Resource Management. Compliments of. Published by

Transcription

1 Why Four Professional Essential Steps Services for Building Organizations a Need GRC Improved Strategy Financial and Resource Management Compliments of Published by C U S T O M M E D I A S O L U T I O N S

2 2 Four Essential Steps for Building a GRC Strategy The best Governance, Risk and Compliance strategy addresses compliance, manages risk and provides business insight. It starts with the right IT Infrastructure. In the current economic climate, risk management issues have risen to the top of executives priority lists. Some 85 percent of global enterprises surveyed by Accenture 1 think their risk management capabilities need to change, according to the 2009 study of the risk management attitudes and capabilities. Of the 250 respondents, 42 percent pointed to the need for better integration of risk, finance and business data, while 80 percent say that poor data quality, inefficient reporting and fragmented systems are increasing the cost of risk management. The costs of effective risk management are increasing, according to the Accenture report. The increased cost of risk management is driven primarily by increased business complexity, as well as inefficiencies in systems, data and processes. Building a Governance, Risk and Compliance (GRC) strategy is one of the key tasks of any business leader in the IT space. This White Paper asserts that the most successful models address compliance demands, but also help the corporation manage risk while providing business-level insights throughout the enterprise. This is achieved by tightly integrating IT functions. Step One: Integration Accenture offers advice on achieving high performance through improved risk management functions. Develop more integrated risk management capabilities. Risk management must be institutionalized, integrated and aligned with the operating model of the business. It must offer a holistic view of the enterprise, enabling the identification and understanding of a variety of risks, and then feed that understanding into the growth engine of the company. Improve the quality of information and the frequency of risk reporting. Companies that are more competent in managing risk have a higher frequency of risk reporting to different stakeholders. Risk-adjust the company s performance management processes. Combining risk-adjusted metrics with traditional asset liability management and profitability performance measurements can provide a company with a more balanced view.

3 3 Increase the involvement of the risk function in driving value creation. Accenture believes that companies have an opportunity to employ risk management as a competitive differentiator to create value while also protecting the interests of shareholders and other key stakeholders in a cost-effective manner. Improved compliance is an important goal, but higher goals must also be pursued. Step Two: Coordination Assembling an IT infrastructure that achieves all of these goals requires coordination between business units and the IT department, a process often easier said than done. Some business managers are not convinced of the benefits of implementing a cohesive GRC approach across the enterprise, or are too busy reacting to events that they do not find the time to develop a structured program, according to Khalid Kark, principal analyst at Forrester Research Inc 2. They view risk mitigation simply as the cost of doing business. This creates siloed initiatives that are not only unrelated to each other, but operate in response to risk, not in anticipation of risk. As a result, multiple GRC initiatives get created and are scattered across the organization with little coordination or synchronization between them. Leaders on both sides offer differing views of GRC responsibility. Many view it as a technology play, while others think of it as a business process endeavor. In reality, an effective GRC strategy consists of the right blend of people, processes and technologies working together in harmony, Kark says. Executive management needs to establish appropriate processes to govern, comply and manage risk. Only then does technology become a facilitator to gather, correlate and analyze the information from various parts of the organization and report it effectively. The financial services sector, for instance, faces some of toughest compliance requirements of any industry. Governance, risk and compliance are interrelated issues affecting these organizations. In the past, financial services firms have approached areas of GRC as silos credit, market, operational, legal and regulatory risks operated autonomously of each other. GRC is about organizational collaboration, according to Michael Rasmussen in the Compliance and Governance Digest 3. Today, financial services firms are striving to develop a more integrated GRC strategy that permeates an organization s processes, decisions and culture. That change demands the sharing of information, assessments, metrics, risks, investigations and losses, all in an effort to reduce business uncertainty and produce predictable results. Creating an optimum IT infrastructure to support GRC strategy requires these steps, according to Forrester.

4 4 Step Three: Address GRC on Two Levels The IT organization deals with GRC at two different levels, Kark says. First, it is responsible for establishing its own GRC strategy; second, it facilitates the GRC strategy of other business areas by providing them with the technology to implement theirs and bring sustainability, consistency, transparency and efficiency to business GRC functions. IT also has to manage its own GRC activities. As a functional area itself, IT has to manage a complex web of GRC demands. While the business is demanding that IT help it achieve its goals, IT also needs to manage its own aspects of GRC, including IT controls, privacy, information security, records management and business continuity. Step Four: CIOs Take the Lead Many organizations are looking to their CIOs to not only lead the IT GRC strategy, but be an integral part of the enterprise GRC activities by providing the infrastructure and application support to automate their GRC programs. However, this often results in confusion between enterprise GRC and IT GRC responsibilities. Organizations embarking upon the GRC journey should clearly distinguish one from the other by establishing a clear set of responsibilities and hand-offs. Today, corporations are starting to realize that a mishmash of redundant technologies, information and processes working in silos will lead to inefficiency, increased cost and higher risk to the organization. They have found that inefficiencies, errors and potential risks can be identified, averted or contained by defining controls and then developing enforcement and monitoring to drive process improvements. This has reduced exposure of the organization and ultimately driven better business performance. However, these business managers have found that this positive impact can only be realized if the organization has done its homework and put significant effort into developing the appropriate processes and then implementing technology to implement those processes. The Solution SAP and Novell have expanded their partnership 4 to focus on GRC issues. The partnership combines SAP s business process background, including elements from the BusinessObjects portfolio, which SAP acquired in 2007, with Novell s security and compliance expertise to provide a full GRC solution. The result of this partnership is the Novell Compliance Management Platform extension for SAP environments, which includes identity management and security management products that offer certified integration with SAP. Based on feedback from customers and partners, the companies will release a new version of the Platform in 2010 that will integrate with other products in the SAP BusinessObjects portfolio.

5 5 Together, SAP and Novell deliver agility, transparency and accountability to customers with a combined GRC offering that is unmatched in its support of end-to-end business processes and IT environments, providing quick time-to-value with certified integration and targeted solution offerings. The result is reduced risk, lower costs and improved business performance. The collaboration between Novell and SAP delivers performance not only by improving predictability, but also by automating and enforcing common controls and providing transparency to business processes across the enterprise. It also delivers assurance by lowering overall risk and increasing external and internal compliance. Users benefit from simplification by eliminating resource silos and inefficiencies and by automating the process of discovering and remediating high-risk business problems. With growing security threats and increasing regulatory oversight, companies need seamless integration of their governance, risk and compliance management solutions across the entire IT landscape, says Fiona Williams, partner, Deloitte & Touche LLP. Too many companies have created silos where audit and governance processes are duplicated at great expense in terms of both IT costs and human capital. The marriage of solutions from SAP and Novell enables companies to improve performance. Customer Focus As a highly ranked global airline, we must meet strict safety requirements in order to demonstrate regulatory compliance, said Peter Brueggemann, director, IT Technologie, and chief security officer, Deutsche Lufthansa AG. We are pleased that Novell is collaborating with SAP so that we can streamline the management of security and compliance policies across our SAP and non-sap environments. This partnership provides to us a secure way to grant employees and partners access to our enterprise systems while also reducing our risk exposure. Conclusion The most successful Governance, Risk and Compliance strategies not only address compliance demands, but also help the corporation manage risk while providing businesslevel insight throughout the enterprise. This is achieved by tightly integrating IT functions. The goal of the SAP and Novell partnership is to simplify GRC by helping companies eliminate resource silos and inefficiencies. This is done by automating both the discovery and remediation of compliance issues. In these economic times, that s more important than ever.

6 6 Sources: 1 Managing Risk for High Performance in Extraordinary Times: Report on the Accenture 2009 Global Risk Management Study. Insights/By_Subject/Finance_and_Performance_Mgmt/Risk_Management/ManagingStudy. htm 2 Forrester: The Role of Technology in Establishing a GRC Program 3 Key Characteristics of a Federated GRC Strategy, Michael Rasmussen, 4 Novell/SAP Announcement.

7 7 About Novell Novell, Inc. (Nasdaq: NOVL) delivers the best engineered, most interoperable Linux platform and a portfolio of integrated IT management software that helps customers around the world reduce cost, complexity and risk. With our infrastructure software and ecosystem of partnerships, Novell harmoniously integrates mixed IT environments, allowing people and technology to work as one. For more information, visit