When we start to see real shifts in the world, whether it is a change in human perception (say, that the universe is expanding, or not) or something a little closer to home like the adoption of new mobile computing technologies, we naturally seek to understand the underlying drivers. What is forcing this shift? Is it one or two things, or a ‘perfect storm’ of many factors coming together? How is this going to affect or benefit me, my career, and my organization?
Here I am going to outline five ‘forcing functions’ that seem to be the ‘biggies’ underlying the Big Shift in GRC: from a static, point-in-time set of ill-aligned processes to a unified, near-real-time set of processes EMBEDDED in our business, information and infrastructure management systems. I’m very interested in your reaction to this. What other forcing functions are you seeing, and how would you prioritize these?
Forcing Function #1 Information Explosion. What is taking place in the world of information today, and the impact this is having not only on the way we manage information but also on the way we think about scaling GRC, is probably the biggest driver, IMHO.
Study after study (see this great study on the Digital Universe) has said that, even with a slowdown, we're going to create 40X more information this year than last year, and that as the economy rebounds, that growth rate will increase further.
By 2011, the digital universe will be 10x the size it was in 2006. 70% of information is created by individuals, 95% of what they create is unstructured, and 85% of that will end up managed, secured and made accessible by large entities, whether that is an external cloud, an internal cloud, or a hybrid of the two, which EMC is calling the Private Cloud. → Your “digital shadow” is larger than the digital information you actively create about yourself.
All this information needs to be scrutinized and classified for its ‘GRC profile’ and then treated appropriately to ensure compliance with business and regulatory requirements. This process has to be automated; at this volume it is simply too big a challenge to attempt manually.
Forcing Function #2 Regulatory Avalanche. It’s hard to get really good numbers on this, but all the evidence points to more and more regulation, on more and more aspects of what we do: from business practices, to information management, to the delivery of IT products and services. Not only in the US, but globally. Managing the intricacies, dependencies and conflicts is a horrendous challenge for a large, global entity. → Your organization’s “regulatory shadow” grows larger as the business expands into new markets.
Forcing Function #3 Demand for Near-real-time Transparency. This is an interesting and maybe more subtle driver. Most organizations are relying more and more on ‘key-whatever’ indicators to manage their business. With the evolution of business intelligence, business activity monitoring and technology infrastructure monitoring systems, management is getting this transparency, even though in many ways it is still Swiss cheese. The basic point is that three families of indicators are management’s first stop on the transparency quest: Key Performance Indicators (KPI), which answer the question “Are we achieving our desired levels of performance?”; Key Risk Indicators (KRI), which answer the question “How is our risk profile changing, and is it within our desired tolerance levels?”; and Key Control Indicators (KCI), which answer the question “Are our organization’s internal controls effective? Are we ‘in control’?” KRIs are tightly related to KPIs. Instead of thinking of a KPI as measuring performance, think of it as an indicator that the objective is at risk. They are really the same thing. See the previous post, Dreaming Nirvana: Beyond Compliance into Risk Analysis.
→ Your organization’s “Performance Scorecard” is converging with your GRC profile.
Forcing Function #4 Adoption of the Hyper-extended, Virtual Enterprise. This is a huge driver, fueled by the global economy and by technologies that give suppliers, partners and customers deep and intimate ‘electronic reach’ into each other’s ecosystems. Not to mention the impact of Web 2.0 social media. This adoption accelerates the scope and complexity of GRC. → Your organization’s potential for digital reach is expanding exponentially.
Forcing Function #5 Cloudburst of Virtualization.
Cloud infrastructures, which support elastic scalability and leverage virtualized resources, are increasingly provided as a service. (Here’s a good short interview on Cloud as a Service – CaaS.) The good news is that cloud users need not have knowledge of, expertise in, or control over the technology infrastructure in the "cloud" that supports them. The bad news is that we need to ensure that cloud providers are focused concretely on GRC in the Cloud. Early indications are that cloud services potentially provide even greater opportunities for better governance, lower risk and better compliance (more about that in future posts). In the meantime, if you want to follow very interesting discussions on Private Clouds, check out EMC’s Chuck Hollis blog here. → By 2011, 50% of companies will have their production environments virtualized.
So, what do YOU think? How are these forcing functions affecting you, even if you aren’t in a GRC-related role? And if you are, whether it is program management, information governance, risk, security, audit, compliance, performance management, human resources or legal, what else is driving you to stretch the boundaries of your world? How can you better leverage and prepare for the impacts of these shifts? Remember, the better educated you become, the better you can respond as these shifts occur, and the better you can add critical value to your organization.
I believe that it's possible to lose sight of business goals when one focuses too much on the minutiae. How much of the 70% of information created by individuals is truly germane to the overall business? I've seen people request reports which merely gather dust, never read or analyzed. Obviously the information contained therein was not essential to the regular operation of the business.
So while I appreciate that detailed information can be essential when addressing topics such as compliance, in many cases the level of detail requested actually interferes with running the core business. More information isn't necessarily a good thing if it's not contributing to the bottom line.
Posted by: Phil | 09/20/2009 at 10:47 AM
I agree with you that addressing Governance, Risk and Compliance as an integrated GRC makes sense. I think GRC together makes it big enough that it should get attention even in SMB (small and medium sized business) sized companies.
I also agree that your five functions are all important but I think a bigger risk facing many companies today, especially small companies – say annual revenues of $5B and less is the risk they face in maintaining or achieving any competitive advantage. It wasn’t very long ago that access to information and access to the latest technologies gave companies the ability to achieve or maintain a competitive advantage or to provide more to their customers and set themselves apart. Today technology and information are more and more commodities and as a commodity it becomes all about price, which becomes all about cost.
The list of companies veering toward bankruptcy is scary. Will GRC together have the stature and breadth inside organizations to really help?
Posted by: Vern | 09/20/2009 at 10:20 PM
Vern's comment about competitive advantage is very interesting... as experts have long extolled it as core to the business and highest up the priority ladder relative to management attention and investment, at least in the most enlightened and often most successful organizations. On an intuitive level I also agree that information and access as we know it appear now to be more of a commodity, which by definition is more context and cost related. However, research indicates just the opposite may apply here, in the disruptive environment as described.
For example, an organization that enables itself to fully virtualize, that goes through the process of aligning IT to the business and as such is able to get ahead of and use information, is, can we say (and my vernacular may be off), more efficient and agile by definition? If this is the case, it seems to me that those organizations who have transformed themselves in this regard will then have competitive advantage against the less agile competitors that have not taken these measures, at least until they also take these steps.
And then, to use the Chasm metaphor, if that is the case, one could again argue that the lag time of delaying such transformation puts organizations that choose to wait at risk of getting access to resources, which tend to be extremely limited (and much more expensive) once markets take off and tipping points or tornado conditions apply.
This dynamic then adds a perhaps surprising competitive advantage dimension to GRC, along with the other benefits noted.
Posted by: Randy | 09/29/2009 at 09:26 PM