
Copyright Quocirca © 2013
Clive Longbottom, Quocirca Ltd, Tel: +44 118 948 3360, Email: Clive.Longbottom@Quocirca.com
Rob Bamforth, Quocirca Ltd, Tel: +44 7802 175796, Email: Rob.Bamforth@Quocirca.com

Governance, Risk Management and Compliance (GRC)

Dealing with GRC in an increasingly complex information-centric world

October 2013

An organisation has multiple stakeholders that need to be communicated with or reported to on a regular basis. Employees, partners, customers and suppliers are part of this community, alongside shareholders, trade and government bodies. Ensuring that all the stakeholders’ information needs are met requires a holistic approach to managing information – the creation of a GRC platform.


GRC is not a single issue – it is a complex mix of needs

GRC involves a range of issues covering internal and external information management and reporting. Good GRC enables an organisation to keep its internal stakeholders (employees, contractors, consultants) informed, while also enabling smooth information exchange along the value chain of suppliers and customers. It also enables an organisation to meet its multiple requirements against external compliance – whether these are to meet the needs of a body such as the ISO or the legal needs of central government bodies.

A GRC platform needs to be set against an organisation’s risk profile

A total GRC platform may be beyond the financial reach of many organisations. Each organisation should ensure that it understands its own stance on how much risk it is willing to carry at a corporate and individual company officer level, and what this means as to how much it has to invest in any GRC platform. However, IT should ensure that the basic IT platform mitigates as much information risk as possible through providing an all-round view of available information sources.

Information silos are here to stay – but create GRC problems

Applications, by their very nature, will create data in their own environment. Equally, end users will create documents and other files on file servers that are not easily mined in the same way as database sources. Implementing a system that monitors information streams and creates a complete index of information provides an overall view of the organisation’s corporate information assets.

Data is data – it needs to be distilled into information and then knowledge

Data on its own has little value, and imprecise or wrong data can dilute any possible value gained through analysis. Data sources need to be checked and ‘cleaned’ to ensure that data that should refer to the same object is correctly linked. Master data management (MDM) is a way to achieve this, creating single views on referential data such as customer and supplier names, product items and so on.

A suitable approach not only helps GRC, but also corporate decision making

Creating a platform where information can be regarded as a single pool of resource enables better GRC, but it also provides better analysis of the information to aid in corporate decision making. A single platform covering all information management needs is possible – and the value obtained from it will help define an organisation’s success in the markets, as well as its capabilities to meet its GRC needs.

A GRC platform moves away from a ‘perception of capability’

Point solutions tend to lull an organisation into a belief that they have compliance with the needs of a single GRC issue, such as DPA. However, in many circumstances, these point solutions do not have any reference to other GRC needs and, as such, one ‘solution’ could actually break the rules around another data management issue. A suitable GRC platform should be granular enough to ensure that any person only views what they are allowed to see, so maintaining compliance across all areas.

Conclusions

GRC is a complex and increasingly onerous issue that organisations are struggling to deal with. The only real way to manage the multiple different aspects of GRC is to create an overall information management platform that ensures searching, analysis and reporting are carried out across all information sources available to an organisation. Such a GRC platform can transform how an organisation operates: internally, externally and legally. A suitable platform also enables better, faster decision making, creating a more competitive organisation.


GRC – it’s a mix of things

Many seem to believe that governance, risk management and compliance (GRC) is actually one thing wrapped up three different ways. The focus seems to be on the legal aspects of managing a business, in making sure that the organisation is governed in a manner that minimises the risks of not being compliant, so avoiding fines and possible sanctions against the organisation’s senior employees.

However, this should not be the case. There are different aspects that should be borne in mind, as follows:

Internal governance

An organisation will have a set of ideals and rules that everyone involved with the business should follow. These may be set out in a corporate social responsibility (CSR) statement or an overall mission statement; they may take the form of access to certain information, such as regular performance updates and statements of trading conditions; or they may be unwritten understandings between the organisation’s stakeholders (employees, customers, suppliers and shareholders) as to what information they expect to be able to obtain from the business. The organisation must be in a position to provide that information quickly and cost-effectively – it has to be able to govern itself against its own needs.

External governance

As well as meeting the information needs of its own stakeholders, an organisation may choose (or have demands placed upon it by its own customers) to take part in market-specific accreditations, such as ISO or BS standards. These are not necessarily legal requirements, but they help meet the needs and perceptions of others in order to win or retain them as customers. For example, the ISO 9000 family of standards is the most widely accepted measure of whether an organisation has management processes in place that can help ensure consistency and quality of products or services. Many other organisations, particularly in the retail space, will want to be able to demonstrate that they adhere to requirements placed upon them by original equipment manufacturers and others, so that they can use an accreditation ‘flag’ or other demonstration of additional capability to differentiate themselves from their competition.

Risk management

Essentially, an organisation has to be able to understand its own corporate risk profile in order to manage its risks appropriately. As in life generally, it is impossible to eliminate risk completely, but knowing the variables that drive each risk, and what it would cost the business if that risk were not managed, makes it possible to put suitable management in place.

In many cases, the risks involved are down to how information is managed. This may be through data leakage; not being compliant to either internal, external or legal policies; or through poorly optimised usage of the information assets.

Legal compliance

There is an increasing legal load being placed on organisations. Statutory documents such as corporate accounts must be delivered to central bodies by specific deadlines; in the UK, the move to reporting pay as you earn (PAYE) in real time (Real Time Information, known as RTI) means that certain information has to be made available to HMRC as soon as an employee is paid any monies.

In the finance sector, the Financial Services Authority has been replaced by the Financial Conduct Authority (and the Prudential Regulation Authority), and firms must deliver documents centrally under regimes such as the Capital Requirements Directive (CRD), which implements Basel III for banks, and Solvency II for insurers. Pharmaceutical companies are required by the FDA to be able to deliver reports on drug trials. Automobile companies increasingly need to be able to aggregate data and instigate vehicle recalls so that remedial actions can be carried out. Food companies are in a similar position – if a problem in food quality has been identified, then central bodies will require that an organisation can quickly and effectively provide reports on the whole chain of where the food was sourced and processed, how it was moved through the different stages of logistics, and how it was stored and managed in the shop itself.

Every organisation falls under data protection laws. If there is a breach of data security, it may be a case of dealing with all the above aspects of internal and external governance, risk management and legal compliance in order to deal with the issue. Speed will be of the essence – but it will be effective speed that is required to prove to all concerned that the problem has been contained and that lessons have been learned. Even better would be to prevent the issue from occurring in the first place.

Every organisation will have some legal requirements for reporting; most will have multiple issues they are dealing with. Herein lies the problem – an approach of dealing with data and information problems as a set of different issues is doomed to failure. GRC needs a joined-up approach; one that looks at all available information from many different sources, yet does it all transparently and rapidly to meet the organisation’s needs.

The problem is that standard data reporting tools, such as existing business intelligence (BI) systems, do not work well in these situations. BI tends to look only at relational data – and this is only a small proportion of the information an organisation now holds. Office documents, emails, web searches and other information assets need to be included in GRC actions – and that needs a more complete and embracing platform to be in place.

Silos don’t work

If you Google for “data protection act software”, you will get nearly 19 million items back. Likewise, “capital requirements directive software” results in over 2.5 million; “retail product recall software” gives nearly 9 million results. Each of these is trying to deal with a specific issue.

This ‘best of breed’ approach used to be the way that organisations looked at acquiring technology solutions: the idea was that by going for the best system in each area, then the company would be able to out-perform its competitors.

However, this may not work in today’s businesses. As an example, let’s take a product recall. The original product manufacturer identifies an issue that requires a product recall – maybe a power supply that runs a risk of overheating. The manufacturer could put out adverts in as many outlets as possible asking people to return the item for fixing or refund. This runs the risk of gaining a small return – many of the items concerned could still be out there as the owners don’t see the recall notice or assume that it doesn’t apply to them.

Far better for the manufacturer to go to its resellers and get them to use their customer data to identify every buyer and get in contact directly with them and provide them with data as to how to return the item, knowing that as many buyers as possible are then contacted directly.

This may be a multi-tier environment, however – the manufacturer may have gone through distributors, who may have gone through second-tier distribution to multiple resellers. It would be quite easy for a problem to arise in such a complex process where information is made available outside the limits previously agreed with the customer – and now the Data Protection Act becomes part of the equation.

Unless the product recall system is completely aware of and compliant with the Data Protection Act requirements, it is a useless system. If the channel partners are provided with information that the customer has not agreed to be made available to third parties, then laws may have been broken – and the product recall moves from being a corporate brand issue to a legal issue. The perception of capability may have been provided by the chosen system – the narrow issue of product recalls has been dealt with – but the overall problem, that of treating data as intellectual property and as personally identifiable data (PID) that has an inherent value to the original owner, has been missed.


Another example: shareholders require regular reports on the financial shape of the organisation. If this is based purely on reporting hard figures against the accounting package used by the organisation, then a picture will be provided to the shareholder. However, if other information is available to the organisation that shows that the picture is not complete – for example, that the company’s largest customer has just gone into liquidation or that problems with a supplier means that production of stock is compromised – the report to the shareholders may be misleading. The lack of full disclosure to shareholders is an increasing issue – class actions have been brought against companies that have not disclosed all the information available to them. For example, timber company Gunns in Tasmania has had a class action against it and its CEO about his trading of shares in the business when he was in possession of information that he did not make available to other shareholders. Before the banking crisis hit, financial auditors in the UK and the US missed key information that should have raised greater questions and then more scrutiny of the banks, and have found their processes being questioned by central government bodies. Similarly, the financial rating agencies have been severely criticised for basing their ratings on a subsample of information, again leading to the banks being given clean bills of health where better scrutiny of the available information would have led to different – and probably better – conclusions.

It is far better to move to an environment that has data and information management built-in; one where the various governance, risk and compliance demands placed on an organisation can be dealt with by building a set of rules over the platform, rather than building new platforms every time a new requirement is identified.

Risk profiling

It is a waste of time implementing a GRC platform until the organisation has defined its own risk profile. This may seem like a statement of common sense, but Quocirca finds that many organisations do not have such a profile in place.

An organisation’s risk profile needs to cover several areas, based on the GRC items outlined earlier. Many organisations find themselves in a highly competitive market and will be loath to carry much risk to their brand. Others will be in a highly regulated environment and will not want to carry much legal risk.

However, there is always a balance to be reached – maintaining complete data security is impossible, and whereas basic security can be implemented at relatively low cost, each extra level of security starts to lead towards exponential costs. The same needs to be applied to brand value and any predictable costs of brand damage. Therefore, an organisation needs to identify the point at which expenditure on the solution becomes more expensive than the expected cost of the problem itself.

As an example, let’s look at the Data Protection Act. In theory, any organisation could be fined up to £500,000 for a “serious breach” of the act, and in some circumstances the individuals involved face personal criminal liability. There have been some major fines to date: two men trading as Tetrus Telecoms were fined a combined £440,000 for running one of the largest spam text-messaging operations known, using data obtained illegally; Brighton and Sussex University Hospitals NHS Trust was fined £325,000 after hard drives were found for sale on eBay with sensitive data still on them; and many more fines have been in the tens of thousands of pounds. Fines have been far higher since 2010, when the Information Commissioner’s Office (ICO) was given the power to impose monetary penalties for data breaches. In this case, it is worth an average company investing in ensuring that it adheres to DPA regulations – the fine has been pitched high enough to hurt should an organisation find itself on the wrong side of the law.

However, compare this with an organisation such as a bank. It may be holding highly sensitive details of millions of individuals, and if it somehow let all of these details into the public arena by accident, it would face the same maximum fine of £500,000. With banks’ profits running into billions of pounds, this fine is essentially a rounding error – it will have no material impact on the business. The brand would take a massive hit, however, so it would still seem worthwhile for a bank to ensure that its data is held securely. Yet history has shown that retail bank customers are ‘sticky’ – the majority will stay with a bank even where it has had considerable bad publicity. If the bank can predict closely enough how many customers it is likely to lose and what value they have to the bank, it can calculate how much it should invest in GRC without overspending on the solution.

A similar approach can be seen in telecommunications and utility companies. Here, they are used to high customer churn – particularly in telecommunications, where consumers change provider on a far more regular basis as better device offers and service pricing are offered to them. Brand value is therefore often based more on a price-per-service model (an overall offer that is lower priced than the competition) than on a value-add one (what the provider does better than the competition). In this case, many areas of GRC are seen more as insurance policies than as strategic investments – and corners will be cut where the organisation feels that it is happy to carry the risk.

There is also the personal aspect of any breach of legal compliance. Whereas previously, the risk has been carried purely by the organisation concerned, there is now the capability for a court to find the officers (directors and other senior staff) personally responsible for certain breaches. Now, legal compliance around information can result in personal fines or even prison terms – information management has to be taken more seriously.

So, with risk profiling, it is down to an organisation to understand the balance between the hard costs of fines and personal responsibility in any legal sense with the softer risks of loss of customers and investors against the overall cost of any solution that mitigates the problem. Only the business can make this decision – but the IT platform that it depends on should be capable of mitigating the issue as far as possible in the first place.

Each organisation will have to have its own profile – and will then have to choose an overall technical solution that meets the needs of the profile. Again, building a collection of disparate solutions will introduce technical risk leading to business risk in missing out on being able to monitor, measure and report on important areas. However, a cost-effective platform can be put in place that works on identifying, indexing and searching against all available information sources within an organisation and its value chain.

Building a GRC platform

Governance, risk management and compliance revolve around having sufficient control of your information assets. The only way to control information assets is to be in a position to know what those assets are and where they are at any particular time.

Using point solutions such as those aimed at providing DPA, ISO 27001 or PCI DSS compliance will show you what assets you have and where they are, as far as that particular system needs to know, but will tend to ignore anything it perceives as being outside its scope. There will therefore be no single ‘system of record’ that can be used to take an overall view of an organisation’s information assets, and managing the information to meet the organisation’s GRC needs will be far more difficult than it should be, if not impossible.

It is therefore necessary to put in place a capability to identify and index all information that is available to and needed by an organisation to meet its overall GRC needs. Streams of data should be identified by the type of data they carry (text, structured data, image, video, voice, etc.). Where possible, implicit information should be teased out, such as by looking for inherent structure in what may appear to be unstructured information, or by using the underlying extensible markup language (XML) formats of office documents.

Metadata should be added wherever possible, for example through automated tagging based on contextual knowledge of the information (e.g. that a picture came in through a search for a specific item, or that a voice file was created during a conversation with a specific customer).


Classification of data should also be included. The majority of information within an organisation will be of little corporate value, and can therefore be classified “Public”. Some will have a degree of commercial aspect to it, such as agreements between the organisation and a supplier, in which case it should be classified “Commercial in confidence”. Some may be of a higher security level, maybe requiring a “Secure” classification, whereas other data, such as details of mergers and acquisition activity, will only be available to named people and will need a classification of “For your eyes only”.

Interdependencies between applications need to be defined, so that core referential data paths can be identified and tracked. For example, if a customer’s name and address appears in more than one database, then these need to be identified and linked, preferably through the use of master data management (MDM) so that any action taken on a customer’s record is reflected throughout the organisation’s systems. MDM also enables easier ‘cleansing’ of data, with errors across multiple different records, for example “John Smith” and “Jon Smith” being the same person, being more identifiable.

Through indexing all of the information available, reporting then becomes far easier and more effective. Carrying out a search against a fully indexed data store that is also fully classified gives a complete view of the information that a specific person is allowed to see. For example, the search may produce 1,000 results, but 250 of these are above the security level of the person. They will therefore either see only the 750 results, or a redacted set of 1,000 results. The problem with presenting only 750 results is that the other 250 may be critical to the decision about to be made. Providing an indication that there is other data available that may affect the decision at least allows the person to refer the decision up to someone who has the security clearance to see the other 250 results.

A major benefit of creating a solid GRC platform is that it enables rules to be put in place for demonstrating compliance in different areas. For example, should there be a need for legal disclosure around demonstrating that the organisation is meeting its data protection requirements, a single rule can be set up that acts against the corporate data set, rather than against each application and information store separately. It also then means that a data protection officer only sees the data that they are allowed to see. The person responsible for reporting on ISO 9000 will only see what they need to see, maintaining internal data policies. The person responsible for producing financial reports will see what they are allowed to see; the HR person what they are allowed to see; the patent officer what they need to see – each without the issues of providing them with more data than they should be able to access.
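The two preceding paragraphs describe a search over a single classified index that returns only what the caller is cleared to see, yet signals that withheld results exist so the decision can be referred upwards, and per-role views (data protection officer, ISO 9000 reporter, HR, patent officer) driven by one set of rules over the shared data set. The following is an added illustration of that mechanism, not code from Quocirca or CommVault. It assumes the paper’s four labels form a strict order (Public < Commercial in confidence < Secure < For your eyes only), that “For your eyes only” material is additionally restricted to named readers, and a small in-memory index of constructed documents; the `escalate_to` field and all names are this example’s own.

```python
"""
Classification-aware search over a single indexed pool of documents.

Added example (not Quocirca's or CommVault's code). Assumes a strictly
ordered set of labels, with "For your eyes only" further limited to named
individuals, and a toy in-memory index of constructed documents.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Ordered labels from the paper; higher rank = more restricted.
LEVELS = {
    "Public": 0,
    "Commercial in confidence": 1,
    "Secure": 2,
    "For your eyes only": 3,
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    classification: str
    named_readers: FrozenSet[str] = frozenset()  # only consulted for FYEO


@dataclass(frozen=True)
class Principal:
    name: str
    clearance: str


@dataclass
class SearchResult:
    visible: List[str]          # doc_ids the caller may open
    withheld: int               # a count only: no ids, titles or snippets leak
    escalate_to: Optional[str]  # label that would unlock every withheld hit


def can_read(p: Principal, d: Document) -> bool:
    """Mandatory access check: the clearance must dominate the label, and
    FYEO material is further limited to the named readers on the record."""
    if LEVELS[d.classification] > LEVELS[p.clearance]:
        return False
    if d.classification == "For your eyes only":
        return p.name in d.named_readers
    return True


def search(index: List[Document], p: Principal, term: str) -> SearchResult:
    """Return the hits the principal may see plus a count of hits above
    their clearance, so a decision can be referred upwards rather than
    taken on a silently truncated result set."""
    needle = term.lower()
    visible, withheld = [], []
    for d in index:
        if needle not in d.text.lower():
            continue
        (visible if can_read(p, d) else withheld).append(d)
    escalate = None
    if withheld:
        # Highest label among the withheld hits (assumption: one level
        # that would unlock all of them is enough to route the referral).
        escalate = max((d.classification for d in withheld), key=LEVELS.get)
    return SearchResult([d.doc_id for d in visible], len(withheld), escalate)


# Constructed sample index (hypothetical content, not real data).
INDEX = [
    Document("web-001", "Acme Ltd product brochure", "Public"),
    Document("crm-017", "Acme Ltd supply agreement, pricing schedule",
             "Commercial in confidence"),
    Document("sec-042", "Acme Ltd breach incident notes", "Secure"),
    Document("board-003", "Proposed acquisition of Acme Ltd",
             "For your eyes only", frozenset({"cfo"})),
    Document("hr-009", "Payroll RTI submission log", "Secure"),
]

if __name__ == "__main__":
    analyst = Principal("analyst", "Commercial in confidence")
    print(search(INDEX, analyst, "acme"))
    # visible=['web-001', 'crm-017'], withheld=2, escalate_to='For your eyes only'
```

The point to check in any real implementation is that the withheld branch carries nothing but a count and a target level: returning titles, snippets or even document ids of results the caller cannot open is itself a disclosure, and the per-role views the paper describes only hold if every reporting path goes through the same `can_read` rule rather than each application applying its own.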

Conclusions

GRC is becoming more inclusive, as well as more onerous. The legal consequences of not managing information correctly are becoming harsher, with financial and personal penalties being significant. Point solutions aimed at managing single issues, such as a DPA solution, an ISO 9000 solution or a payment card security solution such as PCI DSS, can end up as a set of ill-fitting, mismatched jigsaw pieces that actually open the business up to more legal issues than they solve. Worse, the ‘perception of compliance’ that point solutions provide can lull an organisation into a false sense of security: it may only be when a legal case is brought that the system is found not to be fit for purpose.

Any GRC platform put in place has to meet the needs of all the stakeholders involved: employees, suppliers, customers, shareholders, external trade standards and compliance bodies, and central government bodies. An organisation has to regard its information as a single resource – any other approach will just lead to information sources being left out of reporting and decision making processes.

A comprehensive GRC platform will not only ensure that an organisation meets its various GRC needs; it will also create an environment where decision making is more rapid and more effective and so provide greater competitiveness in the market.


About CommVault

A singular vision – a belief in a better way to address current and future data management needs – guides CommVault in the development of Singular Information Management® solutions for high-performance data protection, universal availability and simplified management of data on complex storage networks. CommVault's exclusive single-platform architecture gives companies unprecedented control over data growth, costs and risk. CommVault's Simpana® software suite of products was designed to work together seamlessly from the ground up, sharing a single code and common function set, to deliver superlative Data Protection, Archive, Replication, Search and Resource Management capabilities. More companies every day join those who have discovered the unparalleled efficiency, performance, reliability, and control only CommVault can offer. Information about CommVault is available at www.commvault.com. CommVault's corporate headquarters is located in Oceanport, New Jersey in the United States.


About Quocirca

Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but often fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, IBM, CA, O2, T-Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com

Disclaimer:

This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may have used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.

REPORT NOTE:

This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today’s dynamic workforce.

The report draws on Quocirca’s extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.
