Luc Brandts, CTO at Nasdaq BWise
Governance, risk management and compliance demands that firms tap into a broad spectrum of the business. In today’s world of complex infrastructures and even more complex risk scenarios, the evolution of technology in GRC is far from over.
IT is an increasingly important component of any business, and as a result an increasingly important source of risk. This requires the discipline of IT GRC to be reconsidered.
Defining the scope for IT GRC
IT has a huge impact on business risk – and that impact is on the rise. This is one of the major reasons why it needs to break away from being a purely embedded function. By creating a separate discipline, firms can put in place the right tools, controls and processes to manage it effectively within the wider GRC framework.
Often, firms will think of IT risk as almost synonymous with security. Nobody would deny security's importance. However, IT GRC must encompass a far broader range of factors, including technology infrastructure, the integration of multiple data sets and databases, applications and development environments, operations, and the numerous third parties that influence IT. There are countless ways in which technology is woven into the business and, therefore, influences risk.
As such, effective IT GRC requires IT to be embedded across the GRC pillars. Firms can only really gain control by integrating it with financial risk, regulatory risk, legal risk, operational risk and HR risk. Each will have technology-related controls and consequences. In HR, for example, only part of the risk is down to HR itself; the rest, such as background checks or access rights, is about IT.
Tackling the complexity
While there is a strong case for IT GRC, many firms will find it challenging to implement. Complexity is a major hurdle – and comes in many forms.
Hundreds or even thousands of applications are running on many, many servers in several data centers or in the cloud. These applications serve a multitude of business processes in different business units across the globe. On top of this, systems, applications and servers are vulnerable to both internal and external attacks. As a result, there is a strong need to get a grip on all of this, and that means having software to manage the complexity.
Creating the IT GRC toolkit
So capturing the complexity of the business, the IT estate and its vulnerabilities is an important first task of any IT GRC system. Monitoring all these systems, logs and processes is an enormous task, which means firms can struggle to know where to start. It is impossible to follow up on the millions of tasks that may result from such monitoring activities.
To cut through and reduce the complexity, firms need to apply effective risk management processes on the technology itself – and tackle the issues from a business point of view. For example, it’s impossible to determine the importance of a particular server, or an application that it runs, without knowing and truly understanding its business function. If firms lose web access for a particular online store front, or the ability to produce reports for a specific area, it’s not just a temporary operational inconvenience. The effect on the business could be far reaching and longer lasting than the glitch itself.
An important step in getting a handle on all the priorities is to conduct a risk assessment that combines the business impact of each system with its vulnerability. This equips firms with insight into which of the millions of alerts they need to focus on most and, therefore, what actions they need to take. This is where technology becomes vital. There is simply no way of handling the millions of relationships between IT assets and the business, and the various risks that are continuously changing, without the right tools to monitor and filter everything.
Crucially, all of this needs to be simple to implement and, therefore, easy to integrate. Systems continually change while data expands rapidly. If firms are left struggling for months or even years to put everything in place for IT GRC, the exercise becomes ineffective and perhaps pointless, all the more so because it has to be adapted continuously to an ever-changing situation.
With the right easy-to-use tools, firms can drive forward the next phase of the technology evolution within GRC. By giving IT the spotlight it deserves – and needs – firms can be sure of delivering valuable and actionable insight for the business.
Many have tried before and focused on the complexity. That has not worked, which is why there is now a need for a solution that focuses on simplicity and manages the complexity behind the scenes.