Manage risk by keeping compliance information in one place, advises Stephen Hall.
Businesses are increasingly recognising the futility of addressing compliance requirements in isolation, yet most companies are still failing to create an integrated approach to the disciplines of governance, risk and compliance (GRC).
In fact, 95 per cent of UK companies are unable to identify even their 25 most critical business processes and the assets that support them, let alone the financial, operational and legislative consequences of a compromise in any one of them. Instead, piecemeal policies that address each regulation in turn result in duplication, confusion and wasted skilled resources.
Few organisations ever achieve their compliance goals. Many simply believe, or hope, that business continuity and compliance processes are in place, but only a small minority hold the real information needed to justify that assumption. The much-vaunted board-level compliance reports are therefore inevitably based on guesswork, leaving organisations exposed to rapidly increasing business risk.
Furthermore, each new compliance requirement - such as the new security standards imposed on high-tier merchants by Visa and MasterCard - demands another big investment. Yet these organisations will have collected much business continuity, compliance and asset information over the past few years in response to extensive regulatory change.
It should, therefore, be straightforward to reuse that data to demonstrate compliance with any new standard. Unfortunately, because the information was gathered piecemeal, policy by policy, it is rarely structured in a way that allows this, and reuse becomes much harder than it needs to be.
Organisations increasingly recognise the overlap between these standards and are looking to create some form of consistency with an all-encompassing set of security policies and procedures; often referred to as convergence. Yet the creation of these tailored processes alone can take years.
Simply writing the standards does not bring an organisation any closer to better risk management. Without a consolidated approach to collecting and analysing the underlying information, each new standard will demand fresh investment to support.
If organisations are to achieve consolidated GRC activity, they need a single tool for collating and analysing critical information across the entire business. This means a single source of information to support the disciplines of asset management, business process and impact analysis, business continuity, incident and document management.
Furthermore, the use of email and/or text alerts can ensure managers across the organisation respond rapidly to potentially compromising incidents, such as cases of racial abuse, theft or damage to company assets. The information can be used to assess trends in incidents, enabling faster introduction of new strategies - such as staff training - to mitigate the business risk.
By distributing the capture of compliance information across the organisation and consolidating it centrally, management moves from guesswork about operational compliance to a real-time understanding of risk exposure.
Various standards have been created over the past decade to minimise corporate risk, yet in too many cases organisations simply cannot implement these standards due to a lack of accurate information.
There is growing recognition that, with little or no co-operation between those tasked with GRC, companies are missing a big opportunity to exploit the commonality between standards and drive down the cost of achieving compliance. The real value, however, can only be realised by providing an effective framework for collecting information and using it to support proactive risk management across the entire global operation.
Organisations must evolve beyond box-ticking compliance activity. Creating a risk management strategy that provides real-time understanding of the financial, operational and legislative implications of security incidents will help UK boardrooms finally prove that their organisations can deliver tangible value.