Sunday, July 20, 2008

Key Recommendations and Functionality of IT GRC among the most mature - Improving Business Results and Mitigating Financial Risk.

Practices and capabilities
In addition to organizational competencies, specific practices and capabilities leading to better business results and less financial risk, loss, and expense include segmenting and safeguarding customer data, rationalizing policies and control objectives, common procedures and systems, more controls, much more automation, change management, and continuous measurement, among others.

Key recommendations for action

Based on the relationship between the maturity of IT GRC practices among organizations and the business reward and risk outcomes being experienced by firms at different maturity levels, the key recommendations from the research include actions for senior managers, vice presidents, managers, and directors, as well as recommendations for use within IT operations, IT assurance, and IT audit.

Although the end goal for some firms may be to operate at the most mature levels for IT GRC, others may find this inappropriate. All firms will want to evaluate their specific financial rewards and risks when deciding which level of IT GRC maturity is desirable, and what improvements have to be made to achieve their objectives.

For this reason, it is important that managers first assess the maturity of their own organization; determine the optimal reward, risk, and expense targets; establish the desired level of maturity; and identify and implement the improvements needed to achieve their objectives.
After identifying objectives for important business metrics, the GRC CMM enables organizations to identify the following, based on targeted maturity levels:

• Increases in revenue, profit, and customer retention

• Avoidance or mitigation of financial and operational risk and loss

• Expense reductions for legal and regulatory compliance

• Practices and capabilities needed to achieve objectives

• Organizational competencies needed to achieve objectives

Practices and capabilities

• Safeguarding of customer data and systems

• Rationalized policies and control objectives

• Common IT procedures and systems

• More controls

• Automation of controls and activities

• Effective change management

• Continuous measurement

Key recommendations

• Use a balanced scorecard or similar tool to improve the delivery of value and the performance results of IT.

• Staff the governance committee from senior business, financial, legal, regulatory, and audit committee members.

• Drive improvements to maturity and business outcomes with a measurable and continuous quality improvement program throughout IT.

• Insist on monthly reporting to drive improvements.

• Improve and automate technology controls to mitigate and avoid financial risk, brand damage, and business disruptions.

• Improve the skills and automate the activities within IT assurance, audit, and risk management.

• Segment and limit, where possible, to reduce exposure and costs.

• Manage change management and prevention to avoid higher financial risks and cost inefficiencies.

• Continuously measure and assess conditions, controls, objectives, and policies to maintain an appropriate balance between reward and risk.

Improving business results and mitigating financial risk

It is important to assess results, both before and after changes to practices, capabilities, and competencies within the organization. Only by measuring before and after will the organization know whether the improvements are sufficient or not.

This simple recipe for Continuous Quality Improvement supplies the backbone for a measurable and integrated IT GRC program within IT that will optimize the balance between reward and risk, as demonstrated by the results being achieved by the most mature organizations.

Improving competencies, practices, and capabilities

The capabilities, practices, and competencies directly associated with higher GRC CMM maturity levels provide the opportunity to diagnose specific shortfalls or misaligned activities that a firm may already have implemented.

For instance, an organization may have implemented continuous monitoring but may find that its Continuous Quality Improvement program is based on vague or nonexistent metrics that stifle its progress. Or, a firm may find that it has implemented a balanced scorecard for the alignment of value delivered by IT without any of the underlying practices necessary to enhance IT GRC maturity.

Some organizations may find that moving from their current state of maturity will require an incremental approach through planned stages. In this case, it is critical to identify the shortfalls against benchmarked practices and capabilities and develop phased plans that are based on priorities to improve specific practices as part of a longer-term plan for improving results.

Assessing the current level of maturity and the desired objective, along with the practices and capabilities needed to improve results, can be accomplished with the assistance of this research report. The tables in Appendix A list specific business outcomes for each maturity level. Similarly, the practices, capabilities, and competencies correlated with each maturity level are listed in these tables. The current state of maturity, desired objectives, and specific practices that might be needed to improve results can also be found in the tables in Appendix A.

In addition, interactive assessment tools at the IT Policy Compliance Group website (www.itpolicycompliance.com) will provide an automated method to assess the current maturity of the organization, the business outcomes for each level of maturity, and the improvements that can be targeted.


To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk.

Other Symantec Resources, Webcasts & White Papers

1. IT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower risk

2. Benchmarking IT Risk & Compliance
