Keeping tabs on changing standards, keeping a constant eye on the legal situation and, on top of all that, maintaining traceable records of compliance with national and international standards: international companies face a tide of IT security and compliance requirements. Systematic governance, risk and compliance (GRC) management delivers the transparency this calls for.
As the result of a data leak at the beginning of 2016, a number of banks including Postbank and ING Diba had to replace thousands of their private clients’ credit cards. According to the FAZ newspaper, the credit card data had “gone missing” from the IT service provider and not from the banks. Even though the problem occurred at the supplier, responsibility for it could not be outsourced. Under the regulatory requirements, the banks remain responsible; they are obliged, for example, to inspect their service providers regularly.

“Cases like this show how multi-layered the requirements that supervisory authorities and stakeholders impose on business process and product security have become,” says Wolfgang Surrey, Governance, Risk and Compliance (GRC) expert at TÜV Rheinland. GRC covers the three major areas for action in successful and responsible corporate management. Its aims are the central management of monitoring activities and the efficient use of resources. Governance means corporate management in line with external and internal requirements, supported by the appropriate management systems. Risk (risk management) is “the active and purposeful approach to events constituting potential deviations from the norm”. Compliance stands for adherence to internal and external regulatory requirements and provisions.

Just as banks do, operators of critical infrastructures such as water and energy suppliers and telecoms companies are subject to the IT Security Act in Germany, and the General Data Protection Regulation (GDPR) applies within the European Union. Other regulatory requirements apply outside Europe. They are all aimed at preventing cyber-attacks or minimising any resulting damage.
Early identification of vulnerabilities
The fact that end customers, such as those of the banks referred to above, are directly affected by inadequate security measures is just the tip of the iceberg: the businesses affected also suffer enormous financial losses and damage to their image. More often, it is auditors and corporate advisers who reveal areas of potential vulnerability. Companies often don’t react until this happens, although GRC expert Surrey recommends a proactive approach: “The implementation of GRC management also acts as an early-warning system, helping to identify areas for action and carry out tasks more efficiently and therefore more cost effectively.” The biggest cost savings come from a consistent database. In a multinational corporate structure, for example, special software replaces a “loose-leaf collection” of Office and SharePoint solutions which, in the worst case, is maintained by various employees in different countries in non-integrated software environments.
Setting realistic milestones
The alternative to this is GRC automation with custom in-house software. Centralised master data prevents potential reporting inconsistencies; this is also the major benefit compared to standalone solutions based on Excel or Outlook. “The use of GRC software is not a must for all companies but, somewhere along the line, complex international structures can no longer be managed by standard IT resources alone,” says Wolfgang Surrey. The introduction of a professional software solution is particularly advisable for companies that, due to the nature of their business model, either operate in a highly regulated environment or, due to their global activity, are faced with international regulatory requirements where any compliance failure meets with severe punishment. Without audit-compliant risk management, there is, in the worst instances, the threat of huge claims for compensation. Having worked with its subsidiary OpenSky on over 300 successful projects, TÜV Rheinland is now a specialist in the RSA Archer GRC software platform. “The consultancy skills of the implementation partner are at least as important as the software that is to be introduced,” stresses Surrey. “We support the entire process chain, defining a strategy together and setting realistic goals. This is because GRC management can only be as good as its long-term practical implementation.” So the expert calls on companies that have so far never, or only casually, addressed GRC risk to set realistic milestones. If goals are too ambitious, the complexity of GRC management can lead to disappointing results. A good way to start is often to identify one or two high-priority issues (quick wins), such as the implementation of a system for measuring supplier performance.
“Rapidly measurable successes will open the door in most companies so that the issue can be dealt with more comprehensively,” says Surrey, adding: “Covering all of GRC is like running a marathon. You need to know the route to the finishing line from the outset but exploding off the starting line like a sprinter is counter-productive.”