Saturday, July 26, 2008

Loss or theft of sensitive data and IT GRC maturity

The loss or theft of sensitive data is another of several IT GRC business risk indicators tracked by the benchmarks. The population distribution for these metrics shows:

1. Twenty percent of the population has the worst data protection results, with more than 12 losses or thefts of sensitive data each year.

2. Sixty-eight percent of the population has normative data protection results, with between 3 and 12 losses or thefts of sensitive data annually.

3. Twelve percent of the population has the best data protection results, with fewer than 3 losses or thefts of sensitive data each year.

Data theft or loss and IT GRC maturity correlation: Same firms dominate

In addition to the population distribution, the set of organizations that composes each of the major areas (least mature, normative, and most mature) is almost identical, with slight variations. For example, 75 percent of the firms with the least mature IT GRC results are the same firms with the largest and most frequent losses or thefts of sensitive data. Almost all—92 percent—of the firms with middling IT GRC results are the same firms with somewhere between 3 and 12 losses or thefts of sensitive data each year. And nearly all—96 percent—of the firms with the best IT GRC results are the exact same firms with the fewest and least frequent losses or thefts of sensitive data annually.



The alignment of the findings raises some interesting questions, such as:

• Is information more secure because of better regulatory compliance practices?

• Do better data protection practices deliver better customer satisfaction, retention, revenue, and profits?

• Are more mature results for IT GRC related to better business results, better data protection, and regulatory compliance results?

Regulatory compliance deficiencies and IT GRC maturity

Almost all—93 percent—of the firms with middling IT GRC results are the same firms with somewhere between 3 and 12 audit deficiencies that must be corrected to pass audit. And nearly all—97 percent—of the firms with the best IT GRC results are the same firms with the fewest regulatory audit deficiencies that must be corrected to pass audit.



Business downtime from IT service disruptions

Very similar results are posted for business disruptions due to IT service disruptions, many of which are due to IT security events. Roughly 20 percent of all firms suffer the highest levels of downtime: more than 80 hours annually. Another 68 percent are operating somewhere in the middle, with between 2 and 80 hours of downtime each year due to IT disruptions. And only 12 percent are fortunate enough to have business operations halted for 2 hours or less each year due to IT disruptions.

Business downtime and IT GRC maturity correlation: Same firms dominate

The majority—80 percent—of organizations with the least business downtime from IT service disruptions are the same firms with the least data loss or theft and the fewest regulatory compliance deficiencies to correct. A majority—63 percent—of the firms with the most stagnant business results are the same firms with the most business downtime from IT disruptions, the largest number of regulatory compliance deficiencies, and the most loss of sensitive data. Lastly, 78 percent of the firms with normative annual hours lost to IT service disruptions are the same firms with normative results for all of the metrics.



The alignment of the findings raises an interesting question: What are the IT GRC practices that translate into improved business results, including higher revenue, better profits, better customer retention, and improvements in IT service reliability, as well as better regulatory compliance results and less frequent loss of sensitive data?


To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk

Compliance Webcast and Video

IT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower risk

Benchmarking IT Risk & Compliance

Thursday, July 24, 2008

The business impact of IT GRC maturity

IT GRC maturity covered by this research report is based upon the following:

1. Primary research results conducted with thousands of organizations

2. The practices and capabilities directly related to business rewards and risks experienced by these firms

3. The practices and capabilities associated with each level of reward and risk

The result is a maturity matrix that is based upon empirical evidence.

The descriptions of the maturity levels for GRC in this report are similar to and borrow from much previous research, including contributions made by supporting members of the IT Policy Compliance Group, including the Computer Security Institute, the Institute of Internal Auditors, ISACA, the IT Governance Institute, Protiviti, and Symantec.

Apart from the scale and descriptions of the maturity levels, however, the findings contained in this report differ markedly from available maturity models in three principal ways:

1. The findings are focused exclusively on IT GRC.

2. The maturity described by the report is directly linked to financial results and risks from primary research benchmarks.

3. The practices and capabilities are directly related to business outcomes at each maturity level, based on primary research benchmarks.

There are many different maturity models available. Most provide a way to assess practices and capabilities needed to improve results for a specific purpose, along with a roadmap for evaluating current and desired future states. The maturity relationships contained in this report rely on benchmark findings and publicly available data for business outcomes, financial risks, and business risk indicators throughout the entire spectrum, from one end to the other. If a result, a practice or a capability is not grounded in the reality of actual experience, it is not contained in the report or the GRC CMM.

There are direct relationships between the maturity of IT GRC practices and capabilities, and the business results—positive and negative—being experienced by organizations. The primary IT GRC metrics tracked by the benchmarks include customer satisfaction, customer retention, revenue, profit, financial loss and the occurrence of such losses after the loss or theft of customer data, business disruptions leading to financial losses that are directly related to IT service disruptions, and the number of regulatory compliance deficiencies that must be corrected to pass audit and that are costing the organization more, or less, money to sustain regulatory audit results. Results from the benchmarks consistently show a normal distribution of results for these metrics, from the worst business results to the best, from the worst financial losses to the best, from the most business disruptions to the least, and from the most difficulty with regulatory audit to the least. Consistently, within and across all of the benchmarks, the population with the worst results is 20 percent of the population of firms participating in the benchmarks, and those firms with the best results number 12 percent of the population. In between these two ends of the spectrum lies a majority of the population, 68 percent, with normative results: between the worst and the best.

This consistently normal distribution of results is accompanied by consistent research findings related to a number of factors, including:

• Actions being taken to improve results

• Competencies and capabilities to take these actions

• Practices implemented by organizations to take these actions

The consistency in business outcomes, aligned with consistent findings in the actions, competencies, capabilities, and practices, forms the basis for the GRC CMM being covered in this annual report, focusing on IT GRC maturity.

Across more than 2,600 separate organizations, the findings show that roughly two in ten organizations are operating with the worst business results and the highest business risks. The findings also show that a little more than one in ten organizations are posting the best business results and the least financial risk. In between these two are a majority of firms, with neither the best business results nor the worst financial losses.

Each of the metrics measured by the benchmarks shows results that are consistently repeated, including business results, financial risk from data loss or theft, business disruptions, and the experience that organizations are having with regulatory compliance.

Business results: Customers, revenues, expenses, and profits

The most recent benchmarks measure the impact that improvements to data protection, regulatory compliance, and IT service level resiliency have had on business results, including customer satisfaction, customer retention, revenue, expenses, and profits. Tracked on a 10-point scale and measured by percentage changes, the results show the same population distribution:

• Twenty percent of organizations have an overall score of 6.37 for these five business results, on the high end of "no impact."

• Sixty-eight percent of firms have an overall score of 6.86 for these five business results, on the low end of a "slight increase."

• Twelve percent of organizations have an overall score of 7.40, in the middle of the range for "slight increase."

The raw scores clearly show that firms with better IT GRC results are enjoying much better results when it comes to satisfying customers, retaining customers, and growing revenues and profits than all other organizations.

Although there is a slight improvement among all firms, the results show clearly that the most mature firms are experiencing much better business results. Unfortunately, the average scores across these performance domains do not show the gulf separating the results between the organizations with the least and most mature IT GRC profiles. The percentage changes and relative scores provide much greater insight into the contribution to business results being achieved by firms with the most mature IT GRC practices.

Business results: Relative to the norm

Whether normalized to the mean scores for each business metric or measured directly from percentage changes that occurred for organizations, the change in value for customer satisfaction, customer retention, revenues, expenses, and profits shows a swing that ranges from nearly negative 10 percent on the low side among the least mature firms to nearly positive 10 percent on the high side among the most mature firms, matching raw scores from other portions of the benchmarks.



Although posting results that are on the high end of "no impact," the majority of firms operating as least mature are experiencing results that are 7.4 percent less than those of the firms operating at the IT GRC norm for all business metrics.

The most mature firms, those posting results in the middle of "slight increase" for all business metrics, are experiencing results that average 7.6 percent more than the firms operating at the norm for all business metrics.

The majority of firms—those operating at the IT GRC norm—are not experiencing the more dramatic differences in revenues, expenses, profits, customer satisfaction, or customer retention being posted by the firms with the most, or least, mature IT GRC profiles, practices, competencies, and capabilities.


To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk


Compliance Webcast and Video

IT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower risk

Benchmarking IT Risk & Compliance

Tuesday, July 22, 2008

What is IT GRC?

Simply put, IT GRC encompasses the practices for delivering the following:

1. Greater business value from IT strategy, investment and alignment

2. Significantly reduced business and financial risk from the use of IT

3. Conformance with policies of the organization and its external legal and regulatory compliance mandates

While some of these practices involve continuous improvement to quality, others involve practices and capabilities that are known to be effective, along with objectives for what the organization wants to achieve. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving those objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization.

Safely managing the speed of IT

Much like a team trying to win an automobile race, an organization may choose to press the accelerator pedal of IT usage and change to the floor. But when road conditions, fuel remaining in the tank, tire conditions, brakes, and drivers change, or when drivers are not paying attention, accidents are more likely to occur.

Objectives of organizations cannot be achieved when IT change does not keep pace with changing business conditions. Similarly, when the pace of IT change or use is faster, accidents are more likely. IT GRC involves the practices and procedures implemented to:

• Govern the investment and alignment of IT strategies and resources

• Manage risks associated with the introduction, use, and disposition of IT resources

• Manage compliance with company policy, regulatory, and legal requirements

Like the driver of an automobile, experience begets greater maturity, enabling some organizations to accelerate past competitors with less worry.

Sunday, July 20, 2008

Key Recommendations and Functionality of IT GRC among the most mature - Improving Business Results and Mitigating Financial Risk.

Practices and capabilities

In addition to organizational competencies, specific practices and capabilities leading to better business results and less financial risk, loss, and expense include segmenting and safeguarding customer data, rationalizing policies and control objectives, common procedures and systems, more controls, much more automation, change management, and continuous measurement, among others.

Key recommendations for action

Based on the relationship between the maturity of IT GRC practices among organizations and the business reward and risk outcomes being experienced by firms at different maturity levels, the key recommendations from the research include actions for senior managers, vice presidents, managers, and directors, as well as recommendations for use within IT operations, IT assurance, and IT audit.

Although the end goal for some firms may be to operate at the most mature levels for IT GRC, others may find this inappropriate. All firms will want to evaluate their specific financial rewards and risks when deciding which level of IT GRC maturity is desirable, and what improvements have to be made to achieve their objectives.

For this reason, it is important that managers first assess the maturity of their own organization; determine the optimal reward, risk, and expense targets; establish the desired level of maturity; and identify and implement the improvements needed to achieve their objectives. After identifying objectives for important business metrics, the GRC CMM enables organizations to identify the following, based on targeted maturity levels:

• Increases in revenue, profit, and customer retention

• Avoidance or mitigation of financial and operational risk and loss

• Expense reductions for legal and regulatory compliance

Practices and capabilities

• Safeguarding of customer data and systems

• Rationalized policies and control objectives

• Common IT procedures and systems

• More controls

• Automation of controls and activities

• Effective change management

• Continuous measurement

Key recommendations

• Use a balanced scorecard or similar tool to improve the delivery of value and the performance results of IT.

• Staff the governance committee from senior business, financial, legal, regulatory, and audit committee members.

• Drive improvements to maturity and business outcomes with a measurable and continuous quality improvement program throughout IT.

• Insist on monthly reporting to drive improvements.

• Improve and automate technology controls to mitigate and avoid financial risk, brand damage, and business disruptions.

• Improve the skills and automate the activities within IT assurance, audit, and risk management.

• Segment and limit, where possible, to reduce exposure and costs.

• Manage change management and prevention to avoid higher financial risks and cost inefficiencies.

• Continuously measure and assess conditions, controls, objectives, and policies to maintain an appropriate balance between reward and risk.

• Practices and capabilities needed to achieve objectives

• Organizational competencies needed to achieve objectives

Improving business results and mitigating financial risk

It is important to assess results, both before and after changes to practices, capabilities, and competencies within the organization. Only by measuring before and after will the organization know whether the improvements are sufficient or not.

This simple recipe for Continuous Quality Improvement supplies the backbone for a measurable and integrated IT GRC program within IT that will optimize the balance between reward and risk, as demonstrated by the results being achieved by the most mature organizations.

Improving competencies, practices, and capabilities

The capabilities, practices, and competencies directly associated with higher GRC CMM maturity levels provide the opportunity to diagnose specific shortfalls or misaligned activities that a firm may already have implemented.

For instance, an organization may have implemented continuous monitoring but may find that its Continuous Quality Improvement program is based on vague or nonexistent metrics that stifle its progress. Or, a firm may find that it has implemented a balanced scorecard for the alignment of value delivered by IT without any of the underlying practices necessary to enhance IT GRC maturity.

Some organizations may find that moving from their current state of maturity will require an incremental approach through planned stages. In this case, it is critical to identify the shortfalls against benchmarked practices and capabilities and develop phased plans that are based on priorities to improve specific practices as part of a longer-term plan for improving results.

Assessing the current level of maturity and the desired objective, along with the practices and capabilities needed to improve results, can be accomplished with the assistance of this research report. The tables in Appendix A list specific business outcomes for each maturity level. Similarly, the practices, capabilities, and competencies correlated with each maturity level are listed in these tables. The current state of maturity, desired objectives, and specific practices that might be needed to improve results can also be found in the tables in Appendix A.

In addition, interactive assessment tools at the IT Policy Compliance Group website (www.itpolicycompliance.com) will provide an automated method to assess the current maturity of the organization, the business outcomes for each level of maturity, and the improvements that can be targeted.


To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk.

Other Symantec Resources, Webcasts & White Papers

1. IT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower risk

2. Benchmarking IT Risk & Compliance

Monday, July 14, 2008

IT GRC among the most mature - Improving Business Results and Mitigating Financial Risk.

IT GRC among the most mature

Marked by a focus on operational excellence, firms with the most mature IT GRC profiles have established an integrated approach to managing risk and reward within the IT function and across the entire organization. Among these firms, senior managers in IT are employing the balanced scorecard to:

1. Regulate reward and risk decisions impacting the organization

2. Establish policies and objectives for IT

3. Institute a learning and growth culture that includes continuous quality improvement within the IT function




Within the IT function, and across legal, audit, internal controls, and business lines, the management of objectives for business reward and risk is being achieved with continuous quality improvement, control objectives, frequent measurement and reporting, common procedures, and high levels of automation, all complemented by IT service level objectives and contracts with IT vendors. Within the IT operations function, the focus is on common IT procedures, more automated controls, continuous measurement, and diligent IT change management and prevention procedures.

Marked by the use of Six Sigma among some firms and simpler Continuous Quality Improvement cycles among many others, the most mature organizations establish a focus on operational excellence within IT that reflects results back into the objectives established and improved through the use of a balanced scorecard. Among these firms, the hallmark of the approach is: make it easy to understand, easy to implement, and continuously improved.

The Continuous Quality Improvement effort for the governance of IT and the balancing of reward and risk associated with the use of IT takes place at all levels within IT, and across the organization, among the most mature organizations.

An empirical IT GRC capability maturity model

Primary benchmark research conducted by the IT Policy Compliance Group during the past two years has resulted in a GRC Capability Maturity Model (GRC CMM) with specific practices, competencies, and capabilities associated with each maturity level. This fact-based GRC Capability Maturity Model can be used to assess current maturity levels and quantify the business outcomes associated with each maturity level, as well as identify desired business outcomes and the capabilities, practices, and competencies needed to improve results.

The scale employed for the GRC CMM borrows from prior research, including significant contributions made by ISACA and the IT Governance Institute. Against this scale, the business results, financial losses, financial risks, business disruptions, and regulatory compliance experience of more than 2,600 firms have been mapped, from worst (level 1) to best (level 5) results.

The competencies, capabilities, and practices associated with each maturity level in the GRC CMM are those of the firms with specific business results at each level. This basis for the practices, capabilities, and competencies in the GRC CMM delivers empirical insight into what is working and not working, based upon primary research and facts, not hypothesis.

Implications and analysis

The way to improve business results and to reduce risk, loss, and expense is to increase or enhance the IT GRC competencies, practices, and capabilities governing the business rewards and risks associated with the use and disposition of IT. While most organizations will need to improve results, operating at the highest maturity level may be inappropriate for some firms. For some, the desired objective may be to operate at level 4.5 or 4.0 on the GRC CMM maturity scale. As a result, improving the balance between business reward and risk for a specific organization is going to be a journey that must be taken relative to the industry within which it competes.

Organizational competencies

The organizational competencies implemented by the most mature firms include leadership by IT, legal, audit and finance functions; employee training and a culture of compliance; improvements to specific practices and capabilities within IT operations, IT assurance and audit; and a continuous quality improvement effort.

Organizational competencies

• IT, legal, internal audit, and finance leadership

• Employee training and a culture of compliance

• Improvements to IT risk assessments, data protection, IT audit, risk, and compliance practices and capabilities

• Adjustments to spending in IT to support needed capabilities

• A continuous quality improvement program for IT GRC

• An integrated IT GRC program

These are the hallmarks of an integrated IT GRC program being implemented by the most mature firms.

To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk

Compliance Webcasts & Videos

IT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower risk

Benchmarking IT Risk & Compliance


Thursday, July 3, 2008

Executive summary - 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk.

Managing the value delivered by IT is traditionally associated with managing change to business procedures and applications that directly impact customer retention, sales, revenues, profits, and expenses.

Although valid, this view as the sole way to measure the value of IT is under siege as more organizations experience increasing loss or theft of customer data and endure the fallout from these events, including customer defections, revenue losses, declines in public capitalization, increases in expenses, and short-term profit declines. Not limited to managing and protecting customer data, IT is being challenged to maintain nearly 100 percent uptime to avoid business disruptions while cost-effectively responding to numerous legal requests, statutes, and regulatory audits.

In today's global economy, the livelihood of the organization is linked to how well the IT function manages the availability, integrity, and confidentiality of the information and IT systems used to operate core business procedures. Whether it is protecting information or meeting legal and regulatory requirements, the challenge confronting IT managers in an increasingly interconnected world means managing business opportunity and risk simultaneously.

The most recent research conducted by the IT Policy Compliance Group shows that improvements to data protection and compliance are paying big dividends among firms with the most mature governance, risk management, and compliance management practices.

These include:

• Consistently higher revenues than all other firms

• Much higher profits than all others

• Better customer retention rates

• Dramatically lower financial risks and losses from the loss or theft of customer data

• Significantly reduced financial impact from business disruptions caused by IT disruptions

• Much lower spending on regulatory audit

Unfortunately, only slightly more than one in ten firms are enjoying the extraordinary business benefits associated with these most mature practices.

In contrast, about seven in ten organizations are experiencing business results that are half of what the leading firms deliver while also posting financial losses that are much higher. Moreover, most of these firms are overspending on regulatory compliance due to high use of manual procedures and less mature practices.

The worst performers, about two in ten organizations, are experiencing much lower business results than all other firms, much higher financial losses, and much more difficulty with regulatory and legal mandates.

What is striking from the research is the organizations with best business results are the same firms with the most mature practices. The converse is also true: the organizations with the worst business results are the same firms with the least mature practices. Defining IT GRC broadly as (1) the management of value delivered to the organization by IT; (2) the management of risk associated with the use and disposition of IT resources; and (3) the management of compliance with corporate policies, legal statutes, and regulatory audits, this annual report shines a spotlight on the competencies, capabilities, and practices that are most responsible for influencing and impacting business rewards and risks.

IT GRC, business results, and GRC capability maturity

Simply put, the more mature the practices for managing reward and risk, the better the business results of the organization and the lower the financial risks. Conversely, the less mature the IT practices, the worse the business results and financial losses (see Figure 1).

Firms with the most mature IT GRC practices experience, on average, 8.5 percent more revenue than those operating in the middle of the normative range. Compared to the least mature, the most mature firms are experiencing revenues that are 17 percent higher. Similar disparities in results for expenses in IT, profits for the firm, customer satisfaction, and customer retention show that the maturity of IT GRC practices for managing reward and risk has a direct impact on the organization.




Figure 1. Operating results and IT GRC maturity
Source: IT Policy Compliance Group, 2008

To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk.

Other Symantec Resources, Webcasts & White Papers