
I attended a session on implementing IT GRC at CA World this morning, hosted by Patrice Walker, Director of Risk Management for Jefferson Wells, and Steve Bartolini, Senior Director of IT Compliance at CA.
These speakers have extensive experience in actually implementing IT GRC processes within large companies, and they presented some interesting guidelines and tips for ensuring the success of a GRC effort.
Patrice emphasized the importance of communication and relationships in making GRC successful. GRC is primarily a business challenge that impacts groups across the enterprise, so a narrower, technology-focused effort will likely fail. Relationships need to be built, and communication across all groups must be effective.
In addition, the business needs to see GRC as a continual process, not a discrete project with a defined end date. Also, GRC is a solution that can have significant business benefits. If it is viewed purely as a cost item, the true benefits that can be derived from it will be elusive.
Steve was responsible for a major revamping of CA's compliance infrastructure, so his insights and experiences were interesting. He said that early SOX efforts were hampered by the following:
- Seven groups shared compliance and audit responsibility
- There was no consolidated view of controls
- There were over 1000 IT controls in use
- There were different test procedures for the same controls (so, one test might be viewed as "pass" by one audit group and "fail" by another)
- All compliance processes were manual
- There was no unified view of enterprise risk
Steve led an effort to completely restructure the entire IT GRC process, and his results were impressive. By using a centralized GRC solution (not surprisingly, he chose CA GRC Manager), his group achieved:
- 30% reduction in controls
- 50% lower testing costs
- Easier accommodation of new regulations
- Real-time visibility into issues and risks
Steve summarized the key recommendations for GRC projects as follows:
- Align stakeholders
- Standardize practices and terminology
- Develop sound business processes before leveraging IT
- Pilot GRC with one group before widespread deployment