
The GRC Opportunity

9 Jul 2015 by Howard M Cohen

Service providers can no longer define themselves simply by the technologies they implement, manage or support. As regulatory compliance requirements rise, users' needs become more complex, and the interaction between users and their technology must be far more precise. Your services must expand into helping the enterprise assure that all of its users are always acting to maintain compliance, not only with regulatory acts but also with corporate policies and procedures.

3 key security measures

Three key areas of focus have emerged to help businesses respond to this need effectively. Since all three must receive appropriate attention for the strategy to be effective, they have been grouped together in the acronym GRC: Governance, Risk Management and Compliance.

Governance – Organizations must carefully and deliberately develop a set of rules and standards governing how any and all information collected by the organization is used. Who has access? How is it stored and managed? When and where is it archived? What reporting mechanisms are acceptable? When and how is information destroyed?

Risk management – Careful planning is needed for the electronic and physical security of the data. How is it encrypted, stored and transported? How is access protected? How is the effectiveness of risk management measured?

Compliance – A comprehensive, documented plan for achieving and maintaining compliance with all applicable government regulations is needed. A common mistake is the belief that compliance means the information is secure. Regulatory compliance does not assure full security. Nor does full security assure regulatory compliance. They are two issues that must be addressed separately.

Service solutions – not just software

Start by explaining to your customer that no technology is in itself compliant with any regulatory act. All regulatory acts require an entire organization to establish and maintain compliance. Various technology products contribute to maintaining compliance, but the products themselves are not, by definition, compliant.

Policies, procedures, documentation, cycled testing and other practices must be executed by people on a scheduled basis in order for any organization to achieve and maintain any kind of applicable regulatory compliance.

This means that service providers who include GRC services create several opportunities for themselves while offering significant additional value for their customers.

The automation opportunity

  • More than three quarters of organizations surveyed by Symantec report that they have seen the complexity of their IT infrastructure increase in the past few years.
  • Those who automated 80% or more of their security practices report up to 92% fewer incidents of data loss or theft — and 98% less business downtime as a result of IT failures.

Various data-protection processes are readily automated, contributing to either regulatory compliance or data security and sometimes both. Implementing and maintaining automation not only enhances compliance and security, but additionally simplifies most information governance policies and procedures established by your customer.

The documentation opportunity

Internal information governance and government regulatory compliance each require significant documentation of the effectiveness of many actions taken over time. These actions include recording events, storing information created in various ways, testing information technology systems and services and many more.

There are excellent software products available to support your efforts to help customers confirm these actions and maintain full documentation of their effectiveness. These applications help you organize and routinize the process of surveying all departments on a scheduled basis. They provide dashboards that vividly depict your progress toward full compliance, as well as your readiness for audit. The dashboards can also be used to gauge and evaluate the risk involved in taking any action that involves these assets.

While some larger customers may opt to purchase and operate compliance software themselves, many will prefer to have your trained experts perform all the necessary surveys and reviews on site, to help assure they will pass audits and avoid potential penalties.

The right-hand opportunity

The most valuable asset your customers own is their business data. Your ability to help them maintain close governance over how those assets are used, and what risk those assets are exposed to, establishes you as much more than just a technology advisor. You become a trusted business partner.

Learn more about control compliance suites and how you can build your own GRC practice to add significant, high-margin revenue to your practice, and highly pertinent new value for your customers.