Since 1981, there have been over 114,000 new governmental regulations written in the United States. Most of the regulations passed in the last decade have an IT impact and are industry specific; well-known examples include the Sarbanes-Oxley (SOX) Act of 2002, the Federal Rules of Civil Procedure (FRCP), the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and the Gramm-Leach-Bliley Financial Services Modernization Act (GLBA) of 1999. It's a regulatory jungle out there.

When it comes to sorting them out, too often there is not enough cross-expertise among compliance, risk, governance, operations, technology, finance, accounting, and audit personnel. There are literally hundreds of thousands of regulations, and no single organization can keep track of all of them without strategic, integrated and thoughtfully planned Governance, Risk, and Compliance (GRC) programs that include automation. Combine all these factors with a traditional mentality of siloed GRC procedures and manual support processes, and you get an alphabet soup of compliance that no one is comfortable with.

Every federal and public company in the world's industrialized nations faces the same regulatory and compliance challenges: quality management, quality improvement, governance and risk management, information management, and project management. Organizations that are either beginning a GRC program or tuning their existing one will experience a series of common pitfalls, and will need a plan for overcoming them. Considering the vast number of regulations and the enormity of the project, they will also immediately recognize the need for their Information Technology (IT) organization's involvement, but many will stumble over exactly what that means.

Here are the five biggest pitfalls in IT Governance, Risk, and Compliance:

#5: Thinking that GRC is all about technology and a quick fix. Throw a lot of expensive technology at the problem, and it will be auto-magically solved.
#4: Not setting appropriate accountability and ownership.
#3: Implementing GRC policies and procedures separately from IT-GRC policies.
#2: Looking at controls independently rather than from an integrated perspective.
#1: Not recognizing the value of IT-GRC to the business.

A well-conceived GRC strategy will apply the common themes of the Information Security Triangle (Confidentiality, Integrity, and Availability) to any project, such as document lifecycle, records management, disaster recovery, or business continuity. It is important to think of these projects as integrated programs that can be used, reused, and re-purposed for other similar compliance projects. The right mix of supporting technology, stringing together an intelligent amount of automation, can be used by the organization to manage the GRC program for reliable and predictable control points that any executive will be comfortable supporting.

Editor's Note: As the end of the calendar year approaches, if you are looking for additional education on Sarbanes-Oxley compliance, The Compliance Authority has negotiated a special rate for our readers. Please use Promotional Code TCA2008 when you register for the three-day class, "Special SOX (Section 404) Training", and save $100 off the registration fee. Register at http://www.grcg.com/sox-class-dec-2008.
