Linda Tucci, Senior News Writer at SearchCompliance.com recently wrote “the rap against governance, risk and compliance (GRC) software is that the solutions either fall short of effectively managing the complexity of an enterprise’s compliance programs, or are so complex that enterprises never realize the software’s full capability. For compliance officers who are patient enough to start small while thinking big, however, the right GRC software can help put large, complex organizations on the path to Sarbanes-Oxley Act (SOX) compliance nirvana: a risk-based program optimized by automation.”
In the article, Ms. Tucci refers to Tommy Thompson, IT security compliance coordinator at The Williams Cos. Inc. and a long-time OpenPages customer. Mr. Thompson has been using OpenPages ITG for nearly four years, taking a tops-down, risk-based approach to managing Williams' financial controls, and is now looking to expand to other areas of compliance.
A key challenge in many IT organizations is being able to allocate resources to the right set of problems. Many times, IT managers will take a bottoms-up approach to IT risk and security and implement controls and procedures without any clear link to the key risks in the business. Williams is a great example of why you should consider a tops-down approach to risk management that supports overall corporate objectives and operates within the corporate ERM framework.
To achieve this, your IT risk and compliance solution should give your IT organization a way to link its IT risk management activities to the key risks in the business. That linkage supports better business performance against corporate objectives and a more efficient use of resources (capital and operating budget).