GRC Journal - (Page 66) Tackling the Information Challenge
Governance, Risk & Compliance

GRC process. In addition, consider what can be automated since automation, whether it is done by networking, software or systems, has the ability to produce important, high-impact benefits to any GRC process. If we can determine which information can be sensed, scanned and correlated by a system, then we eliminate some of the human middleware. System automation can improve the timeliness and accuracy of the information for a more manageable GRC environment.

What is the range of projects that an organization might possibly undertake?

HR: This is what I call the “win by attraction” approach. Once you have taken the steps that Ed and John have recommended around setting framework and automating information flow, if you can solve a major problem for the organization that is visible, people will come knocking on your door to help you solve their issues. In terms of the types of projects they would undertake, it depends very much on the individual company, and the information needs that are most critical may be the information considered to be the most broken and in need of attention. For some companies, this can be just the logical financial processes to start with because of the various financial regulations that have been issued recently. For others, we see a lot more focus on product-related processes or even risk management processes across an organization that are helping senior-level executives get a better grip on the risk for their company so that they can start to drive down which projects would fall from the risk profile.

EG: We’re in the midst of an initiative that is taking a closer look at similarities across the different business units; we are trying to consolidate our information across the organization. We understand and embrace the fact that we’ve had various books of records and systems that need manual intervention to bring it up to an enterprise-wide level.
We have undertaken a huge project on consolidating everything into a single instance. That is where we are going and we are going to see an improvement in our information quality, governance, cost savings and information flow. All these benefits will occur when this happens, because we are then able to see the same information no matter what part of the world we are in. We are able to then look at it from a compliance standpoint to make sure that things are meeting the different regulations, because it is in one single instance instead of multiple instances. All of this is driving us to improve the quality of our information by consolidating our systems and applications into a more manageable environment.

Standardization is a controversial topic. So many organizations over the years seemed to have a philosophy that you had to prove the business case to standardize; otherwise, you were allowed to be different. I am seeing now that organizations are standardizing, and the new way is to have a special business case to prove there is a value to be different. Do you see an increased emphasis on standardization?

JM: Yes, and I think there are immediate benefits coming from standardization. First, standardization allows different groups to focus on the issue of chronic underinvestment in IT for GRC. If the funding and architectures aren’t there to support the GRC solutions, then the situation will not improve. When cross-functional groups support a business case based on standardization, the chances of funding the program improve dramatically. In addition, the standardization of accurate and timely information is also important. Currently, a lot of GRC information has to be interpreted by subject matter experts in order to be understood by executives and managers. It exists in systems that are difficult for most executives to interpret.
By using some of the new GRC dashboards and presentation methods, we have the ability to communicate what is actually going on in these systems to the executive and business manager, and therefore why they should continue to invest in these systems. The ability to consume and use information as opposed to it being there but not being readily accessible or understandable has to be addressed as well.

Holly, are you seeing this at SAP as well?

HR: Absolutely. We have customers coming to us who want to move to a single instance or find a way to better harmonize the data across the systems, especially for executive reporting and other critical things. We need to monitor these things in a consistent way across multiple components of the organization. They may be looking for multiple technologies, whether it is the single ERP instance or MDM capabilities.

We’ve been talking about information and sometimes people use the term “information” as a synonym for “data.” I tend to think of data as the raw stuff that you start with. The challenge then is to turn data into information and information into insight. One thing that is talked about is focus on MDM. Do you have any perspective on how important MDM is on this roadmap of projects that are undertaken?

JM: MDM is critical to GRC because it supports a concept we call the “instantly responsive enterprise,” essentially the automated sensing, detection and analysis of the information in the form of GRC events. In order to do this, a master data model is needed to be able to process and correlate the event information against the GRC policies being tested. Without an MDM for the event information, it is very difficult to create an enterprise-wide system for GRC. We also want to be able to do other things in an automated fashion, such as respond, remediate and notify the right people at the right time about an event.
For instance, you don’t want to find that you’ve had a significant data leak or information problem weeks after the event occurs. MDM is a key part of the roadmap for the instantly responsive enterprise and more effective GRC.

Many customers like to compare their performance to one another, taking MDM to a new level for an interest in common taxonomies. Is that a key factor with the increased focus on GRC?

28 Business Trends Quarterly Technology Solutions. Business Solutions.