It’s now been 17 years since the passage of the Sarbanes-Oxley Act (SOX), which was…
Manual performance of governance, risk, and compliance (GRC) activities is inherently more perilous than using a GRC automation tool. In this three-part series, we will explore the dangers of manual GRC, determine how to evaluate GRC solutions, and cover implementing GRC automation and proving its ROI.
Assessing your current landscape is the first step in understanding how your business could improve its governance, risk, and compliance procedures. By looking at the current risks and costs of your manual efforts, you will be on your way to adopting the right automated solution and making huge efficiency and productivity gains.
Quantifying the business problem through time, effort, and risk
Businesses are required to track bottom-line costs more accurately, as both the competitive pressures of globalization and continued digital disruption in the marketplace are more apt to impact the bottom line. Capital expenditures are considered very carefully, usually with justifications and ROI calculations rightly based on direct customer-facing benefits – opening new markets, introducing new products or lowering costs.
Once the darling of board rooms for fueling innovation, IT executives increasingly find themselves cast as an overhead expense, not a value-add to the enterprise. Investment in IT too often loses to other enterprise investments.
IT security and GRC risk managers fall even lower on the list of priorities for scarce enterprise investment. While the risks, costs and collective drag on an enterprise of not investing in GRC automation are not always easy to articulate, these costs are real, and if properly explained, can justify investments.
Tedious and manual IT security administration processes and compliance reporting can affect the enterprise in several areas.
Slow user provisioning and compliance reporting processes
IT help desk organizations receive user add, change and delete requests in a never-ending stream. Too often, routine IT user provisioning involves a complex sequence of manual processes. IT staff spend many hours of non-value-add time manually processing requests. Manual compliance reporting tasks add to the cycle time for turning around requests. Additional time gets spent tracking down requests that get lost, misrouted or delayed. That’s why having an automation solution for maintaining ongoing compliance can help your business focus on what’s truly important.
For many companies, it might take a week or more to turn around a new employee add request. Consider the business cost of delaying new employees’ contributions due to slow IT user provisioning processes. What would the benefit be if a new employee could be provisioned in hours, not days?
Complex, manual IT user provisioning processes undermine the business’s trust in IT. Slow turnaround and lost requests are simply poor customer service, causing friction and lost productivity.
Manual compliance reporting also slows turnaround time for IT’s servicing of auditor requests. Manual reports tend to be deemed less reliable than automated reporting, causing auditors to dig deeper and drive ever more expansive reporting requirements.
High priced IT staff performing low value work
IT processes tend to expand over time. With each new compliance and reporting requirement, and with new applications and new integrations being rolled out, straightforward processes like user provisioning can become a labyrinth of manual tasks with numerous and cumbersome hand-offs. Not only do inefficiency and cycle time increase, but so does overall GRC risk. Complex, manual operations processes are no picnic for IT professionals either.
It is said a seasoned IT professional is worth their weight in gold. Despite the economic recession, IT professionals still command top wages and are not easy to replace. With lean staffing, many IT organizations are only “one person deep” in many critical roles.
Good IT professionals pride themselves on driving important initiatives to go-live for the benefit of the enterprise. Tedious, routine operational tasks are a morale killer for these professionals. Unfortunately, with lean staffing, the percentage of time spent on operational tasks versus value-add initiatives has tipped too far towards operations. Complex manual operations for user and role provisioning take time, and chasing down errors takes even more time.
Manual compliance reporting can be “death by screen shot” with many enterprises reporting hundreds of IT staff hours spent compiling periodic reports.
The result is enterprises spending far too much money on routine IT operations by paying high priced staff to do low value work.
There is a human cost, as well. IT professionals don’t feel gratified performing routine, low-value work. Turnover increases and productivity suffers.
What if automated user provisioning could reduce your cost by half?
Time and effort for manual compliance is rising
Every year, IT audits are getting broader and digging deeper. Hours spent by IT security professionals to produce manual compliance reports continue to increase. Too often, these long, tedious hours spent in IT don’t show up as glaring budget overrun dollars. Hard working IT staff often silently just put in extra hours completing manual compliance reports.
The less obvious, more insidious cost of increasing compliance reporting is less time being spent on IT initiatives and more on non-value add operations. The costs include slower time to value for IT business initiatives and less agility to respond to new opportunities.
Increasing GRC risk of adverse findings
Thinly staffed IT organizations often heroically struggle to keep up with the constant stream of provisioning requests and increasing compliance requirements. With so much time and focus spent on simply keeping up, the chances of genuine risk becoming a problem to the enterprise increase. Good auditors can find and rightly report adverse findings related to those areas of increasing risk.
The costs in terms of loss of shareholder confidence and goodwill become board-level concerns quickly. The finding of a significant deficiency cannot be ignored and can drive expensive, reactionary remediation.
There is a significant risk to enterprises in which IT organizations have lost their critical capacity to support innovation. While IT has lost some of its reputation for driving increases in productivity and competitive advantage, real opportunities exist for IT-led transformational change.
Some IT organizations report that 80-90% of their time is spent simply keeping the lights on, performing routine operational work. Investing in GRC automation can change the balance towards freeing up talented staff to propel the enterprise, not impede it.
The tipping point – when to perform a GRC risk assessment
Enterprises live with business problems all the time. Most are relatively easy to overcome, often through the day-to-day heroics of dedicated staff.
A tipping point occurs when two things happen:
- The impact of a business problem increases to the point where it becomes a significant risk or impediment to achieving business objectives.
- An individual decides “enough is enough” and drives a project in the organization to resolve the business problem.
The challenge with pursuing adoption of GRC automation solutions is that management often does not view such investments as “customer facing” or as having a direct bearing on the bottom line. “How will it help us sell more paint?” is the common question from one CFO of a consumer products manufacturer. Such perceptions can slow or derail initiatives to solve the business problems described above.
The costs of living with cumbersome, manual IT user provisioning and compliance reporting can be measured and quantified. A business case can be developed that articulates how many dollars are lost from the enterprise in terms of the following:
- Delays in provisioning correct IT user IDs and roles impact time to value for new employees or those changing roles. How much does it cost for every hour an employee waits for IT user and role provisioning?
- What is the cost for each IT user and role provisioning? What percentage of high value IT staff’s time is spent performing routine provisioning?
- How many hours of high value IT staff’s time are spent on compliance reporting? Are the hours increasing?
- Are you “flying blind” in terms of IT risk? How comfortable are you really with IT security?
- Do you have a backlog in IT for supporting new enterprise initiatives? Is the backlog increasing?
The business case for adopting GRC automation tools like ControlPanelGRC may also highlight the business benefits of the investment. Not only would the investment save money, but enterprise objectives would also be facilitated:
- Faster IT user and role provisioning means new or changing employees can make an impact sooner, increasing enterprise agility.
- Automation of routine IT user and role provisioning means high value IT staff are spending less time on operational tasks, allowing more time for innovation and driving initiatives.
- Great compliance automation solutions not only increase operational effectiveness but also ease compliance reporting. Audit trails of day-to-day changes are automatically recorded. Compliance reporting becomes a matter of running reports on demand, as required, over data that has already been captured.
- Increases in audit scrutiny can be offset by automation, breaking the cycle of increasing audit workload with fewer resources.
- With GRC automation, basic IT risks (e.g. segregation of duties violations, termination of user IDs) can be mitigated automatically with a full audit trail. High value IT staff are freed to address more insidious forms of GRC risk – the areas your auditors are more concerned about.
- Tangible reduction in routine IT operational workload via GRC automation means limited IT staff can have more capacity to take on more projects and better service the changing needs of the business, increasing enterprise agility.
Once you have assessed the unnecessary risks and extra costs manual processes demand, the next big step is to compare various GRC automation solutions that best fit your business environment and needs. In part two of this series, we will explore how to identify, evaluate, and build the business case for an automated GRC tool.