When we see real shifts in the world, whether it is a change in human perception (say, that the universe is expanding, or is not) or something closer to home like the adoption of new mobile computing technologies, we naturally seek to understand the underlying drivers. What is forcing this shift? Is it one or two things, or a ‘perfect storm’ of many factors coming together? How is this going to affect or benefit me, my career, and my organization?
Here I am going to outline five ‘forcing functions’ that seem to be the ‘biggies’ underlying the Big Shift in GRC: from a static, point-in-time set of ill-aligned processes to a unified, near-real-time set of processes EMBEDDED in our business, information and infrastructure management systems. I’m very interested in your reaction to this – what other forcing functions are you seeing, and how would you prioritize these?
Forcing Function #1 Information Explosion. What is taking place in the world of information today, and the impact this is having not only on the way we manage information but also on the way we think about scaling GRC, is probably the biggest driver, IMHO.
Study after study (see this great study on the Digital Universe) has said that even with the slowdown, the digital world is going to create 40X more information this year than last year, and that as the economy rebounds, that growth rate will increase further.
By 2011, the digital universe will be 10x the size it was in 2006. 70% of that information is created by individuals, 95% of what they create is unstructured, and 85% of it will end up managed, secured and made accessible by large entities, whether through an external cloud, an internal cloud, or a hybrid of the two, which EMC is calling the Private Cloud. → Your “digital shadow” is larger than the digital information you actively create about yourself.
All this information needs to be scrutinized and classified for its ‘GRC profile’ and then handled appropriately to ensure compliance with business and regulatory requirements. This process has to be automated; the volume is far too large to attempt manually.
Forcing Function #2 Regulatory Avalanche. It’s hard to get really good numbers on this, but all the evidence points to more and more regulation, on more and more aspects of what we do – from business practices, to information management, to the delivery of IT products and services. Not only in the US, but globally. Managing the intricacies, dependencies and conflicts is a horrendous challenge for a large, global entity. → Your organization’s “regulatory shadow” grows larger as the business expands into new markets.
Forcing Function #3 Demand for Near-real-time Transparency. This is an interesting and maybe more subtle driver. Most organizations are relying more and more on ‘key-something indicators’ to manage their business. With the evolution of business intelligence, business activity monitoring and technology infrastructure monitoring systems, management is getting this transparency, even though in many ways it is still Swiss cheese. The basic point, though, is that three kinds of indicator are management’s first stop on the transparency quest: Key Performance Indicators (KPIs), which answer the question “Are we achieving our desired levels of performance?”; Key Risk Indicators (KRIs), which answer the question “How is our risk profile changing, and is it within our desired tolerance levels?”; and Key Control Indicators (KCIs), which answer the question “Are our organization’s internal controls effective? Are we ‘in control’?” KRIs are tightly related to KPIs. Instead of thinking of a KPI as only measuring performance, think of it as an indicator that the objective it measures is at risk: a KPI trending away from its target is itself a KRI for that objective. They are really the same thing. See the previous post on Dreaming Nirvana: Beyond Compliance into Risk Analysis.
→ Your organization’s “Performance Scorecard” is converging with your GRC profile.
Forcing Function #4 Adoption of the Hyper-extended, Virtual Enterprise. This is a huge driver, fueled by the global economy and by technologies that give suppliers, partners and customers deep and intimate ‘electronic reach’ into each other’s eco-systems. Not to mention the impact of Web 2.0 social media. This adoption accelerates the scope and complexity of GRC. → Your organization’s potential for digital reach is expanding exponentially.
Forcing Function #5 Cloudburst of Virtualization.
Cloud infrastructures, which support elastic scalability and leverage virtualized resources, are increasingly provided as a service. (Here’s a good short interview on Cloud as a Service – CaaS.) The good news is that cloud users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. The bad news is that we then need to ensure that cloud providers are focused concretely on GRC in the Cloud, because the user no longer controls the infrastructure on which those governance, risk and compliance obligations rest. Early indications are that cloud services can potentially provide even greater opportunities for better governance, lower risk and better compliance (more about that in future posts). In the meantime, if you want to follow very interesting discussions on Private Clouds, check out EMC’s Chuck Hollis blog here. → By 2011, 50% of companies will have their production environments virtualized.
So, what do YOU think? How are these forcing functions affecting you, even if you aren’t in a GRC-related role? And if you are, whether it is program management, information governance, risk, security, audit, compliance, performance management, human resources or legal – what else is driving you to stretch the boundaries of your world? How can you better leverage and prepare for the impacts of these shifts? Remember, the better educated you become, the better you can respond as these shifts occur, and the better you can add critical value to your organization.