RSA, the security division of EMC, recently sponsored a new report by the Ponemon Institute: The Role of Governance, Risk Management & Compliance in Organizations. Did you know that one of the top barriers to achieving GRC-related goals is lack of cooperation/collaboration?

It All Started with IT

A survey was given to 190 individuals who were involved in the RSA Archer eGRC Summit. The survey focused on privacy and data protection activities as they relate to business objectives/mission. Most of the respondents were at or above the manager level (47% were from financial institutions). The survey topics included:

  • Where most GRC activities take place in an organization
  • Collaboration and cooperation across GRC functional areas
  • GRC strategies in organizations
  • Barriers to implementing and achieving GRC objectives
  • Compliance challenges with privacy and data security regulations

It's interesting to note from the survey that the majority of respondents point to IT as both the starting point and the primary reason for most of their GRC initiatives.

According to Alex Bender, Director of eGRC Programs and Campaigns at EMC, GRC is about breaking down silos. He said that many organizations are expanding their GRC initiatives beyond IT and attempting to deploy strategies that are cross-domain.

Collaboration is Critical and Often Lacking

When it comes to managing enterprise risk, collaboration is critical, especially when it concerns privacy and data collection. But the unfortunate truth is that collaboration is not something many of the responding organizations do well. The report indicates that there is some degree of collaboration between finance, IT, operations and legal for GRC initiatives, but respondents still identify it as a primary barrier today.

Bender said that collaboration among domains is there, but it is the need to work together across domains that has become a barrier to many enterprise-level GRC initiatives.

The Importance of Risk Management and Privacy

Privacy-related issues are much more important to IT and legal (76% and 71% respectively) than they are to operations and finance (46% and 37%). It certainly makes sense that it's a hot topic for IT, considering this is where the applications that support the exchange of information are either built or implemented (especially when dealing with web-based or cloud apps).

However, risk management is still the biggest element of GRC initiatives, ahead of governance, compliance and privacy/data management. This is true both today and in the next three years. (Editor's note: See Making Mistakes and Poor Decisions Because of Old Risk Information.)

Key GRC Activities

There are a number of different activities that make up a GRC strategy. In this study, assessing risk (83%) is said to be the most important activity (confirmed above as well), followed by managing compliance (63%) and developing strategies (61%).

Activities considered less essential (although no less important to meeting GRC objectives) include advising the organization, training and awareness, and responding to incidents.

Strategy in Place vs No Strategy in Place

It might seem odd that having a GRC strategy in place isn't a top priority for most organizations, but that appears to be the case. Of the respondents, only 20% have a strategy for the enterprise, 47% have clearly defined strategies for specific domains, and 33% have no strategies at all. Note that we are talking about a formal strategy here.

Bender agrees that a strategy/roadmap is critical and that developing an enterprise-level strategy is a key growth area. But it will take time. Very few organizations will take on a project to develop a complete GRC strategy/initiative out of the gate. Most tend to start with something like policy management; another common starting area is vendor risk.

The key, Bender points out, is to work on one focus area, but to identify where interactions with other domains occur so that you can deal with them at some point.

And of course, technology plays a critical role by bringing together disparate systems. Solutions need to be customizable for large enterprises, but out-of-the-box solutions typically work for mid-sized organizations where staff and budgets aren't as great.

There is a lot more detail in the report that you should read if you are involved in your organization's GRC initiatives. There are likely some good stats to take to your boss to encourage further emphasis on key elements of GRC -- like privacy and risk management, and on the need for stronger collaboration across all domains. Pick up the report here (PDF).