Why data is the force which hits hard in GRC

Having a strategy around governance and risk is vital
Informatica regional sales manager Richard Jones

It’s not easy to predict today’s complex, changing business climate. Organisations face unprecedented numbers of legal, regulatory, and business policy directives, as well as value chain requirements that affect nearly every aspect of their operations. The question is, in a regulated environment, how can organisations control risk, manage it effectively, drive business performance, and ultimately inspire greater stakeholder confidence?

Many organisations are taking a broader, more integrated approach to managing inter-related strategic planning activities and business risks. Essentially, this approach is an evolution toward an integrated program of governance, risk and compliance (GRC) and away from the current fire drill method of channelling precious resources and management attention to address specific regulatory mandates in isolation from each other.

Achieving a unified GRC strategy is tricky. Organisations need to find the information, cleanse it, pull it together and trust the information.

That’s where having a strategy around data for GRC is vital. Aligning people, processes and technology with the definition of standards for enterprise GRC, and with the data itself, helps an organisation with:

- Improved visibility and transparency into GRC activities, based on complete and trusted information.
- Increased business agility and reduced risk through real-time data.
- Reduced cost of producing timely and trusted data for GRC, while improving business efficiency.
- Satisfying regulatory data audit and documentation requirements.
- Cost-effective compliance with industry data definitions and formats.

Trends in GRC

Governance, risk and compliance are no longer the exclusive domain of those trying to solve the Sarbanes-Oxley riddle. Organisations in all industries have matured their perspective on GRC and are expanding their initiatives to encompass an integrated, enterprise-wide view of risk management and compliance.

It’s an issue that Forrester refers to as “risk ignorance”. In a recent report, “Demystifying Enterprise Risk Management,” Forrester argues that risk ignorance results in the “iceberg of risk”, where the full risk exposure of the organisation is underwater and cannot be seen.

In one study, Deloitte found that 50 percent of the largest companies globally lost 20 percent or more of their share price in less than a month. This was due to multiple risk factors across the organisation combining to pose a greater threat than the company was aware of, i.e. risk ignorance.

The trend has been one of convergence: historically distributed GRC practices are now coming together as a cohesive, enterprise-wide initiative. This convergence is being fuelled by an increase in risk and regulatory pressures that affect companies at an enterprise rather than a departmental level. Ultimately, the personal risk faced by directors is driving change and investment.

There is recognition from the business that improved data management processes are a prerequisite for the implementation of an enterprise-wide GRC strategy. Organisations, by engaging domain experts, need to develop a comprehensive understanding of the enterprise's information needs and risks and then develop a structured holistic approach for managing this data.

Why data is at the heart of GRC

Clearly, data matters in GRC. Research by PwC highlights a profound gap between the clear understanding that data is valuable versus the real-world usage of that data in delivering value. Over 70 percent of executives polled consider data to be one of their most valuable assets. By closing this gap, organisations can generate more value from the data and fulfil their GRC objectives.

Comprehensive, trusted, and timely data is essential for organisations to effectively manage GRC in today’s economy. Globalisation and outsourcing—together with investments in cross-enterprise systems and applications—have created a sea of data that exists in many different forms and resides in various systems within and outside the organisation. Data used for GRC does not just live in databases or applications; much of today’s business data lives in unstructured formats such as PDF and PowerPoint files.

Any investment made in data processes is effectively redundant if the data is not of a quality that decision makers can trust when using it for governance, risk management or compliance. Data quality issues such as completeness, conformity, consistency, duplication, integrity and accuracy plague every organisation today. Low-quality data is introduced into systems via data capture and processing errors, data migrations and system consolidations. Companies must be confident in their data quality and have the right tools, people and processes in place to meet the organisation’s GRC goals.

Timely information is equally important. The cost of producing timely and trusted data to support GRC can be much higher without the right technology, organisation, processes, and policies. Data used for compliance and risk is often in complex formats that require standardisation and formatting so it can be used correctly.

Lastly, in the world of compliance, many regulations — including Sarbanes-Oxley and Basel II — require organisations to have comprehensive documentation and reporting on how data is generated, processed, delivered and used in the enterprise. Companies out of compliance with regulators face significant penalties or, in the case of Basel II, must hold higher capital reserves as backing for the loans they make to customers. Many compliance regulations require companies to implement data quality scorecards to demonstrate that the underlying data is of high quality and fit for purpose.
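To make the six data quality dimensions named above and the idea of a scorecard concrete, here is an added example (not from the article, and not Informatica's product code) that scores a set of constructed customer records on completeness, conformity, consistency, duplication, integrity and accuracy, then flags the dimensions that fall below an agreed threshold. The record layout, format rules, reference tables, registry and 90 percent threshold are all assumptions made for the illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample customer records (not from the article) of the kind a
# GRC data-quality scorecard would be run over before a risk report is built.
RECORDS = [
    {"id": "C001", "name": "Acme Ltd", "country": "AU", "abn": "51824753556", "balance": "1200.50"},
    {"id": "C002", "name": "Acme Ltd", "country": "AU", "abn": "51824753556", "balance": "1200.50"},
    {"id": "C003", "name": "", "country": "NZ", "abn": "12345678901", "balance": "300.00"},
    {"id": "C004", "name": "Bolt Pty", "country": "Australia", "abn": "9876", "balance": "abc"},
    {"id": "C005", "name": "Cable Co", "country": "XX", "abn": "12345678901", "balance": "-50.00"},
]
REQUIRED = ("name", "country", "abn", "balance")
# Assumed format rules: ISO-style 2-letter country, 11-digit ABN, 2-decimal amount.
FORMATS = {"country": r"[A-Z]{2}", "abn": r"\d{11}", "balance": r"-?\d+\.\d{2}"}
VALID_COUNTRIES = {"AU", "NZ"}  # constructed reference table for the integrity check
ABN_REGISTRY = {"51824753556": "Acme Ltd", "12345678901": "Cable Co"}  # constructed source of truth


def scorecard(records):
    """Return each data-quality dimension as the fraction of checks passed (0.0 to 1.0)."""
    n = len(records)
    # Completeness: every required field is populated.
    filled = sum(bool(r[f].strip()) for r in records for f in REQUIRED)
    completeness = filled / (n * len(REQUIRED))
    # Conformity: values match the agreed format for their field.
    ok = sum(bool(re.fullmatch(p, r[f])) for r in records for f, p in FORMATS.items())
    conformity = ok / (n * len(FORMATS))
    # Consistency: all records sharing an ABN carry the same name.
    names_by_abn = defaultdict(set)
    for r in records:
        names_by_abn[r["abn"]].add(r["name"])
    consistency = sum(len(names_by_abn[r["abn"]]) == 1 for r in records) / n
    # Duplication: share of records that repeat another record's content (id aside).
    keys = Counter(tuple(r[f] for f in REQUIRED) for r in records)
    duplication = sum(c - 1 for c in keys.values()) / n
    # Integrity: the country value must exist in the reference table.
    integrity = sum(r["country"] in VALID_COUNTRIES for r in records) / n
    # Accuracy: the name agrees with the trusted registry entry for that ABN.
    accuracy = sum(ABN_REGISTRY.get(r["abn"]) == r["name"] for r in records) / n
    return {"completeness": completeness, "conformity": conformity, "consistency": consistency,
            "duplication": duplication, "integrity": integrity, "accuracy": accuracy}


def failing_dimensions(scores, threshold=0.9):
    """List the dimensions below the agreed threshold; an empty list means fit for purpose."""
    # Duplication is a defect rate, so it is inverted before being compared.
    return sorted(d for d, v in scores.items() if (1 - v if d == "duplication" else v) < threshold)


if __name__ == "__main__":
    for dim, value in scorecard(RECORDS).items():
        print(f"{dim:13s} {value:.0%}")
    print("below threshold:", failing_dimensions(scorecard(RECORDS)))
```

On the constructed records only completeness clears the 90 percent bar, which is the kind of evidence a scorecard is meant to surface before the data is used for a regulatory submission.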

Richard Jones is Informatica’s ANZ regional sales manager.