Companies with “mature” IT governance, risk, and compliance regimes have happier customers, make more money, and suffer fewer data-related disasters.

To some extent, that sounds self-evident: If you’re a good company, you’re probably adept at many things, GRC being among them. But now, the fruits of GRC maturity have been statistically quantified.

In the IT Policy Compliance Group’s most recent annual report, a survey of 558 companies ranked only 12 percent as having “mature” GRC systems. That select group, however, also enjoyed 7 percent higher profits, 9 percent greater customer satisfaction rates, and far smaller financial losses from customer data theft than middling performers, the report found.

So if “mature” GRC systems bring such regal rewards, why do so few companies attain that success? And what exactly is “mature” IT GRC, anyway?

Jim Hurley, managing director at the IT Policy Compliance Group, says the survey defines GRC expertise based on the five levels of skill spelled out by the Capability Maturity Model, ranging from “initial” to “optimized.” Hurley (who conducted the survey) placed 20 percent of respondents in the lowest group, with only an ad-hoc approach to GRC. Sixty-eight percent ranked in the middle three tiers, and the remaining 12 percent have mature GRC.

His work jibes with the findings of the IT Governance Institute’s most recent “IT Governance Global Status Report,” in which 8 percent of nearly 750 respondents counted themselves among the elite, while 76 percent fell in the middle.

Everett Johnson, past international president of the IT Governance Institute, says getting to mature GRC is about more than just aligning IT and business goals, using frameworks such as COBIT or ISO standards to manage risk and gaining support from senior management and users. Even average performers are doing that these days, he says.

Rather, optimized GRC hinges on measuring performance and, most importantly, incorporating lessons learned about weak governance back into IT and other processes, he says.

Hurley lists several other traits of mature IT governance: deeper involvement by management and by the audit committee, a “culture of compliance,” improved IT risk assessments, data protection, and regular IT auditing. Companies with mature GRC systems have solid regimes for data security and change control; they base control objectives on business risk, and then employ three times as many controls as objectives. Half the controls are technical, and all of those are automated, Hurley says.

Ultimately, mature GRC is “measuring things and reporting on them very thoroughly,” Hurley says. Such companies “are just assiduous about quality control.” Indeed, he adds, when he presses those top-tier companies about exactly how they govern themselves, they say things like: “Yeah, we’re doing compliance and yeah, we’re doing governance, but what we’re really doing is continuous quality control.”

Getting to Quality Control

The point of quality control is to improve IT, and more broadly, business processes as a whole, says Jeff Weber, a managing director at consulting firm Protiviti. “You need to have well-run processes, and those well-run processes drive performance and enable better risk management and compliance,” he says.

Top-performing companies may apply COBIT and other frameworks in different ways, but certain elements are constant, Weber says. For example, he says, Protiviti has never seen a top-performing company that allows developers to promote “code to production,” which is the IT department’s equivalent of letting the same person request and approve travel expenses.

That attention to the process of IT governance delivers value early on, and consequently wins the backing of top management, Weber says. “If you’re not delivering value to the business in the short term, they’ll lose patience over time,” he adds.

Auditors also play an important role in IT GRC, says Heriot Prentice, director of technology practices at the Institute of Internal Auditors. Internal auditors help define and refine controls to help ensure that whatever the IT department installs actually works as it should. “You can have the best controls in the world and if they’re not implemented correctly, they won’t do the job,” Prentice says.

Prentice says any link between good IT governance and healthy performance is at least partly a matter of efficiency. “If you run a tight IT organization, you’re not firefighting. You’re not doing rework. You’re more proactive, more coordinated,” he says. “You can focus and be more efficient.”

Joe Atkinson, a GRC specialist with PricewaterhouseCoopers, says organizations with mature GRC systems take a holistic view of risk, in which IT is only one component (albeit a vital one) of a much bigger picture. Adding IT controls when a new regulatory requirement emerges (Sarbanes-Oxley or PCI data privacy standards, for example) can be unavoidable, he says, but the key is to observe how such controls improve the company’s overall management of compliance and risk. Doing so requires an integrated view of risk.

That doesn’t mean companies enjoying the fruits of mature GRC systems all employ enterprise-wide governance and compliance systems, Atkinson says. “But if you go to a particular geography or to a business unit or an individual executive’s plan, you’re going to see an explicit discussion of risk and how the response will be managed.”