I’ve been having conversations with customers and prospects about the value of an integrated risk management platform. (You can substitute ‘GRC’ for ‘integrated risk management’ if you’ve been reading any analyst covering the space recently.) There are lots of value drivers, but to date most CIOs haven’t embraced the logic yet and are opting instead to buy for very specific solution areas. There are some exceptions, and on Friday I had a conversation with one of those exceptions, and he made a compelling case for why an IT organization should work with the business on an integrated control environment.
The specific case this customer made was around the need to manage the General Computing Controls associated with Sarbanes-Oxley. The finance side of the company had been the buyer of their SOX solution, and they, of course, look at the world through accounts and processes. Their SOX solution was configured accordingly, and all of their controls roll up to processes associated with accounts. Unfortunately, the IT organization doesn’t look at the world that way, and, according to this customer, “There’s nowhere in this model to stick the IT controls in a rational way.” The IT organization would much rather organize the GCCs by ISO 17799 or some other framework and associate each control to the appropriate risk in the finance model. In this way, the IT organization can leverage a control management structure already in place, without duplicating any effort.
This is the most basic value proposition for an integrated risk management platform. And many companies are seeing big savings as the number of regulations they are trying to manage increases. Sure, you can probably manage SOX in a bunch of spreadsheets, but try adding a couple more regs, plus reporting and policy management, and you’re very quickly into the realm of a purpose-built solution. The interesting problem is that the cost of siloed solutions doesn’t fall fully in the office of the CIO. If it did, we would have many more CIO converts.