Select Page

Rethink your approach to IT risk and compliance

John Verver

John Verver

CPA CA, CISA, CMC

When was the last time you made changes to your compliance processes? Here are four steps you can take to start working smarter now.

Rapidly-evolving business practices include relationships with an ever-increasing range of suppliers and IT risks, specifically those involving cybersecurity breaches, are some of the largest risk issues facing organizations right now. Just look at what happens when a hacker manages to get hold of millions of records of customer confidential data—share prices fall, brand names are tarnished, customers take their business elsewhere, and CIOs are fired.

Inevitably, leaders of IT, security, and risk management pay a lot of attention to the major cybersecurity risks and assign resources accordingly. But it’s not just about the major IT risks. The challenge that many IT risk and compliance leaders face is what to do about everything else. Things like:

  1. What’s the best way to deal with the huge number of regulatory requirements and compliance issues that impact IT?
  2. How do you make sure that your organization is compliant with all the requirements within frameworks, standards, and regulations like COSO, ISO/IEC, COBIT 5, HIPAA, PCI, and GDPR?
  3. How do you manage to make the complex web of compliance activities actually work together seamlessly?

What we’re doing now isn’t working

If you work in IT, you’re likely under enormous pressure to make sure your organization is compliant and protected from the risks of cyber failure. You’re also expected to get this done as efficiently as possible without involving massive amounts of resources.

There are a few challenges here. One is that IT regulations, standards, and compliance requirements are constantly evolving—so are the underlying IT systems themselves. In multinational and multi-business corporations, teams are so big that silos can develop. Each team is busy working to address a local set of requirements without communicating with other siloed teams. This results in duplicate efforts, or worse, gaps in compliance when teams assume the other is responsible for a piece.

Surprisingly, many IT compliance teams are still using homegrown spreadsheet-based systems, or outdated application software to manage compliance processes.

“At some point, IT compliance leaders should take a step back from the ongoing tactical challenges and consider if there’s a better approach to doing things.”

It’s time for a smarter approach

The right mix of technology and best practices can transform IT compliance processes—both in terms of reducing risks, and being more efficient.

Here are a few steps you can take to start working smarter:

1. Use software to link risks to compliance requirements

Purpose-built software can help you better understand and manage the relationships between risks and compliance requirements. Some specifically support mapping and linking risks to requirements in an integrated way.

2. Automate necessary processes

Save time and streamline work by automating two key areas in risk management:

  • continuous control and activity testing.
  • dealing with alerts and control exceptions (as well as managing questionnaires, IT control self-assessments, and attestation/certifications.)

Automating these areas will make your team more efficient and it frees up their time to focus on other critical tasks.

3. Integrate IT risk and compliance into an enterprise-wide risk management process

Make sure the complexity and degree of risks are adequately addressed and seen by everyone in your business. Connecting IT risks into the bigger organizational picture means IT is not thought of in isolation, but in the context of overall risks and compliance issues faced by the organization.

4. Work better together

To work smarter, you’ll need to get more functional integration from anyone involved in multiple areas of IT compliance. Breaking down those silos isn’t easy but is necessary. That can be done by bringing everyone together in a single software platform, to work off the the same data, look at the same reports, and work towards the same goals.

Look at the IT compliance process itself

No one solution is always the perfect fit for all IT compliance functions. The important thing is to apply best practices in objective monitoring and assessment, not just to compliance risks and requirements, but to the overall IT compliance process itself to really evaluate how well it’s working.

White paper:

KRI Basics for IT Governance

You’ll learn:

  • The different kinds of indicators, what they measure, their purpose, and audience
  • How KRIs fit into a greater IT risk management program
  • How to select your own KRIs, including a worksheet
  • How to ensure your KRI program is scalable and sustainable.

Download white paper

Related Articles

Find us in the Gartner Magic Quadrant

Gartner names Galvanize (formerly ACL and Rsam)* a Leader in the 2019 Magic Quadrant for IT Risk Management

Learn what you should be looking for when selecting an ITRM solution.

Download the report