Many enterprise governance, risk and compliance (eGRC) challenges remain to be addressed.

A recent global study conducted by the Ponemon Institute cites a lack of defined strategy and lack of enterprise co-operation and collaboration as the largest barriers to meeting GRC objectives.

The study, entitled ‘The Role of Governance, Risk & Compliance in Organisations’, was published in May 2011 and its results represent the global financial services, technology, healthcare and pharmaceutical industries.

According to the survey, although eGRC continues to emerge as a top C-suite priority, only 20% of organisations have a clearly defined eGRC strategy that pertains to the entire enterprise, and 33% admit they have no eGRC strategy at all.

Furthermore, it shows that while eGRC responsibilities are rapidly spreading from the IT epicentre out to the operations, finance and legal domains, collaboration among and between these critical areas is lagging. Only 28% of respondents report that their organisations enjoy frequent collaboration or co-operation among eGRC domains, and 12% admit their eGRC functions still operate in silos.

“These global results are very much in line with what is being seen locally,” explains Karel Rode, EMC’s RSA principal consultant. “One of the biggest challenges South African companies face is the lack of a single view across the enterprise.”

Although the local market has seen an increase in awareness of the importance of GRC over the last six months, Rode maintains that overall acknowledgement is not enough. “This is most likely due to the general perception that GRC is a time-consuming and expensive endeavour, which requires specialised skills to execute and maintain.”

Although this used to be the case, Rode explains that some technology now allows GRC to be rapidly deployed and centrally managed and controlled across an entire enterprise. “To ensure competitive advantage, companies should use GRC tools that can be easily integrated into the existing business without disruption,” he says. “These tools should also encompass all business areas, namely IT, operations, legal and finance, so that enterprise-wide collaboration can be achieved.”

More silos

According to Kgabo Badimo, divisional MD at Jasco Enterprise Applications, business units are not the only source of fragmentation affecting enterprise GRC. “The growing South African regulatory environment, higher business complexity and increased focus on accountability as a result of King III have led enterprises to pursue a broad range of governance, risk and compliance initiatives across the organisation,” he says. “However, these initiatives are uncoordinated where risks are interdependent and controls are shared. As a result, these initiatives get planned and managed in silos, which potentially increases the overall business risk for the organisation.”

The Ponemon survey further indicates that, regardless of industry, all organisations report that managing privacy regulations by geography and in accordance with country or state laws is a driving factor in their move to an integrated programme that supports IT, legal, operations and finance. Respondents identified their top two privacy challenges as: ensuring data shared with third parties will remain safe and secure; and complying with all appropriate regulations.
The span of a governance, risk and compliance process

By Kgabo Badimo, divisional MD, Jasco Enterprise Applications

Governance is the oversight role and the process by which companies manage and mitigate business risks. The governance process within an organisation includes communication of corporate control, policies, enterprise risk management, regulatory and compliance management and oversight. A governance process integrates all these elements into a coherent process to drive corporate governance.

Risk management enables an organisation to evaluate all relevant business and regulatory risks and controls, and to monitor mitigation actions in a structured manner. A risk management process provides a strategic orientation for companies of all sizes in all geographies, with a formal process to identify, measure and manage risk. Companies are looking to systematically identify, measure, prioritise and respond to all types of risk in the business, and then manage any exposure accordingly.

Compliance ensures an organisation has the processes and internal controls to meet the requirements imposed by governmental bodies, regulators, industry mandates or internal policies. The compliance process enables organisations to make compliance repeatable, and hence enables them to sustain it on an ongoing basis at a lower cost. When an organisation is dealing with multiple regulations at the same time, a streamlined process of managing compliance with each of these initiatives is critical, or else costs can spiral out of control and the risk of non-compliance increases.

To illustrate the dangers an increasingly complex regulatory environment can pose to local companies, Badimo refers to the Payment Card Industry Data Security Standard (PCI DSS). “PCI DSS is currently very topical due to an increase in online and contact centre transactions. This standard is meant to provide consumers and customers with peace of mind that their credit card details will not be used for fraudulent transactions.

“The PCI DSS and Acts such as FICA, FAIS, RICA, and Protection of Personal Information (PPI) provide the backbone for the new Consumer Protection Act (CPA) and are integral to its effective execution. As such, it also provides the gateway for the business owner to mitigate his risk.

However, complying with these acts can be onerous and costly, which may hinder contact centres from making the investment. Not complying can cost more than the investment, through financial penalties, and can even compromise a business’s reputation.”

Like Rode, he believes that by taking an integrated governance and risk management process approach and deploying a single system to manage the multiple governance, risk and compliance initiatives across the organisation, many of the GRC challenges companies face can be addressed.

“Such an approach can have a dramatic positive impact on organisational effectiveness by providing a clear, unambiguous process and a single point of reference for the organisation, and by providing a ‘single version of the truth’ to employees, management, auditors and regulatory bodies.”

Badimo also agrees that much of the eGRC “headache” can be circumvented through automated solutions. “There are many governance and risk management solutions in the market addressing various aspects of risks in the organisation. In order to articulate what makes a solution a risk management solution, organisations must have an identified and comprehensive set of capabilities and processes of risk management that provides a benchmark to evaluate any solution. It is critical that a compliance and risk management solution must be able to address a wide range of compliance and risk management initiatives.”

Similarly, 90% of the Ponemon survey respondents believe enabling technologies are essential or very important to achieving eGRC objectives. The applications most likely to be deployed to facilitate eGRC-related activities include risk assessment (81%), policy management (75%), controls assessment (73%), incident response and management (68%), and compliance monitoring (63%).


Without enforcement all is lost

Although these results indicate the industry is positive and knowledgeable enough about GRC to effectively mitigate risk, Philip Gerber, MD of Magix Security, believes successful eGRC remains to be seen.

“Historically, there has been little GRC-oriented legislation in SA,” he says. “Only the PPI Act so far is truly set to call companies to action.” Much of the current non-compliance is due to a lack of enforcement, Gerber believes. “Internationally, there are more legislations, and enforcement mechanisms are stronger and more advanced,” he says. “Local companies fail to justify the perceived benefits of GRC against the costs involved, and since we don’t have adequate elements to enforce compliance, the elements of GRC are either ignored, or avoided.”

Using PCI as an example again, Gerber says local companies will avoid this legislation either by not accepting credit cards as a payment method, or by subscribing to a payment solution that makes a third party (eg, a payment processor) responsible for compliance.

“Legislation is important, but there needs to be proper enforcement mechanisms in place if they are to be complied with locally,” he concludes.
