Many analysts and pundits have talked about the "problem of silos" and some of the challenges they create for compliance initiatives. But it is useful to identify two distinct, but related, problems. I will call them the twin problems of "information silos" and "functional silos". Let's look at each one to see how a unified approach to governance, risk and compliance (GRC) can help to solve both of them.

Information Silos

The meaning of "information silos" is fairly obvious: it refers to pockets of information spread around an organization, which contain similar (or in some cases identical) data relating to compliance activities. A very common example is compliance information (for example, controls testing status) stored in multiple spreadsheets and passed around between groups. And, of course, when the same information is stored in multiple places, the opportunity for inconsistency is constant.

The reason this is such a pernicious problem is that the existence of these silos is often invisible to the people who need to know where this information is kept. A simple (and common) example is that of a Sarbanes-Oxley Act (SOX) program team that conducts a test of SOX controls, some of which might be failing to operate effectively. When this failure is identified, the SOX team can attempt to initiate a project to remediate these controls. A problem occurs, though, when these same controls are also used for Payment Card Industry (PCI) compliance, and that program team is unaware of the control failures. The result is higher risk to PCI compliance that is invisible to upper management. The lack of a centralized information repository for compliance, as well as the lack of harmonized controls across multiple regulations, is at the heart of this significant problem. This situation also results in a significant amount of duplicated work, thereby creating inefficiencies.
For example, some controls may get tested redundantly, simply because information about previous tests is spread out around the organization in multiple spreadsheets. Since there is no "single source of truth" about controls status, each program team must often conduct its own testing. It also makes it very hard to identify the total costs of compliance, since cost information tends to be dispersed around the organization and, more importantly, not tracked on a formal basis across all these initiatives. Most companies tend to spend much more on compliance than they are aware, because these "hidden costs" don't get captured sufficiently to help measure their total compliance costs.

As with almost any problem of duplicated information, the situation only gets worse over time. New regulations mean that there is more controls testing going on and probably more groups within the company that need to obtain and track this type of information. What starts out as a relatively tractable problem very quickly becomes a major one.

Having considered these serious problems of information silos, it should be noted that centralizing risk and compliance information is an organizational challenge. Simply finding where this information exists can be difficult for a large organization, and there are often major political challenges when attempting to centralize the information (and therefore remove it from local groups).

Functional Silos

This term relates to independent risk and compliance initiatives that are managed in such a way that there is little unification or synergy between these two critical areas. Even if information is consolidated across various compliance activities within the company, unless this compliance information and these activities are coordinated and unified with the information and activities of the risk management team, inefficiencies and increased risk may result.
For example, if certain controls fail and impact the compliance status, they also will impact some areas of risk. Without a centralized way of managing all risk and compliance information and initiatives, the effectiveness of both areas will be reduced.

The obvious solution is to create a way of centralizing information about risk and compliance, and mapping (cross-referencing) it, so that everybody can always know the current status of all information objects (such as policies, controls, risks and remediation efforts) at any time. It's this mapping that gives the approach its power. It enables managers to immediately understand (and visualize graphically) the impact of a change in any object on any other object within the environment. For example, if a control fails, a unified approach to risk and compliance would enable you to view the impact of this on a current risk, on the state of compliance for a given regulation, on progress towards a strategic business objective, and the like. It's like having an easily customizable dashboard that shows you everything that's happening in your risk and compliance environment, and lets you monitor precisely the areas that are most important for your business.

The benefits of this unified GRC approach can be profound. They include increased collaboration, improved visibility into risk across the enterprise, enhanced compliance project execution, improved visibility into total compliance costs and, very importantly, increased efficiency and automation throughout the compliance process lifecycle. Reduced risk, easier compliance and reduced costs: three very significant business benefits to be gained from a unified approach to risk and compliance.

The bottom line is that silos (both information and functional) are probably the most common challenge in risk and compliance, but with sufficient planning (and political finesse), they can be eliminated and the problems they create can be solved.
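A minimal model of the cross-referenced object graph described above, added here as an illustration (it is not code from the article or from any CA product). A control shared by SOX and PCI DSS fails, and the mapping reports every regulation, risk and business objective it affects, plus which controls are mapped to more than one regulation and so only need testing once. All control, risk and objective names are constructed sample data.

```python
# Constructed sample GRC mapping (not from the article or any product).
# Each control lists the regulations it satisfies and the risks it mitigates;
# each risk lists the business objectives it threatens.
CONTROLS = {
    "AC-01 quarterly user access review": {
        "regulations": {"SOX", "PCI DSS"},
        "risks": {"R1 unauthorized access to financial systems",
                  "R2 cardholder data exposure"},
    },
    "CM-02 change approval for production": {
        "regulations": {"SOX"},
        "risks": {"R3 unauthorized change to financial reporting"},
    },
    "LG-03 audit log retention": {
        "regulations": {"PCI DSS"},
        "risks": {"R2 cardholder data exposure"},
    },
}
RISK_OBJECTIVES = {
    "R1 unauthorized access to financial systems": {"O1 clean annual audit"},
    "R2 cardholder data exposure": {"O2 retain card-brand relationships"},
    "R3 unauthorized change to financial reporting": {"O1 clean annual audit"},
}


def impact_of_failure(failed_controls, controls=CONTROLS, risk_objectives=RISK_OBJECTIVES):
    """Walk the cross-references from failed controls to every object they touch."""
    impact = {"regulations": set(), "risks": set(), "objectives": set()}
    for name in failed_controls:
        entry = controls[name]
        impact["regulations"] |= entry["regulations"]
        impact["risks"] |= entry["risks"]
        for risk in entry["risks"]:
            impact["objectives"] |= risk_objectives.get(risk, set())
    return impact


def regulation_status(failed_controls, controls=CONTROLS):
    """Per-regulation view: which failed controls make each regulation non-compliant."""
    failed_by_reg = {}
    for name, entry in controls.items():
        for reg in entry["regulations"]:
            failed_by_reg.setdefault(reg, [])
            if name in failed_controls:
                failed_by_reg[reg].append(name)
    return {reg: ("non-compliant" if bad else "compliant", sorted(bad))
            for reg, bad in failed_by_reg.items()}


def shared_controls(controls=CONTROLS):
    """Controls mapped to more than one regulation: test once, satisfy all of them."""
    return sorted(n for n, e in controls.items() if len(e["regulations"]) > 1)
```

With this mapping, a SOX test that fails AC-01 immediately shows PCI DSS as non-compliant too, which is exactly the visibility the siloed spreadsheets in the SOX/PCI example lack.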
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he's the Senior Principal Product Marketing Manager for GRC at CA. Previously he managed the large computer operating system development group at Digital Equipment and Prime Computer, and managed the Distributed Computing Product Management Group at Digital. More recently, he has held a number of Product Management positions, including Product Manager for the SiteMinder product family at Netegrity.
