Survey: IT Risk Management Matures

The IT industry as a whole still has a long way to go in terms of making the governance, risk management and compliance (GRC) process cohesive. But a survey being released today seems to indicate that when it comes to GRC, IT organizations are making some substantial progress.

The survey, sponsored by OpenPages, a provider of GRC application software, found that 28 percent of the customers surveyed were using what they described as a holistic set of applications to manage GRC, while 30 percent said they were using what they described as point products. But plenty of evidence suggests that GRC immaturity is widespread, as 43 percent of those surveyed said they still rely primarily on spreadsheets to manage the process.

Meanwhile, as IT gets more involved in GRC, the opportunity to automate the process becomes more apparent. The OpenPages survey found that 40 percent of respondents said the CIO was responsible for GRC, while 24 percent said they had a head of enterprise risk or chief risk officer to specifically manage the process. But 27 percent selected "other" on this question.

The issue that most organizations are having with GRC comes down to the cost of compliance. Too often the process of coming into compliance involves lots of expensive audits, usually performed manually by third-party auditors who get paid by the hour.

Companies such as OpenPages argue that by investing in integrated GRC management platforms, organizations will not only be more efficient in terms of actual compliance, but will also see the cost of managing the GRC process drop substantially as they sharply reduce auditor fees.

In the absence of any structured approach to GRC, however, many companies are looking to Congress for regulatory relief. But the tradeoff then becomes that as we lessen restrictions, companies have no incentive to improve their governance. Without those incentives, companies are then more likely to have lax data-security standards and inaccurate financial reporting.

In the meantime, the current administration seems bent on increasing the amount of oversight applied to just about every industry, which means the best and probably only real option available to most companies to reduce GRC costs is to streamline the process by employing more IT automation.