Rethink your approach to IT risk & compliance

John Verver

CPA CA, CISA, CMC

When was the last time you made changes to your compliance processes? Here are four steps you can take to start working smarter now.

Rapidly evolving business practices and an ever-increasing range of IT risks, particularly cybersecurity breaches, are some of the largest risks organizations face. Look what happens when a hacker gets hold of millions of confidential customer records: share prices fall, brand names become tarnished, customers leave, and CIOs are fired.

IT, security, and risk management leaders pay a lot of attention to the major cybersecurity risks. But it’s not just about the major IT risks. The challenge that many IT risk and compliance leaders face is what to do about everything else. This includes things like:

  1. What’s the best way to deal with the huge number of regulatory requirements and compliance issues that impact IT?
  2. How do you ensure your organization is compliant with all the requirements within frameworks, standards, and regulations like COSO, ISO/IEC, COBIT 5, HIPAA, PCI, and GDPR?
  3. How do you make the complex web of compliance activities work together seamlessly?

What we’re doing now isn’t working

If you work in IT, you’re likely under enormous pressure to make sure your organization is compliant and protected from cyber risks. You’re also expected to get this done as efficiently as possible without involving massive amounts of resources.

There are a few challenges here. One is that IT regulations, standards, and compliance requirements are constantly evolving. In multinational and multi-business corporations, teams are so big that silos easily develop. Each team is busy working to address a local set of requirements, without communicating with other teams. This results in duplicated efforts, or worse, compliance gaps.

Surprisingly, many IT compliance teams are still using homegrown spreadsheet-based systems, or outdated application software to manage compliance processes, rather than dedicated IT compliance software.

“At some point, IT compliance leaders should take a step back from the ongoing tactical challenges and consider if there’s a better approach to doing things.”

It’s time to rethink IT risk & compliance

The right combination of IT GRC software and best practices can transform IT compliance processes—reducing risks and increasing efficiencies.

Here are a few steps you can take to start working smarter:

1. Use software to link risks to compliance requirements

Purpose-built software can help you better understand and manage the relationships between risks and compliance requirements. Some platforms specifically support mapping and linking risks to requirements in an integrated way.

2. Automate necessary processes

Save time and streamline work by automating two key areas in risk management:

  • Continuous control and activity testing.
  • Dealing with alerts and control exceptions (as well as managing questionnaires, IT control self-assessments, and attestation/certifications).

Automating these areas will make your team more efficient and free up their time to focus on other critical tasks.

3. Integrate IT risk & compliance into an enterprise-wide risk management process

Make sure the complexity and degree of risks are adequately addressed and seen by everyone in your business. Connecting IT risks into the bigger organizational picture means IT is not thought of in isolation, but in the context of overall risks and compliance issues faced by the organization.

4. Work better together

To work smarter, you’ll need to get more functional integration from anyone involved in multiple areas of IT compliance. Breaking down those silos isn’t easy, but it is necessary. That can be done by bringing everyone together in a single GRC software platform, to work off the same data, look at the same reports, and work towards the same goals.

Look at the IT compliance process itself

No one solution is always the perfect fit for all IT compliance functions. The important thing is to apply best practices in objective monitoring and assessment, not just to compliance risks and requirements, but to the overall IT compliance process itself to really evaluate how well it’s working.

White paper:

KRI basics for IT governance

You’ll learn:

  • The different kinds of indicators, what they measure, their purpose, and audience.
  • How KRIs fit into a greater IT risk management program.
  • How to select your own KRIs, including a worksheet.
  • How to ensure your KRI program is scalable and sustainable.
