Should You Invest in GRC Tools?
Added 1st May 2009
Article Highlights
- Last May, the Information Systems Audit and Control Association found that regulatory compliance ranked among the top-five business issues facing IT executives.
- CIOs have various routes. Some purchase governance, risk management and compliance tools, others have combined products such as office suites or accounting software.
- By implementing a GRC tool Acxiom, a global provider of information management solutions, expects to shave two days off the process of creating its monthly and quarterly compliance reports.
As economic tough times continue, there's one thing companies can count on: more regulations. For the CIO and the IT department, that will mean more time spent grappling with and monitoring a seemingly endless (and growing) mountain of data related to compliance.
How pervasive is the challenge? Last May, the Information Systems Audit and Control Association (ISACA) surveyed more than 3,000 of its members and found that regulatory compliance ranked among the top-five business issues facing IT managers and executives. In its report, ISACA notes that "regulatory compliance still operates in a 'project mode' and has not yet been embedded in business processes."
The need for compliance isn't going away. And while the choice to purchase a tool to document and automate the process is yours, the choice to follow the regulations is not.
CIOs who seek to conquer compliance issues have found various routes - and tools - to help them achieve that aim. Some have purchased governance, risk management and compliance (GRC) tools to automate the process of staying on top of rules and regulations. Others have combined products such as office suites or accounting software with strong governance and business process frameworks. Both methods can succeed in identifying compliance requirements and making sure your company is effectively following the rules. So which way should you go?
There is no black-and-white answer to the question. However, a company's size and the scope of its operations can help guide the decision, says Forrester senior analyst Marc Othersen.
Make Work Easier
A GRC tool can be an effective way to achieve compliance if your business is subject to many regulations and if the organization is spread out globally, says Othersen. Other countries have different regulations and industry standards, so a company with global operations has more rules to follow, he says. A tool can make it easier and more cost-effective for a company to comply with regulations wherever it does business.
Holly Marr, operations management organization leader at Acxiom, a global provider of information management solutions, started using CA's GRC Manager about six months ago to keep on top of approximately 900 compliance controls that the $1.4 billion (about Rs 7,000 crore) company must abide by. "Our company has been learning how to manage the process [of compliance] in the most efficient way, and the tool is a way to go," she says.
Before the tool, internal auditors manually tested the controls for each regulation, which then had to be documented and sometimes remediated. However, all this information was housed in Excel spreadsheets and other documents that needed to be shipped to internal auditors, regulators, upper management and regional offices to sign off on. Marr and her team chose CA's tool because it automatically helps them map industry-standard controls, such as the IT governance framework Cobit. It also consolidates the company's compliance data in one place. The amount of manual work required to do both these things was labor-intensive for IT, says Marr.
GRC tools often automate time-consuming manual processes, taking testing time from weeks to days, says Forrester's Othersen. Without such tools, a company might have to test manually for every regulation, which takes time, money and effort, especially if a company has thousands of servers or global IT operational processes.
By implementing GRC Manager, Acxiom expects to shave two days off the process of creating its monthly and quarterly compliance reports. Acxiom also created a central repository for all its compliance data, which helps promote transparency and may cut costs. Marr says the tool allows IT to focus more closely on important business risk factors and how to better facilitate project management and workflow.
GRC tools also significantly streamline the compliance process because they eliminate redundancies, says Othersen. For example, a company might have Sarbanes-Oxley and Gramm-Leach-Bliley Act teams testing for access controls. GRC tools can identify whether teams are doing the same tests. "Some companies have 300 teams, so they could potentially be doing the same tests and getting the same results 300 different times," says Othersen.