GRC Journal - (Page 64)

Tackling the Information Challenge

used to do this integration and correlation as a manual process. This means going into disparate systems that are at various stages of their lifecycle to access information and then correlating that information for daily, weekly, monthly or quarterly GRC reporting activity. This puts a tremendous amount of manual overhead into the GRC process. It becomes even more complicated when you actually have to correlate the information from those systems in real-time, which is much more difficult. The more systems there are, the more complicated it becomes – and at that point, it is almost a problem of geometric proportions.

You highlight a very interesting point that there is actually a tremendous amount of manual effort that is undertaken to try to turn data into information. We are using humans as the middleware because the IT architecture isn’t in a situation where you push the button and get the information you need. Holly, SAP serves tens of thousands of customers with software, and yet so many of the customers are in the situation where the production of information and the gathering of data and information is still very manual-intensive. Do you see this as an issue that your customers are looking for help to address?

HR: It definitely is an issue that our customers are asking us to address. As you mentioned earlier, the technology certainly exists. There are things like data warehouse technology, master data management (MDM) technology and document management systems. Part of the problem comes down to people in the processes as well as the lack of proper IT systems being available within the systems. There must also be a strategy in place around those systems to enforce that information is always of high quality and that everyone is working from the same source.

There is a “people in process” aspect, and what is important is the need to have someone responsible for information quality and information governance. There is only one person (CIO) that has information in their title, and they are not responsible for information quality; they are responsible for running the systems. What are your observations on the need for responsibility and clarity around the processes that relate to information?

EG: I see that as a real issue that we are struggling with every day. People need to understand that information quality isn’t IT’s responsibility; it is the user’s. Getting people to change their habits is a real challenge for us. It is extremely difficult to get the users to understand that they own the processes and information. It is their responsibility to make sure that the information is high-quality and usable.

Is it unique to any one industry segment? Is it just in the corporate world or is this something that affects enterprises of all types?

JM: This is probably one of the most pervasive issues. If there is one thing we’ve seen bubble up to the surface almost immediately, it is the proper governance of the information itself. That really has to do with security and privacy – and not just data privacy, but the policies for collective information use. If you look at any enterprise, business, government organization, and certainly any organization that reports publicly, you will find the need for complex and comprehensive security policies that go well beyond simple firewalls and access protection devices. Whether it is handling sensitive data – such as credit card transactions, social security numbers, or sensitive intellectual property – the information and the transactions must be secure.

You bring up an issue around information governance, which is the protection of intellectual property and private confidential data. Ed, on an earlier podcast that we did, we had your CIO on and I asked him what utopia would look like. One of the things that he shared with us was that he would like to know whether there had been an information breach or a violation of policy with regards to confidential or private information when it happens – not finding out six months after it happens through an audit done by people. This is something that resonates inside your organization, isn’t it?

EG: Very much so. We are looking into ways of how we can identify those types of violations to policies in more of a real-time perspective. If notification happens six months after the fact, it is too late. Good information management requires putting the processes and procedures along with the people that have the ability to do real-time monitoring. That is a very costly initiative, but it is something that is becoming more of a priority for organizations to look at and address. We are looking very closely at how we can take a proactive approach to identifying and monitoring violations as they happen, instead of after the fact.

Holly, I know you are involved in SAP’s GRC business unit, and GRC is fundamentally about information. How do you see the intersection of the process and software working to improve the availability? How do you see the aspect of real-time information in the right hands at the right place evolving over time?

HR: I think it is definitely a component of the right information at the right time and place. However, I would say that a lot of strategy needs to start with the control framework and risk management framework they want to put into place to establish their ability to manage by exception. If information isn’t of the quality that is needed or information is going to be hampered by erroneous or malicious intent on the part of a particular user, you want a system that can monitor for those situations and raise alerts very quickly to let you know that the controls framework is being violated.

26 Business Trends Quarterly Technology Solutions. Business Strategy.