GRC seen as a major stumbling block for businesses, as report states that a proactive stance will save problems

News by Dan Raywood

Almost three-quarters of businesses are finding that regulations and fear of reputational damage are stifling innovation.

Research on Governance, Risk Management and Compliance (GRC) by su53 Solutions found that while innovation is a critical growth strategy for many companies, it is also a significant cause for concern.

Martyn Proctor, managing director at su53 Solutions, told SC Magazine that there is a general paralysis of fear when it comes to risk and there is a concern that things will be stolen and everyone gets paranoid. “It is paralysing and clever companies will do something brave and risky but know how to manage it. They will get somewhere, those worried about fines and regulations will find themselves with problems,” he said.

“If you do risk management on all new initiatives, do plans for a couple of hours but nothing happens and embed it in everything you do, if something changes and you can do something about it. Feedback is embedded in business and risk management is a lively thing and in whatever you do, ask what is it that would worry you? You put in process something that tracks that.”

The research also found that a large number of CIOs indicated that employees in their organisation would turn a blind eye to GRC in order to prevent a loss of productivity, with 69 per cent of workers in enterprises saying that they would temporarily give their colleagues their computer login details without the approval of IT, thereby bypassing GRC controls.

Asked if businesses should be more proactive rather than reactive with policies, Proctor said that most companies have a plan but most systems are proactive and real-time and are integrated with the way business works.

“You want IT systems to be configured to alert an adverse situation and flag it to you. You can put in biometrics but that is another layer of control and more expense, all of the technology is there but you do not want to get too big brother-ish over your employees, but it comes down to risk management and whether you are moving gold bars or paper clips.”

Proctor said that there is a climate of fear with GRC whereby the majority of controls implemented by enterprises are reactionary measures that create more problems than they address.

He said: “Problems often arise because of a lack of coordination creating a high degree of complexity around GRC. However, we have found that GRC actually empowers businesses to explore exciting new avenues for growth, safe in the knowledge that they have a framework for identifying, measuring and mitigating associated risks.

“Auditors know all too well the concept of ‘conflict’ where they are not permitted to both audit a business and provide GRC services to help manage risk, so will show no mercy if they find others getting away with it. Blind spots such as these can result in huge fines and naturally cause significant reputational damage for the organisation. The major insight this study highlights is that corporate reputation and GRC strategies today are completely out of sync.”

