Don’t we all work for the same company? – Part 1

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Have you ever been in a situation of having to ask yourself: ‘Don’t we all work for the same company? Why can’t we work from the same playbook, speak the same language and head in a similar direction that gets us closer to the destination we’re all supposed to be aiming for?’

IT vs. Legal? Operations vs. IT? Finance vs. Legal?

Collaboration between divisions within an organization has never been more necessary. In fact, why do we call them divisions? It’s a divisive word; we should call them ‘unification departments’ and put people in charge of doing just that: unifying!

Why is unifying so important? Let’s take the example of information privacy. In a recent survey by the Ponemon Institute that polled over 190 eGRC professionals, it was found that the number-one owner of privacy issues in companies is the legal team, with IT coming in a close second. It was also found that collaboration is the number-one issue organizations have when setting out to achieve a goal or execute against a program such as privacy. Given the importance of such programs today, it’s never been more important for the teams that play a major role in achieving them to collaborate.

There are four key business domains that need to work together systematically to achieve eGRC objectives: IT, legal, operations and finance. Let’s stay with the issue of privacy to see why this is the case. I’ll cover legal and It in this blog; operations and finance tomorrow.

IT caught in the headlights

Think of any recent data breach to hit the headlines. The initial focus of news stories is on the number of people whose personal information has been leaked, the type of information leaked, and the technological or process failures that allowed the breach to happen (a security loophole exploited by hackers, third-party vendor negligence, a lost computer or other device holding data).

Internally, most of the initial action will probably occur in the IT and legal departments. Even if the breach isn’t a compromise of network defenses — maybe it’s due to an employee losing a backup tape or someone in operations inadvertently sending customer information to the wrong recipient — the incident may well highlight a failure of IT security policy and will have the department scrabbling to identify what happened and pull out all the stops to fix it and ensure that it doesn’t happen again.

Legal under the spotlight

Either in the same breath as reporting the breach, or immediately after, the news will be full of calls for more to be done to protect people’s rights to privacy. Opinion pieces will focus on how this breach will drive further regulatory activities relating to data protection and breach notification in the relevant country/ies or industry.

Internally, IT finds that it can’t just focus on the breach from a technological, process or policy point of view, but needs to be able to help the legal team figure out what’s happened from a compliance perspective and how the company must legally respond. As well as responding to regulators, legal teams will increasingly find that they need to defend their organization against official sanction as governments start issuing fines for data breaches. The legal ramifications of the incident may last for years as it becomes more and more common for lawsuits to be filed on behalf of individuals whose privacy has been compromised during a breach.

Further reading:
The Ponemon Survey

Next time:
Part 2 of ‘Don’t we all work for the same company?’

What have years of exploring eGRC taught us?

By Alex Bender, Director, eGRC Programs and Strategy, EMC

Those of you who know me from the world of enterprise governance, risk management and compliance (eGRC) will know that I have a particular view of eGRC, which is rooted in what I’ve learned from the hundreds of customers I’ve worked with over the course of my career. For those of you who don’t know me, I’d like to introduce myself by sharing my overall philosophy with you and giving you an idea of what I want to achieve with my blogs.

eGRC: led by technology or strategy?

There are many vendors who are using the phrase ‘enterprise governance, risk management and compliance’ as a catch-all to create a market for their technologies. Let me put my stake in the ground: eGRC can’t just be about technology. To be effective, it needs to be a tightly woven strategy for leveraging people, processes and technology to achieve business objectives.

Specifically, we’re talking about business objectives shared predominantly by four enterprise domains: IT, finance, operations and legal. Focusing on technology is not a bad approach, but is myopic when considering how people and processes across the enterprise need to be engaged in the program.

Is your organization struggling with eGRC silos?

Here are some typical indications that your organization hasn’t yet taken a strategic approach to eGRC:

If you’re in IT, do you find yourself thinking: “I’m so busy with day-to-day IT activities, I have no idea whether my role provides business value; I just hope it does”; or “I work in IT; how can I truly affect our business objectives or increase shareholder value”?

If you’re outside IT do you find yourself thinking: “the key objectives on my plate don’t pertain to IT. Sure I use systems, applications and devices; and IT is great at supporting me. But when we’re opening a new site or trying to launch a new product, IT gets in the way.”

If you’re outside IT and engaged in some form of risk management, do you believe something like: “For me to do my job in the financial risk management group, IT needs to do what IT is meant to do…serve us!”

In most cases, views like these indicate a complete disregard from senior management for the importance of investing in both top-down and bottom-up eGRC objective-setting. They reflect a lack of visibility of how the work of different business functions links together — or should link together — to drive towards the end game. They show a distinct lack of collaboration, which is a theme I’ll return to in later blogs. This is particularly evident in the view of IT having no strategic role to play in risk management, which is isolationist (and in many cases egotistical) thinking that just gets in the way of the business achieving its objectives.

Or are you doing it right?

For those of you who do know me and have already taken the initiative within your organization to transform your business, much of what I’ve just described has already been sent to the waste-basket or kicked to the corner. I know so many companies who’ve done it right and who are well on their way to true strategic and collaborative eGRC across the domains of IT, finance, operations and legal. And when we asked Ovum to research the status of eGRC across seven countries in North America and Western Europe, their results agreed.

eGRC is personal

The great thing about this approach is that the people I’ve worked with have created an amazing upward professional path for themselves and can point to their eGRC efforts as game-changing in their career. Ultimately eGRC is all about you! It’s about enabling you to have the right visibility and control so that you can make better decisions, act faster and ultimately spend less.

eGRC is about trust

I look forward to sharing with you many of my stories and will hopefully provide a forum for us to really get things out on the table. I would like this blog to be about trust. Trust between you and me. Trust that we can agree to disagree. Trust that when I’m wrong, you’ll be constructive in your feedback. Isn’t that ultimately what eGRC is all about? Trust.

GRC Resources:
EMC eGRC resources

www.emc.com/grc
RSA eGRC resources  

http://www.rsa.com/node.aspx?id=3732

Next time:
Unpicking the concept of eGRC