Mitigating financial risk


SOX, HIPAA, Basel II, CobIT – the alphabet soup of industry and government regulations regarding information security seems to get bigger each year. For today’s enterprises, meeting the requirements of a variety of technical standards, IT governance frameworks, and laws related to security and administration has become a considerable challenge.

Business units, IT and legal are constantly tasked with improving efficiency and each year they are asked to “do more with less.” Compliance is the thorn in the side of enterprises – both large and small. Ernst & Young recognises regulatory and compliance risk as the greatest strategic challenge facing leading global businesses in 2008 (“Strategic Business Risk 2008 – the Top 10 Risks for Business,” November 2007).

Channel partners play an instrumental role in helping customers comply with external regulations, internal company policies, and industry standards. IT departments and their channel partners have taken a central role in this process and are charged with providing a holistic view of risk and compliance across the entire organisation.

IT Risk and Compliance

IT Governance, Risk and Compliance (IT GRC) is about striking an appropriate balance between business reward and risk. It encompasses delivering greater business value from IT strategy, investment and alignment, as well as conforming with the organisation's own policies and with its external legal and regulatory compliance mandates.

Primary benchmark research conducted by the IT Policy Compliance Group shows that the way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources. The report, which incorporates responses from more than 2600 global organisations, measures the impact that improvements to data protection, regulatory compliance and IT service level resiliency have had on business results, including customer satisfaction, customer retention, revenue, expenses and profits.

The raw scores from the report clearly show that firms with better IT GRC results outperform all other organisations at satisfying customers, retaining customers, and growing revenues and profits. Based on the evidence, the organisational functions that make the most difference to improving IT GRC maturity (from least mature to most mature) are senior management, managers and directors in IT, legal counsel and the audit committee. Businesses with the most mature IT GRC practices showed 17 percent higher revenues, 14 percent higher profits, 18 percent higher customer satisfaction rates, 17 percent higher customer retention levels and 96 percent lower financial losses from the loss or theft of customer data; they were 50 times less likely to have customer data stolen or lost, and spent 50 percent less on regulatory compliance annually.

Data loss prevention

Financial loss due to data loss or theft is not a question of if, but when. Firms that suffer a publicly reported data loss or theft can count on losing money. For companies that lag in compliance, the probability of making front page headlines for data loss or theft is once every three years or sooner. Compared with their less compliant counterparts, compliance leaders significantly reduce their odds, to once every 42 years or later.

One of the most striking findings from the research is the correlation between the loss of sensitive data and regulatory compliance results: firms that excel at protecting sensitive data also perform well on regulatory compliance audits. Almost all (96 percent) of the organisations with the least loss of sensitive data are the same organisations with the fewest regulatory compliance deficiencies that must be corrected to pass regulatory audits. In contrast, the majority (64 percent) of the organisations with the most loss of sensitive data are the same organisations with the largest number of regulatory compliance deficiencies.

Action recommendations

To improve business results and reduce risk, loss and expense, organisations need to increase or enhance their IT GRC competencies and practices. Based on the report, the IT Policy Compliance Group recommends that organisations take the following steps to improve IT GRC:

• Staff the governance committee from senior business, financial, legal, regulatory and audit committee members

• Use a Balanced Scorecard, or similar tool, to improve the delivery of value and the performance results of IT

• Drive improvements to maturity and business outcomes with a measurable and continuous quality improvement programme throughout IT

• Insist on monthly reporting to drive improvements

• Improve and automate technology controls to mitigate and avoid financial risk, brand damage and business disruptions

• Improve the skills and automate the activities within IT assurance, audit and risk management

• Segment and limit, where possible, to reduce exposure and costs

• Manage change, and prevent uncontrolled change, to avoid higher financial risk and cost inefficiencies

• Continuously measure/assess conditions, controls, objectives and policy to maintain an appropriate balance between reward and risk