lengthy period during which the exposure that executives themselves apparently personally risked seemed to be the lead headline. "Taking the perp walk on the Six O’Clock News" was how some put it. OK... that’s how I put it. But there was justification; SOX and other regulations seemed hell-bent on making the fat cats pay for the sins of their companies, and the public lapped it up like a kitty with a bowl of buttermilk.
"The ‘we’ll go to jail’ thing has been heavily overplayed," says Dave. "Nobody’s going to jail for SOX violations. But all the same, failure’s not an option." So, does that mean regulations no longer have teeth?, I ask. "Of course not," he says. "When was the last time you heard of a public company failing its financial audit? But does that mean a financial audit doesn’t have teeth? No. It simply means that public companies now have an even greater need to automate its processes. Can you imagine a FORTUNE 500 company trying to meet the standards that KPMG or Ernst & Young are going to ask of them without a modern online accounting system? It’s inconceivable."
And the same goes for records, documents and any other form of electronically stored content. The vastness and complexity of communications and records make it impossible to imagine an organization being prepared for litigation, regulatory compliance or even efficient business practice without an effective content management plan in place. I am totally in agreement with that.
But, I wonder aloud to Dave, since "risk management" is more or less a judgment call, and the cost-justification is difficult to prove, don’t companies treat it as you and I would treat an insurance policy, and thus spend the least possible and hope for the best?
"No," he states definitively. "If you look at insurance at the highest possible level—you see this from business insurers all the time—you’ll find that companies work to reduce their risk, and if you do it correctly and show that you’re taking the appropriate actions, you’ll find that your insurance will cost you less. For example, if you can prove you have fewer accidents, your workers’ comp will go down. Or it you can prove you have appropriate loss prevention in place, your rates will go down. The same goes for the things we’re talking about."
The OTHER Risk Scenario
When we set out to organize this white paper on governance, risk and compliance, we left it somewhat undefined. And sure enough, we found that there are as many definitions as there are questions to be addressed. Tom Love, the director of sales engineering for the DocuShare business unit at Xerox Global Services, looks at "risk" from a different viewpoint: disaster recovery and business continuity. But he also has plenty to say about information governance, and the impact it has on business operations.