Predicts 2011: In the 'New Normal,' Governance, Risk Management and Compliance Are Inseparable From Business Realities

Transcription

1 Research Publication Date: 17 November 2010 ID Number: G Predicts 2011: In the 'New Normal,' Governance, Risk Management and Compliance Are Inseparable From Business Realities John Bace, Jeffrey Wheatman, Tom Scholtz, Julie Short, Betsy Burton, French Caldwell In a volatile worldwide economic environment, governance, risk and compliance (GRC) are evolving from a technology-centric approach to one interwoven with business requirements, contextual metrics and even social sciences. IT professionals involved with GRC need to move beyond technology in their approach to meeting rapidly changing mandates and managing complex and unpredictable risks. Key Findings The once-prevalent view of IT governance as a stand-alone entity, distinct and separate from corporate governance, is fading fast. Attempts to implement explicitly algorithmic and quantitative methods for risk assessment are usually unsuccessful, because they are contradictory to how humans interpret, assess and react to risk. Focusing on security and risk metrics without providing context undermines the goal of conducting risk management as a strategic business function. Regulators are placing more emphasis on enterprise risk management (ERM), challenging companies to be much more analytical with their statements of risk to stated business objectives. Recommendations Ensure that IT governance standards, practices and programs are aligned with corporate governance, and seek to achieve the enterprise's business objectives. Investigate relevant social sciences, such as psychology and sociology, for techniques and insights to use in developing, implementing and justifying the value of security and risk management programs. Develop a security and risk management portfolio catalog to demonstrate the areas where security provides functional benefits. Make GRC key considerations when defining architecture principles, focusing not only on the technical and solutions architecture, but also on business and information Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website,

2 WHAT YOU NEED TO KNOW The near-collapse of the world economy in September 2008 caused some enterprises that were considered "too big to fail" to do exactly that, and others to be saved only by huge infusions of cash from central banks and governments. Now, an avalanche of new and forthcoming regulations requires that the enterprise weave GRC tightly around the core mission of the business. STRATEGIC PLANNING ASSUMPTION(S) By 2014, enterprises will make no distinction between IT governance and corporate governance. By 2015, 25% of large enterprises will have personnel assigned to using social sciences techniques in their risk management programs. By 2014, security and risk organizations that do not report SLA-based metrics will see budgets and head counts fall. ANALYSIS Strategic Planning Assumptions Strategic Planning Assumption: By 2014, enterprises will make no distinction between IT governance and corporate governance. Analysis By: Julie Short, French Caldwell, John Bace and Betsy Burton Key Findings: Recent governance developments, including the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act, the King Code and Report on Governance for South Africa (King III), COBIT 5.0, and new regulatory oversight in the U.S. and the U.K. have increased the focus on boards of directors' responsibilities for oversight of risk management and shareholder/stakeholder rights management. These responsibilities are under close scrutiny, and this impacts IT organizations, just as it does any other part of the business. Board of directors are becoming increasingly conscious of their IT governance responsibilities, and are increasingly recognizing that IT is part of the business and, therefore, is subject to the same principles that apply to corporate governance. For these reasons, the treatment of IT governance as a stand-alone entity distinct and separate from corporate governance is fading. One consequence is that the number of material weaknesses reported under the U.S. Sarbanes-Oxley Act as attributable to IT has already declined markedly. Market Implications: The increased focus on IT governance as an element of corporate governance is one of the first practical examples of the wall between business and IT coming down. Business and IT practices and roles are becoming blurred, and so are their goals and strategies. Business goals and strategies must be the first consideration, and every other goal and strategy must be aligned with them. As a result, increasing importance is being placed on issues such as IT managers' roles in business strategy, the roles of the board and senior corporate management in IT strategy, enterprise architecture (EA), project and portfolio management, and IT investment processes, among many others. Executive management and IT must take notice of this development and respond accordingly. Recommendations: Publication Date: 17 November 2010/ID Number: G Page 2 of 7

3 Suspend any IT governance program planning or projects that are in development, and ensure that any IT governance definitions or principles reflect corporate governance principles. Executive management must evaluate where the responsibility for risk lies. It is no longer only a business or only an IT issue. Use the same business objectives for IT governance and for corporate governance. Develop business- and IT-related "bridging" skills and expertise, including: Related Research: Industry-specific knowledge ERM capabilities Regulatory expertise jurisdiction-specific Business capability modeling skills Simulation and scenario-planning skills Understanding Pattern-Based Strategy "Translation" capabilities that can reflect business and IT perspectives "Dodd-Frank: New Financial Reform Rules Are Not Just for Banks" "Toolkit: Statement of Governance, Risk and Compliance Principles" "New Banking Regulations: Assessing the Future and IT Planning" "Market Insight: An Investment Services Industry Primer, 2010" "Corporate Living Wills: The Potential Revolution in Banking and Technology" "What IT Leaders Should Know About Liquidity Risk Management Regulations" "IT Governance Must Be Driven by Corporate Governance" "EA Governance: Move Away from Command and Control" Strategic Planning Assumption: By 2015, 25% of large enterprises will have personnel assigned to using social sciences techniques in their risk management programs. Analysis By: Tom Scholtz Key Findings: The business typically does not consider risk and security management a value add. For this reason, practitioners must develop relationships that enable them to link their work to the drivers that are prevalent in the enterprise and they must understand the nature of organizational politics. Most of their colleagues, especially senior managers and executives, have personal ambitions, agendas and power bases. Cultural and behavioral change is traditionally driven from the top down in organizations, and the understanding and use of political dynamics via personal relationships, wherever possible can become powerful strategic tools. The rise of social collaboration software is changing this in some organizations, hence some change techniques will have to be applied in and through social software. Accordingly, security practitioners will need to develop technical skills in using such software. Publication Date: 17 November 2010/ID Number: G Page 3 of 7

4 Many security practitioners view risk management as a remedy that will enable them to improve relations with the business. However, attempts to implement explicitly quantitative methods of risk assessment run counter to how humans interpret, assess and react to risk. Risk interpretation and assessment are subjective and personal. Most risk and security management programs do not have the resources to immediately adopt social-sciences-based practices. Initially developing these skills and techniques should be an incremental process undertaken during a three-to-five-year period. Not all efforts will initially be successful; with experience and practice, organizations will improve results over time. Market Implications: Organizations that fail to investigate and leverage the basic principles of the social sciences as they relate to individual and group behavior will fail to mature their risk and security programs beyond Level 3 on the Gartner maturity scale. Such organizations will not anticipate the varying reactions of individuals to risks and controls, and thus will remain stuck in a never-ending reactive cycle of trying to corral user behavior through ever more complicated controls. Recommendations: Investigate relevant social sciences (such as sociology and psychology) for techniques and insights that can be applied to your risk and security management program. Use the principles of sociology, psychology and politics when interacting with the rest of the enterprise. Related Research: "Security and Risk Management as a Social Science" "Controlling Staff Behavior Takes More Than Technology" "No More Dr. No: Developing a Strategy for Business-Aligned Information Security" "15 Common IT Risk Management Pitfalls" Strategic Planning Assumption: By 2014, security and risk organizations that do not report SLA-based metrics will see budgets and head counts fall. Analysis By: Jeffrey Wheatman Key Findings: Gartner continues to see security and risk organizations developing tactical metrics and reporting them without context. This approach may help them manage operational activities, but it does not facilitate the goals of risk management as a strategic business function. Reporting on raw data with no context and no indications as to trending upward or downward provides no real value or indication of the benefits of the organization's activities. Moreover, without the interaction and feedback that result from a security governance process, security practitioners have no idea whether they are successfully supporting the goals and initiatives of their business constituents. Developing SLAs is an ongoing process that requires multidirectional communication among IT, security and the business, and also requires that security and risk leaders create and publish service catalogs for their stakeholders. Developing SLAs can be very challenging, but organizations that do not map their metrics and reporting activities to the business's activities will continue to be viewed as a cost center, resulting in a loss of focus on security as a business problem and decreasing budgets both operational and capital. ITIL, particularly v.3, has been instrumental in developing and socializing the concept of service portfolio creation and SLA-based metrics, and can be leveraged by enterprises already using ITIL for service delivery. For enterprises that don't use or plan to use ITIL, it can be challenging to Publication Date: 17 November 2010/ID Number: G Page 4 of 7

5 implement only the security piece, but the concepts can be used as a guideline for developing their SLAs for security services. Market Implications: SLAs are powerful tools that provide strong indications that security and risk professionals are committed to supporting risk management efforts associated with business goals, while identifying residual risk thresholds and managing risks appropriate to the systems and assets being protected. Security organizations that report detailed, technical and tactical metrics will continue to be viewed as a cost function that has received significant focus and funding with no visible proof of improvement. Senior management will see an opportunity to cut costs from an area that seems to provide no business benefit. Recommendations: Develop a security and risk management service portfolio catalog to identify areas where security provides functional benefits. Leverage the security governance process to identify key stakeholders, and facilitate the creation of business- and risk-appropriate service levels. Pilot a preliminary set of SLAs, and begin to develop metrics to identify the success of the security organization's activities and expenditures. Look to ITIL for guidance on creating service portfolios and SLA development for security and risk activities. Related Research: "The Do's and Don'ts of Information Security Metrics" "Q&A: How to Close the Gap Between Information Security and IT Risk Management" "Introducing the Gartner Information Security Governance Model" "The Fundamental Starter Elements for IT Service Portfolio and IT Service Catalog" "Leverage ITIL v.3 to Integrate Information Security With the IT Service Management Life Cycle" A Look Back In response to your requests, we are taking a look back at a few key predictions from previous years. We have intentionally selected predictions from opposite ends of the scale one where we were wholly or largely on target, as well as one we missed. On Target: 2007 Prediction By 2010, more than 50% of heavily regulated companies will have made the decision to create an ERM program. (From "Predicts 2007: Building Business Value With Risk Management, Ethics, Governance and Compliance") This prediction was published in 2007 just as the hype over Sarbanes-Oxley compliance was beginning to wind down. At that time, many organizations were starting to take a risk-oriented approach to compliance using risk assessments to focus on key controls where the risks were highest. Risk assessments for compliance also provided insight into potential improvements in performance. At the same time, credit rating agencies, Standard & Poor's in particular, began to include ERM programs as an element in their analysis of companies' credit scores. In 2008, the financial crisis further raised the profile of risk management competence, with poor risk management being blamed in part for the failure of leading banks. Since 2008, regulators in Publication Date: 17 November 2010/ID Number: G Page 5 of 7

6 the U.S. and the U.K. increased focus on companies' reporting on ERM. In the U.S., new rules from the Securities and Exchange Commission (SEC) require reporting on the board's role in risk oversight. The 2009 IBM CIO survey shows risk management and compliance as the thirdhighest priority for CIOs. A 2010 survey by the Federation of European Risk Management Associations shows compliance and legal requirements as the primary triggers for improving risk management, followed by shareholders' requirements. A Gartner survey in 2010 shows that the majority of companies that implement enterprise GRC platforms are using them for ERM. Missed: 2008 Prediction Through the end of 2010, challenges surrounding the process of e- discovery, including excessive cost and the inability to produce electronically stored information (ESI), will deter almost 50% of enterprises from seeking traditional legal remedies. (From "Predicts 2008: Governance, Risk and Compliance Are Critical Issues for Security Professionals") This prediction was published just one year after the 2006 Federal Rules of Civil Procedure (FRCP) amendments regarding ESI went into effect. It was an extremely confusing time, as lawyers and judges needed to digest and apply only the third set of changes to the rules regarding technology in more than 70 years of the FRCP. The cost of discovery that first year was astronomical, and the results often were anything but predictable. One member the U.S. Supreme Court warned that those with matters to settle would turn to other venues to seek satisfaction (see "Cost of E-Discovery Threatens to Skew Justice System"). One very large international law firm that conducts an annual litigation trends survey with thousands of enterprises in the U.S. and U.K. found a huge number of organizations turned to alternative dispute resolution (ADR) and arbitration in Its 2010 survey finds that in the U.S., the use of arbitration is one-half the levels of 2007, and in the U.K. almost one-third, while in both countries the expectation of traditional litigation continues to grow. The venue the law firm cites will be the traditional court system, where predictability and transparency are consistent and decisions set legal precedent. One area where ADR is growing is in international arbitration, mostly to deal with conflict-of-laws issues, where common laws regarding discovery are often contrary to privacy statutes. RECOMMENDED READING "Dodd-Frank: New Financial Reform Rules Are Not Just for Banks" "Toolkit: Statement of Governance, Risk and Compliance Principles" "New Banking Regulations: Assessing the Future and IT Planning" "Market Insight: An Investment Services Industry Primer, 2010" "Corporate Living Wills: The Potential Revolution in Banking and Technology" "What IT Leaders Should Know About Liquidity Risk Management Regulations" "IT Governance Must Be Driven by Corporate Governance" "EA Governance: Move Away from Command and Control" "Security and Risk Management as a Social Science" "Controlling Staff Behavior Takes More Than Technology" "No More Dr. No: Developing a Strategy for Business-Aligned Information Security" "15 Common IT Risk Management Pitfalls" Publication Date: 17 November 2010/ID Number: G Page 6 of 7

7 "The Do's and Don'ts of Information Security Metrics" "Q&A: How to Close the Gap Between Information Security and IT Risk Management" "Introducing the Gartner Information Security Governance Model" "The Fundamental Starter Elements for IT Service Portfolio and IT Service Catalog" "Leverage ITIL v.3 to Integrate Information Security With the IT Service Management Life Cycle" REGIONAL HEADQUARTERS Corporate Headquarters 56 Top Gallant Road Stamford, CT U.S.A European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo JAPAN Latin America Headquarters Gartner do Brazil Av. das Nações Unidas, andar World Trade Center São Paulo SP BRAZIL Publication Date: 17 November 2010/ID Number: G Page 7 of 7