Today’s increasingly complex business landscape is matched by an increasingly challenging governance, risk management and compliance (GRC) landscape. U.S. multi-national companies are faced with a bewildering array of international, U.S. federal and state regulations, depending on the nature of the company’s business. These regulations can include the EU privacy directive, the Basel II Accord, the USA Patriot Act, the Sarbanes-Oxley Act, HIPAA, the Gramm-Leach-Bliley Act, DoD 5015.2 and various state data security laws, among others. No wonder that GRC efforts reportedly absorbed more than 10 percent of the average CFO’s time in a group of companies in one survey. Further, as a result of the current credit crisis, it is anticipated that a wave of new U.S. federal and state legislation is about to be issued that will require financial institutions to dramatically increase their record-keeping, audit and reporting functionality in order to provide more transparency into their day-to-day operations.
Unfortunately, many companies respond to this GRC challenge by purchasing or developing one-off point solutions designed solely to satisfy the requirements of individual regulations. This could end up being penny-wise but pound-foolish. It has been reported that companies relying on one-off GRC solutions will spend 10 times more than they would if they had developed reusable GRC solutions that could satisfy multiple regulations. This suggests that IT departments can act as a leader in the GRC space by helping to identify multipurpose GRC solutions in order to reduce total cost of ownership and increase return on investment for GRC expenditures, to the benefit of the company.
Even if you are not directly involved with your organization’s GRC efforts, you might at various times find yourself involved with IT, financial, business or other initiatives that indirectly involve GRC issues. As part of that project team, you might wish to ask yourself whether you would be able to answer the following questions:
In order to cope with these new business and regulatory challenges, you might want to consider adopting a “holistic” GRC approach that can help you develop multi-purpose, reusable GRC solutions. See our next blog for ideas for dealing with these challenges.
Jeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified before the US Senate regarding the law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SCCE).