Feature: Sane strategies in risk-infested waters
Editorial Type: Industry Focus
Date: 11-2015
Key Topics: Security, Governance, Compliance, Risk Management, Standards, Legislation
Key Companies: Turnkey Consulting, Fordway, Fujitsu
Key Products: ITIL, ISO27001, ISO20000
What steps does any business have to take to get governance, risk and compliance right - and what dangers might surface along the way?

To keep up to date with a constantly evolving compliance environment, companies must know what they are required to adhere to at any point in time. Corporate enterprise risk management must therefore consider both internal and external risks to provide the company with sufficient information to make effective business decisions. Such is the viewpoint of Simon Persin, a director at Turnkey Consulting, who goes on to say: "It is easy for companies to invest a lot of time, cost and energy into shaping very large, cumbersome governance, risk and compliance (GRC) programmes to try to respond to every nuance of each regulation. However, GRC at its most effective allows continuous improvements to the business by protecting it from risk via appropriate controls implemented in their most efficient manner. A good internal controls environment should not add overheads and restrictions that stifle agility, innovation or constrict business performance."

This requires keeping the business as the prime focus, while remaining tapped in to what is changing in the regulatory and governance world. "Seeking out every update or proposed amendment to any given regulation could be a full-time job, so tools that support this task, such as RSS feeds from the regulatory bodies and subscriptions to content feeds provided by other trusted partners, are valuable, because they provide a digest of relevant information."

He points to how a clear governance structure, with well-defined organisational roles and responsibilities, shows which part of the organisation needs to take the lead on each risk or opportunity. "Key questions are: 'Whose problem is it?' or 'Who has the compelling action to progress this?' Starting with the business processes, it is important to invest time in identifying risks and classifying them. Failure to undertake this step can lead to controls that are redundant to the business - i.e., implementing controls for the sake of it."

A GRC system is critical to centralise the business processes, risk and control content alongside a representation of the organisation that operates the various activities, Persin argues. "This provides one version of the truth to all stakeholders, supports the business in understanding exactly which risks and controls are required, and allows management to spot potential overlaps or gaps in the control framework. Automated controls reduce the time required for testing as well as increase accuracy, while further time can be saved if controls can support multiple regulations."
STANDARDS AS STANDARD
• Its own ethical stance and culture

"Being averse to risk can be extremely expensive, but getting it wrong can be even more costly. Overbearing restrictions mean a slow response to changing situations, but too few restrictions can put a business at risk. Each organisation needs to assess its aptitude for risk and ensure its suppliers align with this position. This can only be achieved from discussions with both suppliers and their existing comparative customers [reference sites]. The result should be a cost-effective partnership on agreed standards, and the joint operation of governance, risk and compliance," states Blanford.

By way of example, he cites a large IT supplier that will typically have a long and well-established compliance process that is extremely secure, but comes at a high cost. "An SME will be more agile and can potentially use its technical expertise on the specific area of work to reach the same goal more quickly. The buyer has to assess whether the resulting risk is acceptable, and find the right balance between risk and restriction, which is where it obtains best value services."