GRC Journal - (Page 65) Governance, Risk & Compliance

There are many types of information, and one of the questions that I hear most often is, “How should we govern information?” “Who should be responsible for the information strategy as opposed to the IT strategy?” The importance of having governance puts us in a situation where no one is responsible, but everyone is responsible. What are your thoughts?

EG: We need to establish an enterprise-wide view of governance. What I see is that everyone looks at this as a piecemeal approach. With IT governance, you have the Chief Privacy Officer focused on privacy, a Chief Security Officer focused on security and a variety of people in charge of various compliance areas. To me, it is an enterprise-wide approach that needs to be created. In a sense, senior management needs to put together an enterprise-wide governance organization that addresses all of these factors and can take them in as a whole, while understanding the risks. We are looking to figure out how to do this at our company, and we see it all the time with our customers as well. That’s really what is new here: taking it up to that level and figuring out what the information needs are in order to run the enterprise as opposed to an individual function, business unit or geography.

I hear part of what you are saying is that we need to involve multiple stakeholders in the governance. Is that a conclusion that you’ve come to?

EG: Exactly, and it’s a conclusion that a lot of our customers are coming to as well. Frankly, I don’t think this is much different than it was 15 or 20 years ago when we were looking at security or various other compliance areas, such as privacy. Now we are looking at governance from an enterprise-wide perspective and it’s just an evolution that everyone goes through. There are many barriers to this transition, including changing the culture inside an organization and instilling ownership for information quality with every employee. Eventually we’ll get there, but it will definitely be painful along the way.

Where should the responsibility sit, and how can we get accountability for information governance?

JM: I think the most successful programs start by establishing a GRC framework so that the decision-makers have a common language and common information structure for policy management. I’m not talking about an IT structure, but rather an operating framework that allows the process owners to maintain overall governance for their business or function while coordinating across systems to comply with specific or multiple regulations. If there is a GRC framework with a common language and process, then multiple functions can agree on the set of policies that must be enforced across the enterprise and how the information will be shared. Otherwise, it is nearly impossible for the IT organizations to know what they actually have to design and implement to support the GRC systems. Currently, all of the lines of business or functions have their own applications and system process silos. However, once the framework is established, the participating functions can come to closure on how information will be managed and who will be responsible for the information at various points in the process. Then IT can build or integrate the GRC systems in a more holistic way.

HR: I agree with the fact that the owner must be a cross-functional owner who is coming from the business side so that they can understand the business needs to guide the CIO’s organization as to what to build. Our research has shown that though different companies are organized, there is an ascendancy of the CFO into the No. 2 position in the organization. Effective CFOs start to become the steward of key information that helps the lines of business make effective decisions to grow the company. It seems like the logical person that this fits under would be the CFO. Clearly, the CFO can’t do it without the CIO, so they will have to work hand-in-hand. However, I see the CFO leading the initiative with the advice and guidance of the CIO.

We are seeing that as well. Among the senior executives, the CFO has the best position to have an interest in multiple types of information. While it needs to be multifunctional, the CFO may be playing the role of catalyst, if nothing else. I think we all agree that there is a pervasive challenge, and I think that through our work with our customers in our own organizations, there is a desire to improve the ability to produce the information we need as well as the quality of the information. What types of things are on the roadmap to improve information governance? What should people look to do first?

EG: The way I would approach it is to start with an assessment to initiate the project, understand the scope, set objectives and define the business drivers. From an enterprise-wide level, we need to have an understanding of what we are trying to accomplish; policy and procedure, and risk assessment are all critical components to understanding the requirements of the organization, and each stakeholder has a different and siloed view. They all need to come together into one single strategy. I don’t think people have a good understanding of an enterprise-wide perspective. They are familiar with individual silos, but not how they are all interrelated.

JM: Once you have the problem scoped to a GRC issue that will have a high impact to the business or the organization, the next set of steps is to start identifying the information and the owners of that information that are critical to this