Keeping abreast of governance risk and compliance goals

More data is shared online every second today than was available across the entire internet 20 years ago. It is therefore no wonder that thriving in the resulting big data economy requires advanced tools, says Lubor Ptacek.

Lubor Ptacek, VP product marketing, OpenText

A new range of exciting opportunities is arising from developments in big data, but with these come new and complex challenges that we must learn how to face.

Access to information is key to corporate strategy but so is managing the risks that affect the business' fundamental activity. These risks can influence an organisation's performance, reputation and future success in today's big data economy. With organisations committing plentiful resources to the battle to protect customers and themselves from endpoint data loss and remain compliant, there are two main weapons they need in their arsenal to help achieve Governance Risk and Compliance (GRC) goals in the most effective way.

Enterprise Content Management (ECM) and Business Process Management (BPM) are two key technologies that can maximise the value of information while minimising risk - particularly when used together.

Unfortunately, many organisations are still struggling to achieve universal adoption of these tools and are not entirely satisfied with the results they are achieving. Inadequate use of the tools is likely to limit businesses' record management capabilities and translate into poorly optimised BPM and workflow.

In an effort to understand where the main problems lie, OpenText and AIIM (the Association for Information and Image Management) conducted a joint survey of 1,200 organisations. The survey was designed to find out which governance, risk and compliance goals are seen as the biggest concern to organisations and how they are currently implementing ECM, BPM and other Enterprise Management Information technologies to solve their GRC challenges and discover their limitations. An in-depth analysis of the results has led to the following conclusions.

Security and information risks

Security risks (56 percent) and information privacy risks (52 percent) were the two threats of most concern to the companies surveyed. Together with reputational (48 percent) and regulatory (42 percent) risks, these made up the top four concerns of companies tackling GRC issues.

This is understandable considering the high number of data breaches targeting big-name retailers which hit the headlines, and then the business' bottom line. PwC's recent report, the Global State of Information Security Survey: 2015, shows that organisations reported the financial impact of breaches as being up to 93 percent more costly in 2014 than in 2013.

Reputational risk

Another interesting finding of the OpenText survey was that reputational risk was twice as significant as a driver for compliance (44 percent) versus avoiding fines and penalties (20 percent).

This can arguably link back to the point on data breaches. Data breaches can have as much impact on brand reputation as poor customer service. The effects on reputation and consumer trust are long-lasting, demonstrating that cyber-security isn't merely about compliance, but instead is a core part of doing business today.

Whose responsibility?

The survey also found a very wide spread of roles deemed to “own” the GRC programme. The Legal department or a chief compliance officer (CCO) typically manages an organisation's governance, risk and compliance activities. Surprisingly however, 56 percent of the surveyed organisations reported not having a CCO.

A CCO's role is typically to establish/lead an organisation-wide compliance infrastructure. The role usually includes overseeing and reporting on performance against the organisation's compliance programme, leading investigations into compliance, identifying areas of potential risk and developing an effective compliance communication and training programme.

Managing compliance typically cuts across departments and functions, impacting many different areas. Consequently, it can be difficult to assign. However, for at least some of these organisations, the findings may be based on the respondents' lack of awareness that the role is in place – although arguably this points towards different issues.

Recurring themes

When asked about the most frustrating challenges experienced with the various GRC processes, the predominant responses were related to the multiple and disparate systems involved in managing compliance documentation: policies and procedures, and internal audit documentation, and the manual and inefficient processes supporting internal audits and approvals.

All in all, while it may seem clear for many organisations that Enterprise Information Management (EIM) software can help achieve governance, risk and compliance goals, many still have incomplete ECM and BPM implementations in place and feel unsatisfied with the results.

These findings point to the need for a central, secure repository that is the authoritative system of record for compliance-based information. This must go hand-in-hand with a desire to move from paper-based, manual processes to automated processes to reduce errors and improve visibility and efficiency. Ultimately, this will help organisations not only achieve their compliance goals, but crucially it will also help them to demonstrate that compliance has been achieved. And often, that's half the battle.

Contributed by Lubor Ptacek, VP product marketing, OpenText
