Management, compliance & auditing

To Reduce Risk, De-emphasize “C” and Focus on “G”

By their nature, business endeavors involve various elements of risk. These elements may include technological, commercial, legal, financial, and environmental risks.

As technologies evolve, businesses become global and regulations more pervasive, the level of risks facing organizations grows exponentially and the challenges become ever more complex.

Organizations have long sought frameworks for risk management to help them identify events or circumstances which might be harmful to their objectives, assess them in terms of likelihood and magnitude, and formulate a response strategy.

GRC is the acronym that has been applied to this discipline. GRC tools aim to provide a framework that can help organizations coordinate their Governance, Risk management and Compliance efforts. A number of major software vendors have identified GRC as a significant opportunity and have developed tools and technology platforms to meet that demand.

However, the software companies and their prospective customers clearly do not value the two critical elements of risk management equally. The marketing efforts of the large GRC vendors and their customers' internal justifications for purchasing these platforms focus more on Compliance Management ("C") and not enough on Governance ("G").

One only need look at the web sites of the most prominent GRC vendors to recognize this imbalance. Here are several quotes from a variety of vendors demonstrating this bias:

"Integrated risk management, sustainable regulatory compliance - A Strategic Path"

"Manage risk and compliance across multiple regulations, including Basel II, Solvency II, SOX and SOX-like requirements, financial reporting, data privacy, industry regulations"

"Compliance is easy to quantify. Quantifying a risk – which may or may not happen – isn't so straightforward. But companies that tackle both in a timely manner are the ones that succeed."

"Manage risks, enforce and demonstrate compliance, and automate business processes."

But we have learned from recent events that a narrow focus on compliance does not lead to an overall reduction in risk.

The clearest examples are in the retail space where the largest retailers (Target, Home Depot, et al.) had extensive PCI compliance programs, yet were shown to be extremely vulnerable to hacking and network infiltration.

Similar situations have occurred in the financial sector. JP Morgan lost $6 billion dollars on a rogue derivatives trade, and a number of other major banks were implicated in a scheme to manipulate the LIBOR interest rate. These events transpired despite the fact that all of the banks involved had extensive compliance programs.

Compliance tools, by definition, were created to ensure that institutions abide by the rules governing their respective industry. The paradox of compliance management, however, is that for organizations which rely on rules alone to deter misconduct, there exists a strong danger that they will be ignored, and that workarounds, backdoors and loopholes will be found and exploited. Too many organizations have built environments where responsibility for decisions lies less on the individual and more on the passive back office compliance systems.

To reduce risk more effectively, organizations should adopt a more active approach than simply relying on compliance standards. Instead, companies should focus more on the Governance components of the tools that their GRC vendors supply. These "G" components can help organizations implement good policies and, in turn, better enable them to define ethical behavior, underscore punishments and deterrents to improper actions, and be used to hold parties accountable.

By creating effective policies, implementing awareness training and testing programs, and consistently monitoring the overall process, an organization can build an infrastructure to support ethical decision making, which, after all, is the fundamental way to reduce risk.

Modern business organizational structures have evolved from command and control to more decentralized decision making models. This is a result of globalization, economic imperatives and improved technology. Consequently, many layers of middle managers have disappeared, leaving front line employees more responsible for their own actions and how those actions impact the organization as a whole.

GRC vendors should take the lead in demonstrating to companies how "G" can be more important than "C" in creating an effective risk management program. By marketing their products to show how this approach generates improved employee behavior, vendors can present themselves to companies as a resource to foster an ethical corporate culture. True reduction in risk comes from all employees having a common understanding of corporate expectations and taking ethical actions which advance the mission of the organization.

Ken is the founder of Kaliber Data Security helping businesses improve their Information Risk Management programs with the conviction that IT Security is not merely a technical issue, but rather a process that involves employees at all levels of an organization and is integral to business success.