GRC is Not a Tool But a Business Enabler

Saturday, June 04, 2011

Rahul Neel Mani


Kartik Shahani, Country Manager, RSA, The Security Division of EMC, India & SAARC, talks about the state of GRC solutions in India and why organisations need to look at them as a business enabler, in a conversation with Varun Aggarwal.

The adoption level of GRC solutions in India is currently quite restricted. What are the sectors that are early adopters for these solutions?

There were several Indian companies that were acquiring global companies and the companies that were acquired had to follow certain laws and regulations in their respective countries.

Indian organisations that have acquired many companies in Europe and North America in the last couple of years need to comply with the regulations in those countries. This means that they cannot have multiple standards followed in their organisation, and they would try to standardise their policies for governance purposes across the enterprise.

The other set of companies that were early adopters of GRC solutions were the BPOs and the KPOs, because they had to comply with the laws and standards that were followed in North America and Europe. Therefore, they also needed GRC solutions for this.

While the initial adoption of GRC came from these sectors, the BFSI sector in India has also started, with regulations and governance policies being mandated. Having moved beyond merely issuing governance and compliance guidelines, the IT Act has now started penalising companies for non-compliance.

GRC adoption in the country

Who is actually going to monitor the GRC implemented by organisations and its effectiveness, and what are the penalties if companies are not able to live up to those compliance requirements and regulations? If these penalties are very small or insignificant, then the adoption of GRC solutions would be impacted. So, while GRC is known to people, the state of implementation of GRC in the country is still a question mark.

So, while everyone understands the benefits of implementing a GRC solution, the fact of the matter is how much budget an organisation has to invest in GRC implementation. People are looking at a couple of ways to handle this. One of the ways is by looking for point products that meet their requirements. But these are not business enablers; they are just point products.

There are also people who are evaluating the investment into GRC by looking at the penalties of being non-compliant. If the penalties are not huge, they are willing to remain non-compliant.

With regulations from the IT Act 2008, SEBI etc. coming into force, why are organisations still not taking GRC seriously?

The actual implementation of GRC would depend on various factors. For example, how much of the compliance requirement is actually executable, and how much of it is actually monitored by the regulatory bodies. It matters whether a regulation says that, for good governance, organisations should do certain things, as against saying that if an organisation doesn't follow these practices, it will be penalised by a certain amount.

Therefore, if heavy penalties are not put in place for non-compliance with governance practices, people would often defer the implementation owing to the time and money that would go into the project.

If you look at GRC solutions today, they aren’t really cheap. The effectiveness of a GRC solution really means the amount of customisation and changes made within the organisation to meet those compliance requirements.

GRC is not an out-of-the-box solution which would immediately make you compliant. It is a tool that allows you to collect information, reports to you, helps you make changes, puts the feedback into the new policy, and shows how much variance exists between the compliance requirement and the current state of your organisation, and based on that, action is taken.

What is RSA doing to make GRC more affordable?

Affordability actually depends on the value addition that comes with a GRC solution. From RSA's perspective, we're trying to show enterprises the various benefits they can get in the long term with our GRC solutions. They will get productivity improvements, so that they do not require too many people to handle their compliance requirements, and they will be able to get the compliance requirements fulfilled in a shorter period of time, and that adds up as a benefit.

There was a large supermarket chain in the US that was taking auditing services from one of the Big Four. The Big Four firm used to deploy 300 auditors for a year across the 8,000 stores of that organisation.

When they shifted to the tools provided by RSA, they were able to complete all 8,000 stores within 60 days with just 10 auditors instead of the previous 300. Now the audit turnaround is 60 days instead of the previous one year, which means they can do the audit six times a year in a much more cost-effective manner, helping the company improve its business processes as well.

That's what we're trying to do. People should not look at the return on investment for a GRC implementation in year 1 or year 2. These solutions are there to enable the business rather than simply making the organisation compliant.

Can you talk about some of the key benefits that your Archer solution brings to the table? What is the way ahead for GRC?

For large enterprises with hundreds of companies within them, it is virtually impossible to get a single dashboard to see the state of the entire group at once. Our GRC tool helps solve this problem by fetching information from various sources to give a consolidated view of your organisation. In most organisations, the data resides in silos.

Therefore, it is very difficult to correlate the data and use it uniformly across the organisation. The Archer solution works on both IT GRC and enterprise GRC, and offers the various users, like the CIO, the CFO, the CMO and the CEO, the relevant information that they require. This process drastically reduces the time taken to correlate information, and since there is no manual intervention in the process, you have more reliable data.

Archer is built in such a way that the output of the reports cannot be doctored. The solution complies with all the popular compliance standards across the world.

Not only in North America and Europe, but also in many Asian countries including India, newer regulations are coming up. As time goes by, compliance and regulation would increase, and it would become imperative for organisations to go for GRC solutions in order to be compliant with all the regulations that apply to them.

Cross-posted from CTO Forum

