Although businesses are reliant on governance, risk and compliance platforms, most enterprises view the traditional mix of GRC systems as inflexible, slow, and incapable of delivering on the promise of automating governance and security risk management processes.
A recent white paper commissioned by Agiliance, called ‘Beyond GRC: SRM and the Move to Integrated Risk Management’, revealed that 78% of enterprises surveyed are in the process of replacing, or planning to replace, GRC systems with advanced integrated risk management (IRM) platforms.
They are doing this in order to increase operational efficiency and audit accuracy, streamline remediation, gain improved visibility into enterprise risk posture, and ultimately make better investment decisions.
Jayson O’Reilly, director of sales and innovation at DRS, says the rise of IRM is being driven by several factors. “A tough economic environment and the growing sophistication of today’s threats are playing a role in businesses wanting to improve their risk management posture.”
He says risk management has, to date, been based upon the disciplines of governance risk management (GRM) conducted by business, policy, and compliance teams, and security risk management (SRM) administered by IT operations and information security.
Governance, risk, and compliance (GRC) is more than likely conducted by many different teams within an entity, such as a governance and compliance team, and the IT security team. However, as these teams are disparate, it is hard for a business to make unified decisions based on both teams, and take action that is in the company’s best interest.
Concurrently, organisations are battling with multiple disconnected tools, security skills shortages, manual processes, and many other problems that are a spanner in the works of risk mitigation. These are some of the drivers behind businesses integrating their business risk management and security risk management initiatives, says O’Reilly.
It is his view that an integrated risk management platform can provide a single view of information and comprehensive reporting for the entire business. “Moreover, it can gather and collate data from disparate security tools, making use of the business’s existing investments. In this way, it can plug the visibility gaps by uncovering meaningful relationships among the data collected from the different tools.”
He says such a platform can manage a far larger volume of data, and perform risk analysis at greater speeds than security staff could hope to achieve. “This lowers the company’s dependence on manual processes or additional staff.”
The benefits, he says, are numerous, and include a single, context-aware platform that manages both governance and security risks. “It also offers higher scalability as it relates to users, data, processes, and multi-geographic availability.”
More flexibility as it relates to customisation, context-awareness, and expandability is also a benefit, as is faster time-to-value and a lower total cost of ownership.
O’Reilly stresses that IRM is still in its infancy, and its payoff is tricky to measure. “However, as these technologies grow in popularity, and become increasingly pervasive, this is changing. Businesses realise they need to optimise their investments and streamline operational efficiency. Integrated risk management helps to achieve this, while overcoming governance and security risk management challenges at the same time.”
An IRM platform also vastly lessens the time needed to review policy controls and produce risk profiles. “This could result in savings of millions of dollars in overheads, as well as shareholder confidence.”
At the end of the day, says O’Reilly, while businesses can schedule audits, they cannot do the same with cyber-attacks, and understanding their risk posture is their only hope. “To do this, and to gain insight, they move from assessing compliance only, to taking vulnerabilities, threats and the potential business impact into consideration. These three factors together provide the most comprehensive and holistic view of risk.”