GRC Journal - (Page 69) Governance, risk & Compliance is the natural evolution of having different systems implemented at their companies. We definitely see a shift with the GRC space and corporate performance management looking more toward getting the critical information out of their systems that will help them make better business decisions and drive innovation across the organization. There has been a lot more demand for dashboards, analytics, metrics and thresholds, and a lot less in terms of transaction processing capabilities. The business case for making these investments has costs involved. Historically, the challenge with a lot of technology-enabled transformation projects is that companies believe they got the cost but not necessarily all of the benefits, to be candid. The question is: Are the rewards worth the investments? Is the business case good enough for making these changes to improve your ability to produce information? EG: Yes, I do believe that the rewards are worth the investments. Looking at the instance of our ERP system, standardized processes, improved security around identity management and all of the improvements that we put toward our environment is going to lead to a huge reward. The reward is going to be more effective and efficient processes, reduced costs, a simpler architecture and information that will be readily available to people. We see a tremendous amount of rewards through this type of investment, and we are seeing a lot of this today in the initial phases that we are implementing. We continue to see this as a way to improve the bottom line of the company, while successfully managing governance and compliance risks. We believe this is a major initiative for us and we see the benefits for years to come. JM: There are two things we focus on to make sure we create a successful GRC system. The first is to describe the value that can be created or the value that can be protected by the solution. We are focused on being able to quantify to the executives what the values are, whether it is protecting value or creating value, and how we will measure it. The second part is being able to consistently report back the results over time, starting with a pilot or a small production environment that is producing value. From there, the business can take on larger, more complicated problems – but with the steady reinforcement of showing the value creation or value protection that will provide confidence so that additional investments will be made in GRC solutions. Too often investment decisions, particularly when they have IT components, are done on the basis of whether or not they will reduce the total costs of ownership. It seems as though there are some important components of a business case being missed here. One that comes to mind is more effective risk management. In terms of the business case, the reduction of risk often gets missed. What would you add in terms of the risk management component of the business case as a means to justify investments in this area? HR: I definitely think that traditional deals for IT purchases have focused mostly on “how are you going to save money for me and my organization.” Once you start to get into the risk management arena, what becomes very interesting for our customers is that risk management is not all about mitigating possible lost events or making sure you can respond to them quickly. It is also about assessing opportunities embedded within risk. Oftentimes those opportunities do end up creating value for the organization, and in many cases new revenue streams for the organization. I feel like the upside to these investments needs to be considered just as much as the cost side of it. What are your final thoughts? EG: In my mind, it boils down to a company looking at information governance as something that must be done at an enterprise-wide level. Until that happens, it is going to stay fragmented; it won’t achieve what it is intended to achieve. Companies will start to look at putting more resources, budgets and skills necessary to get this thing going at an enterprise level. They need to understand that this is an initiative that is going to impact everyone, and they must require everyone to take on the responsibility as part of their job and as part of what they should be working toward in the future. JM: It is time now to move forward in the GRC maturity model. The problems aren’t getting any simpler and they are not going to stop impacting the business. To reinforce Holly’s point, the opportunities are here for improving the business as well. So, to customers I would say, “Learn as much as you can about GRC solutions, get engaged in the dialogue with your peers, and try to move these initial projects forward so you can get the experience of knowing how these problems can be solved and how the opportunities can be created; don’t wait.” HR: I would agree that the time is now to start leveraging some of these projects and establish best practices within an organization. I would also encourage companies to do these projects in isolation, but to start to participate in other organizations so that we can establish broad standards for governance, risk and compliance. Once all companies have standards for measuring their progress on these projects, everyone will be in better shape. Ultimately, we can create competitive advantage out of more effective information governance to the extent that that is needed for your organization. I think it is critical that companies don’t put the investments off but look at how they can start to leverage them today. www.BTQuarterly.com Business Trends Quarterly 31 http://www.BTQuarterly.com
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.