
Sane strategies in risk-infested waters

Editorial Type: Industry Focus | Date: 11-2015 | Views: 10976

What steps does any business have to take to get governance, risk and compliance right - and what dangers might surface along the way?

To keep up to date with a constantly evolving compliance environment, companies must know what they are required to adhere to at any point in time. Corporate enterprise risk management must therefore consider both internal and external risks to provide the company with sufficient information to make effective business decisions.

Such is the viewpoint of Simon Persin, a director at Turnkey Consulting, who goes on to say: "It is easy for companies to invest a lot of time, cost and energy into shaping very large, cumbersome governance, risk and compliance (GRC) programmes to try to respond to every nuance of each regulation. However, GRC at its most effective allows continuous improvements to the business by protecting it from risk via appropriate controls implemented in their most efficient manner. A good internal controls environment should not add overheads and restrictions that stifle agility, innovation or constrict business performance."

This requires keeping the business as the prime focus, at the same time as remaining tapped in to what is changing in the regulatory and governance world. "Seeking out every update or proposed amendment to any given regulation could be a full-time job, so tools that support this task, such as RSS feeds from the regulatory bodies and subscriptions to content feeds provided by other trusted partners, are valuable, because they provide a digest of relevant information."

He points to how a clear governance structure, with well-defined organisational roles and responsibilities, shows which part of the organisation needs to take the lead on each risk or opportunity. "Key questions are: 'Whose problem is it?' or 'Who has the compelling action to progress this?' Starting with the business processes, it is important to invest time in identifying risks and classifying them. Failure to undertake this step can lead to controls that are redundant to the business - ie, implementing controls for the sake of it."

A GRC system is critical to centralise the business processes, risk and control content alongside a representation of the organisation that operates the various activities, Persin argues. "This provides one version of the truth to all stakeholders, supports the business in understanding exactly which risks and controls are required, and allows management to spot potential overlaps or gaps in the control framework. Automated controls reduce the time required for testing, as well as increasing accuracy, while further time can be saved if controls can support multiple regulations."
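The gap and overlap analysis Persin describes, and the "controls for the sake of it" problem raised in the previous paragraph, come down to a simple join across three sets: risks, regulatory requirements and the controls that claim to address them. The following is an added example (not code from the article or from Turnkey Consulting) that builds that control matrix in memory and reports uncovered risks, unmet requirements, controls that address nothing, controls that evidence more than one regulation, and requirements tested twice. All identifiers, risk descriptions and requirement names are constructed for illustration and do not correspond to real clauses of any standard.

```python
"""Control-matrix analysis for a GRC register (constructed example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    risks: FrozenSet[str]           # risk ids this control mitigates
    requirements: FrozenSet[str]    # "REGULATION:requirement" ids it evidences
    automated: bool = False


def expand_requirements(regulations: Dict[str, Set[str]]) -> Set[str]:
    """Flatten {regulation: {requirement, ...}} into 'REG:req' identifiers."""
    return {f"{reg}:{req}" for reg, reqs in regulations.items() for req in reqs}


def analyse(risks: Dict[str, str],
            regulations: Dict[str, Set[str]],
            controls: List[Control]) -> Dict[str, object]:
    """Cross-reference risks, requirements and controls; report gaps and overlaps."""
    all_reqs = expand_requirements(regulations)
    covered_risks = set().union(*(c.risks for c in controls))

    # Which controls evidence each requirement (the basis for overlap detection).
    req_to_controls: Dict[str, Set[str]] = {}
    for c in controls:
        for req in c.requirements:
            req_to_controls.setdefault(req, set()).add(c.control_id)

    return {
        # Risks in the register that no control mitigates.
        "uncovered_risks": sorted(set(risks) - covered_risks),
        # In-scope requirements that no control evidences.
        "uncovered_requirements": sorted(all_reqs - set(req_to_controls)),
        # Controls tied to neither a risk nor a requirement: "controls for the sake of it".
        "redundant_controls": sorted(
            c.control_id for c in controls if not c.risks and not c.requirements),
        # Controls whose evidence satisfies more than one regulation at once.
        "multi_regulation_controls": sorted(
            c.control_id for c in controls
            if len({req.split(":", 1)[0] for req in c.requirements}) > 1),
        # Requirements tested by more than one control (candidate duplicates).
        "overlapping_requirements": {
            req: sorted(ids) for req, ids in req_to_controls.items() if len(ids) > 1},
        # Controls claiming a requirement that is not in the defined scope.
        "unknown_requirements": sorted(set(req_to_controls) - all_reqs),
    }


def demo() -> Dict[str, object]:
    """Run the analysis over a small constructed register."""
    risks = {
        "R1": "Unauthorised access to the finance system",
        "R2": "Loss of customer data",
        "R3": "Unapproved change reaches production",
        "R4": "Security incident goes undetected",
    }
    # Constructed requirement names; not real clauses of SOX or ISO/IEC 27001.
    regulations = {
        "SOX": {"access-review", "change-approval"},
        "ISO27001": {"access-review", "backup-test", "incident-log"},
    }
    controls = [
        Control("C1", "Quarterly user access recertification",
                frozenset({"R1"}), frozenset({"SOX:access-review", "ISO27001:access-review"})),
        Control("C2", "Change ticket approval before deployment",
                frozenset({"R3"}), frozenset({"SOX:change-approval"})),
        Control("C3", "Automated daily backup restore test",
                frozenset({"R2"}), frozenset({"ISO27001:backup-test"}), automated=True),
        Control("C4", "Annual awareness quiz", frozenset(), frozenset()),
        Control("C5", "Monthly privileged-account review",
                frozenset({"R1"}), frozenset({"SOX:access-review"})),
    ]
    return analyse(risks, regulations, controls)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed register the report shows R4 with no mitigating control, the ISO27001 incident-log requirement with no evidence, C4 addressing nothing, C1 serving both regulations, and SOX access-review tested twice by C1 and C5, which is exactly the list a control owner would take into a rationalisation review.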

STANDARDS AS STANDARD
Fordway MD Richard Blanford singles out standards as the starting point for GRC, including implementing best practice frameworks such as ITIL, which can now be formally accredited to ISO/IEC 20000 for service management and also align to ISO/IEC 27001 for security management. "However, an organisation needs to be innovative in how it manages risk to differentiate itself against its competitors and respond to changing markets, while providing lasting assurance to its customers," he adds. This means considering three factors:

• Its own ethical stance and culture
• The legal and potentially moral frameworks it operates in, which vary greatly across jurisdictions and even within 'standardised' trading blocs such as the EU
• Its security requirements and appetite for risk.

"Being averse to risk can be extremely expensive, but getting it wrong can be even more costly. Overbearing restrictions mean a slow response to changing situations, but too few restrictions can put a business at risk. Each organisation needs to assess its aptitude for risk and ensure its suppliers align with this position. This can only be achieved from discussions with both suppliers and their existing comparative customers [reference sites]. The result should be a cost-effective partnership on agreed standards, and the joint operation of governance, risk and compliance," states Blanford.

By way of example, he cites a large IT supplier that will typically have a long and well established compliance process that is extremely secure, but comes at a high cost. "An SME will be more agile and can potentially use its technical expertise on the specific area of work to reach the same goal more quickly. The buyer has to assess whether the resulting risk is acceptable, and find the right balance between risk and restriction, which is where it obtains best value services."


