Business units, IT and legal are constantly tasked with improving efficiency and each year they are asked to “do more with less.” Compliance is the thorn in the side of enterprises – both large and small.
Ernst & Young recognises regulatory and compliance risk as the greatest strategic challenge facing leading global businesses in 2008 (“Strategic Business Risk 2008 – the Top 10 Risks for Business,” November 2007).
IT Risk and Compliance
IT Governance, Risk and Compliance (IT GRC) is about striking an appropriate
balance between business reward and risk and encompasses the delivery of greater business value from IT strategy, investment and alignment and conformance with policies of the organisation and its external legal and
regulatory compliance mandates.
Primary benchmark research conducted by the IT Policy Compliance Group shows that the way to improve business results and reduce financial risk, loss and
expense is to increase or enhance the competencies, practices and capabilities
governing the use and disposition of IT resources.
The report, which incorporates responses from more than 2600 global organisations, measures the impact that improvements to data protection, regulatory compliance and IT service level resiliency have had on business results, including customer satisfaction, customer retention, revenue, expenses and profits.
The raw scores from the report clearly show that fi rms with better IT GRC results are enjoying much better performance when it comes to satisfying customers, retaining customers, and growing revenues and profi ts, than
all other organisations.
Based on the evidence, from least mature to most mature, the top organisational functions that make the most difference to improving IT GRC maturity include senior management, managers and directors in IT, legal counsel and the audit committee.
Businesses with the most mature IT GRC practices showed 17 percent higher revenues, 14 percent higher profi ts, 18 percent higher customer satisfaction rates, 17 percent higher customer retention levels, 96 percent lower financial losses from the loss or theft of customer data, are 50 times less likely to have customer data stolen or lost and spent 50 percent less on regulatory compliance annually.
Data loss prevention Financial loss due to a data loss or theft is not a question of if, but when. Firms that have a publicly reported data loss or theft can count on losing money.
The probability of making front page headlines for data loss or theft is once
every three years or sooner for companies that lag in compliance. Compared with
their not-so-compliant counterparts, compliance leaders signifi cantly decrease
their odds to once every 42 years or later.
One of most striking findings from the research is the correlation between
the loss of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits.
Almost all (96 percent) of the organisations with the least loss of sensitive data are the exact same organisations with the fewest regulatory compliance defi ciencies that must be corrected to pass regulatory audits.
In contrast, the majority (64 percent) of the organisations with the most loss of sensitive data are the same organisations with the largest number of regulatory compliance deficiencies.
Action recommendations
To improve business results, reduce risk, loss and expense, organisations need
to increase or enhance their IT GRC competencies and practices. Based on the
report, the IT Policy Compliance Group recommends organisations take the
following steps to improve IT GRC:
• Staff the governance committee from senior business, financial, legal, regulatory and audit committee members
• Use a Balanced Scorecard, or similar tool, to improve the delivery of value and the performance results of IT.
• Drive improvements to maturity and business outcomes with measurable and continuous quality improvement program throughout IT
• Insist on monthly reporting to drive improvements
• Improve and automate technology controls to mitigate and avoid fi nancial risk, brand damage and business disruptions
• Improve the skills and automate the activities within IT assurance, audit and risk management
• Segment and limit, where possible, to reduce exposure and costs
• Manage change management and prevention to avoid higher fi nancial risk and cost inefficiencies
• Continuously measure/assess conditions, controls, objectives and policy to
maintain an appropriate balance between reward and risk
Author: David Dzienciol, Senior Director, Channels, Symantec, Australia and New Zealand