One of the bigger challenges that most companies struggle with is that when it comes to governance, risk management and compliance, the finance and IT departments are worlds apart.
When it comes to GRC, the finance department is looking to its application vendor for GRC products and services. The IT department, on the other hand, traditionally looks to providers of IT management tools and services. Alas, the providers of these tools are rarely the same companies, so customers wind up with a discombobulated approach to GRC.
Not only does this create a fair amount of additional expense, it can create more GRC problems in that application and system management vendors rarely have the level of integration necessary to provide an end-to-end approach to GRC.
As the CEO of Agiliance, a provider of a GRC platform that continuously monitors applications and the underlying systems on which they run, Joe Fantuzzi says that not only do customers need a comprehensive approach to GRC, they should also demand that their GRC products be open. To that end, Agiliance founded OpenGRC, a consortium of companies dedicated to promoting open GRC standards.
In the absence of such standards, Fantuzzi says most customers will see individual vendors ink integration alliances around various proprietary solutions. But rather than waiting for that to happen and then bearing those integration costs, Fantuzzi is challenging the entire GRC industry to support open standards that will reduce overall costs.
For example, when the Agiliance products identify a risk, the system will automatically patch any affected system based on the policies and priorities set by the IT department. But that capability should not only work within a single vendor's GRC environment. GRC workflow processes need to be extended to any number of systems management and GRC tools without requiring specialized services that ultimately cost the customer more money in consulting fees.
What Fantuzzi is really driving at is that one of the reasons that business leaders complain so much about GRC is all the costs associated with meeting any number of regulations. But as Fantuzzi notes, many of the costs are artificial in that if the GRC systems were truly open, the cost of extending GRC controls and policies would be dramatically less than it is today.