What 2011 Holds in Store for Your GRC Program – Five Predictions

It’s certainly not news that 2010 has been a tough year for organizations looking to establish and maintain an effective GRC program as they face the ongoing challenges of balancing GRC obligations with budget and resource constraints. In 2011, as the number of applicable regulations and standards increase and organizations look to protect themselves against security breaches, I expect the importance of GRC to increase in the coming year.

So, where should your organization start? The following are my five predictions for what 2011 hold in store for your GRC program.

• Prediction #1 | Greater Focus on Risk Management Capabilities

Although many pundits have predicted more focus on risk management for years, in my discussions with clients, I haven’t really seen it in action. Quite simply, even if organizations purchase a GRC technology with the expressed goal of improving risk management efforts, compliance has tended to predominate, as the simpler and more achievable objective.

However, I’m going to go out on a limb to call 2011 as the year risk management finally surpasses compliance as the top GRC initiative. I’m willing to make this leap for a couple of reasons: compliance maturity and client requests. I believe the majority of organizations have matured their compliance processes enough to move on to other objectives. In addition to compliance maturity, I’m seeing more and more clients asking how to get the most out of TruComply’s risk management capabilities – TruComply being ANX’ GRC technology.

- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – -
Malware Security Report: Protecting Your Business, Customers, and the Bottom Line
- – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – - – -

Hopefully, as organizations mature their risk management capabilities, they will find that their compliance program has not only resulted in controls that meet regulatory requirements, but these same controls also mitigate a significant degree of business risk.

• Prediction #2 | Redeployment of Internal Resources

According to recent studies, risk and compliance functions spend the majority of their time on tactical administrative tasks. Indeed, studies show that as much as 62% of effort is spent on data collection versus 36% on analytics/risk mitigation, and 2% on other tasks.

I’ve found that when tactical activities dominate a program, there are 3 main issues that arise – audit fatigue, low value outcomes, and low level of executive participation.

Audit fatigue: Let’s face it – facilitating an assessment process is a tedious and thankless job. Participants have a day job they are trying to complete and the assessment interferes with that day job. If an assessment is bogged down in tactical activity, everyone loses patience.

Low value outcomes: The real value of an assessment comes out of the strategic activities – analysis and risk mitigation. If the tactical effort is all-consuming, the analysis and remediation usually gets shortchanged, leaving the organization with a feeling that all their work was wasted.

Low level of executive participation: Tactics do not interest executives, particularly if multiple meetings become consumed with process updates versus insight about the business gleaned from assessment findings. Executives tend to start looking for excuses to not come to the next meeting.

In 2011, leading organizations will reverse these percentages, with more focus on strategic activities, through enhanced GRC workflow capabilities – such as better delegation and definition of controls – and in some cases, GRC outtasking. In GRC outtasking organizations outsource process management to a third party like ANX and retain decision making and remediation in-house.

• Prediction #3 | Self-Service for Greater Efficiency

GRC staff such as risk, compliance, internal audit, and security personnel define the rules of the game and referee but line managers execute the majority of GRC activity. In 2011, leading organizations will empower line managers with the technology and corporate-approved processes and content they need to plan and execute their own GRC initiatives, ultimately reducing the cost of GRC and blending it more seamlessly with the organization.

I believe that organizations who adopt such a decentralized approach in 2011 will reap a number of advantages, including lower overhead costs, a better adoption of the GRC philosophy as an integral part of corporate culture, and better knowledge transfer of GRC concepts and control knowledge to line management – all resulting in a deeper, richer GRC program.

This may be threatening to GRC staff at first, as they turn over activities they’ve traditionally performed to line management. However, at the end of the day, the GRC challenges that need to be addressed are nearly endless. The truth is there is a lot more work that needs to get done. Delegation and decentralization will allow GRC staff to get off the tactical program maintenance treadmill and move on to new risks and compliance challenges the organization faces.

• Prediction #4 | Increase Use of Contract / Vendor Management

As regulatory requirements expand, usage of the ‘cloud’ and SaaS technologies grows, and the number of obligations imposed by business partners increase, 2011 will show that leading organizations will need to utilize an enterprise-wide vendor risk management process and control library. I believe we will see an upward trend in organizations using standard vendor assessments and leveraging industry frameworks, such as UCF, BITS, and HyTrust.

• Prediction #5 | SaaS Overtakes Software

It’s no secret the traditional favorite of clients is to implement an on-premise solution. However, in 2011, more than 50% of new implementations will leverage a SaaS delivery model for GRC. In today’s economy, when organizations are able to take advantage of lower operating costs, faster time to value, less implementation risk, more flexibility, and less vendor risk when adopting a SaaS model, I don’t believe the above statement is so far off.
At the end of the day, 2011 will definitely be an exciting year for GRC programs.

ANXeBusiness Corp.

About ANXeBusiness Corp.

ANXeBusiness is a technology company focused on providing managed services that enable secure collaboration within and between enterprises. The company's services include Managed Security Services, Transaction Services and Lifecycle Management Services. Service capabilities are delivered using a cloud-based, multi-tenant delivery model with gold-standard service levels.

, ,

No comments yet.

Leave a Reply


*