How to Implement Your GRC Technology

Compliance and data security have recently been in the spotlight, due to major breaches at Experian and Home Depot, among numerous others. As a result, companies everywhere are facing growing demand for data privacy and compliance regulation. In fact, compliance requirements – including the Dodd-Frank Wall Street Reform and Consumer Protection Act and anti-corruption regulations – have increased dramatically over the past few years as legislators seek to protect customers and mitigate the issues that led to the 2008 financial crisis.

And compliance and security attention doesn’t end with lawmakers. According to Grant Thornton LLP’s survey of more than 400 chief audit executives from U.S. organizations, 31 percent of respondents ranked compliance risks as their top concern, and 42 percent believe that data privacy has the most potential to impact company growth.

Despite these findings, only 29 percent of respondents are using a Governance, Risk, and Compliance (GRC) technology tool, and 22 percent of respondents believe their organization is effectively leveraging GRC technology. Why is there a major gap between what is important and what is occurring? The answer is simple: There is a disconnect between policies, practice, and controls within many organizations. Businesses create these policies without a true understanding of “life on the ground in the company.” This is made worse by technology not meeting all of the needs of a company’s various stakeholders, resulting in decision makers rejecting enterprise risk management (ERM) technology proposals. Best practices for security – especially when dealing with sensitive financial information – have focused on “building walls” around the perimeter to “keep people out” and “keep information in.” However, as you build a ten-foot wall, your opponent brings an eleven-foot ladder, and so on.

While perimeter-based security is essential, it is only one strategy incorporated into a larger course of action. Organizations must also look at information as it is managed throughout information gateways – including file shares, websites and applications, enterprise collaboration systems, communication systems, and social platforms. By thinking holistically about managing compliance and maintaining visibility, data classification and control, the walls become less penetrable.

To fully understand what capabilities an organization needs for ongoing operations, practitioners should conduct a vulnerability assessment. These are crucial when starting an audit to identify which information requires heightened attention and where it is stored. The systems in scope include enterprise collaboration systems and interactive gateways, such as file shares, SharePoint portals, cloud platforms, social networks and websites.

However, identifying these issues across thousands or millions of documents is impossible without automation. So it is important to look beyond features that only check the boxes. All accountants – whether in tax, financial, government, forensic, management, project or social fields – have other information to monitor; they should not be bogged down by this, too. Because information is constantly created, ongoing vulnerability assessments help create a comprehensive lifecycle approach to risk mitigation. When choosing the correct technology, consider a solution that can:

  • Discover data across gateways to shed light on dark data and other risks. Sensitive information may not be obvious but can open up an organization to issues if leaked, especially when handling a customer’s finances.
  • Scan content in motion or at rest against out-of-the-box or customized checks for a range of privacy, information assurance, operational security, sensitive security information and accessibility requirements. Financial organizations often require heightened security based on government regulations, but can also be affected by subject matter and size.
  • Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
  • Take corrective action automatically to secure, delete, move, quarantine, encrypt or redact risk-defined content. These actions reduce costs by eliminating the need for increased hiring to continuously monitor information security initiatives.
  • Enhance incident tracking and management with an integrated incident management system in addition to trend reports and historical analysis to measure improvements over time.
  • Monitor data and systems on an ongoing basis to demonstrate and report on conformance across enterprise-wide information gateways and systems.
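The scan, classify and remediate loop the list above describes, as an added illustration that is not from the original article or any vendor's product: checks with validators run over constructed sample documents, each confirmed finding gets a policy action and an incident record, and content is redacted or quarantined accordingly. The file contents, check patterns and policy mapping are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample content from a pretend file share (not real data).
FILE_SHARE = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789 recorded.",
    "finance/card.csv": "customer,4111111111111111,12/27",
    "finance/ref.csv": "order,4111111111111112,12/27",  # fails Luhn: not a card
    "notes/agenda.txt": "Quarterly planning meeting on Tuesday.",
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so not every long digit run is flagged as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# Each check: regex, validator, and the corrective action policy for that check.
CHECKS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda v: True, "quarantine"),
    "pan": (re.compile(r"\b\d{13,16}\b"), luhn_ok, "redact"),
}
SEVERITY = {"quarantine": 2, "redact": 1}  # strongest action wins per document

@dataclass
class Incident:
    path: str
    check: str
    action: str

def scan(files: dict) -> tuple:
    """Classify each document, apply the policy action, and log an incident per hit."""
    results, incidents = {}, []
    for path, text in files.items():
        action, out = None, text
        for name, (pattern, valid, policy) in CHECKS.items():
            for m in pattern.finditer(text):
                if not valid(m.group(0)):
                    continue  # pattern matched but validator rejected it: no incident
                incidents.append(Incident(path, name, policy))
                if policy == "redact":  # keep the last 4 digits so the record stays usable
                    out = out.replace(m.group(0), "*" * (len(m.group(0)) - 4) + m.group(0)[-4:])
                if action is None or SEVERITY[policy] > SEVERITY[action]:
                    action = policy
        if action == "quarantine":
            out = ""  # content removed from the share; only the incident record remains
        results[path] = ("restricted" if action else "public", action or "none", out)
    return results, incidents
```

The incident list is what an integrated incident management system would ingest for trend reporting, while the per-path classification is the ongoing conformance view.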

Gaining executive buy-in is one of the greatest obstacles to overcome when proposing GRC technology. Traditional approaches for “return on investment” include cost reduction and productivity enhancement, which can be driving factors for executive purchasing decisions, but smaller themes can also result in investment. For example, many companies are now thinking about their data, and particularly customer information, as an unrealized “asset.” However, that data may be lost in file shares or data silos, undiscoverable and unprotected. So what can be seen as a “risk” can be viewed as an “asset” when accessed and protected appropriately.
Reference these GRC technology advantages when speaking with decision makers:

  • Significantly reduce compliance costs
  • Increase an audit team’s productivity
  • Help organizations focus on higher-value activities as opposed to administrative tasks
  • Promote better decision-making as a result of greater information access
  • Heighten management and organizational effectiveness
  • Improve communication with stakeholders
  • Enhance accountability within the internal audit group and for business process owners
  • Increase confidence in the quality and reliability of control systems

Remember that GRC technology use is not confined to the security function – every employee can reap the benefits. Keeping your client’s sensitive information safe is of the utmost importance, and GRC implementation can ensure this safety on an ongoing basis. However, a successful implementation does not happen overnight. Despite the road ahead, GRC platforms and applications can foster safe, effective and productive environments for everyone. It’s time that we take the steps to make GRC a staple and better our relationships with not only our customers, but our fellow employees as well.
Dana Simberkoff is the chief compliance and risk officer for AvePoint.
