By Alex Bender, Director, eGRC Programs and Strategy, EMC
Those of you who know me from the world of enterprise governance, risk management and compliance (eGRC) will know that I have a particular view of eGRC, which is rooted in what I’ve learned from the hundreds of customers I’ve worked with over the course of my career. For those of you who don’t know me, I’d like to introduce myself by sharing my overall philosophy with you and giving you an idea of what I want to achieve with my blogs.
eGRC: led by technology or strategy?
There are many vendors who are using the phrase ‘enterprise governance, risk management and compliance’ as a catch-all to create a market for their technologies. Let me put my stake in the ground: eGRC can’t just be about technology. To be effective, it needs to be a tightly woven strategy for leveraging people, processes and technology to achieve business objectives.
Specifically, we’re talking about business objectives shared predominantly by four enterprise domains: IT, finance, operations and legal. Focusing on technology is not a bad approach, but is myopic when considering how people and processes across the enterprise need to be engaged in the program.
Is your organization struggling with eGRC silos?
Here are some typical indications that your organization hasn’t yet taken a strategic approach to eGRC:
If you’re in IT, do you find yourself thinking: “I’m so busy with day-to-day IT activities, I have no idea whether my role provides business value; I just hope it does”; or “I work in IT; how can I truly affect our business objectives or increase shareholder value”?
If you’re outside IT do you find yourself thinking: “the key objectives on my plate don’t pertain to IT. Sure I use systems, applications and devices; and IT is great at supporting me. But when we’re opening a new site or trying to launch a new product, IT gets in the way.”
If you’re outside IT and engaged in some form of risk management, do you believe something like: “For me to do my job in the financial risk management group, IT needs to do what IT is meant to do…serve us!”
In most cases, views like these indicate a complete disregard from senior management for the importance of investing in both top-down and bottom-up eGRC objective-setting. They reflect a lack of visibility of how the work of different business functions links together — or should link together — to drive towards the end game. They show a distinct lack of collaboration, which is a theme I’ll return to in later blogs. This is particularly evident in the view of IT having no strategic role to play in risk management, which is isolationist (and in many cases egotistical) thinking that just gets in the way of the business achieving its objectives.
Or are you doing it right?
For those of you who do know me and have already taken the initiative within your organization to transform your business, much of what I’ve just described has already been sent to the waste-basket or kicked to the corner. I know so many companies who’ve done it right and who are well on their way to true strategic and collaborative eGRC across the domains of IT, finance, operations and legal. And when we asked Ovum to research the status of eGRC across seven countries in North America and Western Europe, their results agreed.
eGRC is personal
The great thing about this approach is that the people I’ve worked with have created an amazing upward professional path for themselves and can point to their eGRC efforts as game-changing in their career. Ultimately eGRC is all about you! It’s about enabling you to have the right visibility and control so that you can make better decisions, act faster and ultimately spend less.
eGRC is about trust
I look forward to sharing with you many of my stories and will hopefully provide a forum for us to really get things out on the table. I would like this blog to be about trust. Trust between you and me. Trust that we can agree to disagree. Trust that when I’m wrong, you’ll be constructive in your feedback. Isn’t that ultimately what eGRC is all about? Trust.
EMC eGRC resources
RSA eGRC resources
Unpicking the concept of eGRC