A Better Handle
Smart CIOs are working a new priority: Greater visibility into their governance, risk and compliance efforts. Holistic approaches are helping.
By George V. Hulme
Holistic is happening. For medical researchers, a holistic approach involves considering the totality of a patient’s biological, psychological and sociological factors. For scientists, the holistic approach involves thinking of biology, sociology and psychology as complex, sometimes chaotic systems. And for CIOs, a holistic approach can help improve risk and compliance efforts by allowing them to manage various areas of risk, including regulatory, financial, strategic, operational and compliance risk.
These new approaches and solutions are needed by CIOs and their companies to gain traction in the area of risk. Further, CIOs need to integrate their compliance, security and governance efforts—the people, policies, processes and technologies—into a unified governance, risk and compliance (GRC) initiative. This holistic GRC solution can help CIOs manage their IT risk efficiently and effectively.
IT solution providers—including suppliers of network management, system management and enterprise resource planning solutions—are developing a broad range of GRC management tools. Their aim: Help CIOs to model controls and procedures, associate those controls with relevant policies and regulations, and enforce compliance across the organization. In this way, both CIOs and business executives can improve their visibility into key compliance risks. They also can determine what supporting evidence is needed to demonstrate compliance with internal policies as well as external regulations.
High Costs
The costs of GRC are substantial. In fact, market watcher AMR Research estimates that U.S. businesses spent nearly $30 billion on GRC in 2007, a nearly 9 percent increase from the previous year. Complying just with Sarbanes-Oxley cost U.S. businesses $6 billion in 2007, AMR estimates.
“The adoption of IT security, financial fraud and regulatory compliance monitoring systems has been proliferating,” says Dennis Chesley, Principal at consultants PricewaterhouseCoopers. “Organizations want to get better at adopting controls, capturing risk and governance information, and tying these systems into other parts of the company.”
That’s true whether the risks are financial, geopolitical, natural disasters, legal or those associated with IT security. And against the jeopardy associated with all of these risks, companies have put policies and technologies in place to manage and mitigate risk: identity management systems to make certain that only authorized users have access to critical IT resources; intrusion detection and prevention systems to protect against or stop breaches; backup and disaster recovery systems; and even records and file management systems as ways to mitigate potential legal liability.
Underlying the challenge of examining risk is the fact that at many companies, information about corporate policy, risk and compliance has been squirreled away in literally hundreds, if not thousands, of documents and spreadsheets. The same degree of ineffective practices may be found in how multiple teams—security, network, applications, internal audit—each review and report on identical systems and controls.
“You don’t want to have workers from the internal audit department, IT security, and the application or infrastructure teams all coming down to conduct assessments on the same sets of systems,” says Richard Ptak, Principal Analyst at industry watchers Ptak, Noel & Associates. “But that’s exactly what is happening. Internal controls and systems are being evaluated multiple times, causing a significant amount of redundant work.”
In the Beginning
Although technology certainly can be enlisted to help cut the costs of risk and compliance, it’s often not where the compliance process starts. Rather, the first step involves quantifying the organization’s level of risk tolerance. Next comes putting into place governance policies based on those tolerances. Then, the key areas of risk that need to be managed are identified. Only then is it time to build the underlying technological controls to help the organization enforce those policies.
“We often begin by helping an organization gain a better understanding of its core principles and risk tolerances,” says PricewaterhouseCoopers’ Chesley. “The idea is to gauge accurately how well its people, processes, information and technologies are aligned so we can better integrate their governance, risk and compliance efforts. Typically, there are multiple groups reporting on the same controls, and their results often don’t reconcile.”
The number of controls a large corporation must manage can be extremely high, and they often extend to every technology deployed. These include controls such as identity and access management, security event managers, disaster recovery and records-management systems. “There’s hardly an area of IT that GRC efforts don’t touch,” says industry analyst Ptak.
CA’s recent introduction of CA GRC Manager makes it possible for CIOs and other IT managers to improve fact-based decision-making and oversight of their entire portfolio of IT risks and controls. It does so by mapping and monitoring related policies, best practices and regulatory compliance requirements within a central repository of risks and controls, and through management of the ongoing execution of policy remediation efforts. “The CA GRC Manager permits companies to centrally view, analyze and manage their IT risks,” says Jacob Lamm, a CA Executive Vice President of the Governance Group. “This transparency accelerates decision-making—and makes it possible to focus first on the most pressing risks.”
Market watcher Ptak calls CA GRC Manager a suite of solutions for executing good governance and management, based on an understanding of risk, good data discovery and the potential for risk. “You have tools that enable you to define policies, apply policies, and implement and monitor the application of those policies,” he adds.
For the State of Colorado Department of Human Services (CDHS), that capability is welcome. The department’s compliance load is a heavy one: It must contend with the federal Health Insurance Portability and Accountability Act (HIPAA), various federal and state regulations, nearly 20 state cyber-security policies and a passel of other IT mandates. As Colorado’s second largest agency, CDHS has an annual operating budget of $1.8 billion, employs more than 5,000 employees and works with thousands of community-based service providers. The department also oversees the state’s 64 county departments of social and human services, including mental health and developmental disability services, the juvenile corrections system, and all state and veterans’ nursing homes.
Within CDHS are numerous IT teams, each specializing in a unique technology management area, such as network security, engineering, messaging, and network and applications. Unfortunately, coordination among these teams is sometimes less than optimal, according to Kelley Eich, Director of Technical Operations in the CDHS’s office of IT services. “At any given moment, if there’s an incident or deviation from our policy, we could have four separate teams taking action, each without knowing what the others are doing,” she explains. “When it comes to effectively and efficiently seeing and managing risks, this creates challenges.”
That’s no small management burden, considering that the agency must contend with 50 rules from HIPAA alone that govern the use of certain IT systems. To better manage these IT policies and their associated risks, CDHS earlier this year licensed CA GRC Manager. “What caught our eye,” Eich says, “is that it comes with pre-populated policies, such as those that relate to our HIPAA mandates. Having those criteria already available helps us to better manage these efforts right out of the box.” Over time, she adds, the CDHS will augment CA GRC Manager with policies, procedures and standards that are specific to its agency and business objectives.
The overall goal, Eich explains, is to streamline risk- and governance-related projects and teams, as well as to aggregate IT policies as they relate to various regulations and internal security and governance policies. “As CA GRC Manager is deployed,” she adds, “we should be able to make sure that our various departments are better focused on risk remediation, and CA GRC Manager should give us a more complete view of our risk posture at any given time.”
Streamlined Savings
The cost savings from streamlining these efforts can be considerable, mainly due to the automation of many processes associated with managing risk. For example, consider a financial services firm that needs to assess a set of its systems for compliance with laws, regulations and internal policies. The execution of such a program could be governed separately by internal IT policies, local and federal regulations, and financial industry regulations, each with a separate set of security and compliance teams. “We often get calls from risk managers or chief operating officers, explaining that their companies are conducting four to five risk and control assessments each quarter,” explains Chesley of PricewaterhouseCoopers. “Most of the assessments seek the same information, and managers want a way to stop the waste and achieve a clearer, easier way to manage these processes. That’s one of the main drivers for these types of solutions.”
GRC solutions can benefit companies in other industries, too. These solutions help compliance managers analyze and report rapidly on multiple regulations and policies, explains analyst Ptak. Also, by providing comprehensive analyses, these solutions can help managers quickly understand their risk profiles. This helps organizations to not only streamline their risk and governance efforts and cut redundant processes, but also to adapt their operations more effectively to constantly changing regulatory requirements.
But even the best technological solutions can’t work alone. CIOs and their staffs also need to change their attitudes toward compliance. Also, many CIOs now seek ways not only to unify the governance, risk and compliance efforts of their staff, but also to use the information to better manage business risks. “Many organizations consider GRC to be a competitive edge,” says analyst Ptak. “They can reduce the costs associated with governance and compliance, and they can more effectively adapt to an ever-changing risk landscape.”
Adds CA’s Lamm: “Companies that deploy effective holistic governance systems are going to run consistently better than those that don’t.” While he’s talking about IT governance, Lamm is quick to point out that the same is true when it comes to using technology to govern financial, market and many other types of risk. The end goal is a single governance solution for setting and enforcing the organizational policy for risks. For smart CIOs, that’s a safe proposition.

George V. Hulme is a Minneapolis-based freelance writer who has covered business and technology for nearly 20 years.