“Non-Compliant”… the words that no organization wants to hear. Your hands start to get a bit sweaty and your pulse starts to climb. Unfortunately, the damage has most likely already been done, and it could very well be game over – and not just for you, for the entire Enterprise. Truth be told, by the time the majority of CIOs, CEOs, Board Members or any other stakeholders see or hear those little words, it’s probably just too late.
Take a scan of any internal and external compliance environment, and I can guarantee you the picture that gets painted is one of complexity, resource intensity and dynamism. Being in business today is not something to be taken lightly, irrespective of what industry you’re in or the size of your entity. And we’re not only talking compliance with legislative prescripts, as in the case of Sarbanes-Oxley (SOX), which come with criminal and punitive implications. Compliance needs come from a variety of sources, including non-regulatory ones, both from within the Enterprise, where Organizational Policies are typically the driver, and from the macro or market environs, for example in the Payment Card industry, with its Payment Card Industry Data Security Standard (PCI-DSS).
As much as compliance is mandated though, one must also acknowledge there is a large and expanding proportion of compliance that is elective, with increasing numbers of businesses seeing it as critical for good governance, risk management and ultimately contributing to the growth and sustainability of the organization. And in the age of information technology, with IT and compliance integral to the organization of today, it comes as no surprise that IT GRC is getting a lot of daylight.
Compliance is, or at least should be, strategic to any contemporary Enterprise. So whether it’s a legal, regulatory, industry or other compliance requirement, I think we can all agree that the ship really has sailed if you find out after the fact that you’re non-compliant… Maybe your business loses its licence, maybe it’s a big deal that goes down the tubes, or maybe it’s a fine of a million bucks. Whatever the consequences, big or small, there’s no doubt they are negative.
But we’re in the 21st century now – we don’t need to wait until the auditor submits his quarterly or annual report, the accountant his monthly presentation or the supervisor his weekly exceptions memo… highlighting where we were non-compliant. Why should you have to wait for the alarm bells to sound when the fire’s already smoking? Well, you used to have to. Stakeholders of tomorrow demand to know where they are non-compliant now, as it happens, not where they were… and even more so, what and where the risk of non-compliance will be in the future. Serendipitously, while compliance has become both more challenging and more necessary for Enterprises along its path of evolution, there has also been an exponential (re)evolution of information technology and the Internet… now arguably more commonly branded the Internet of Things (IoT). Getting a view of what’s happening as it happens, and even before it happens, is no longer a pipe dream; it’s a reality!
The emergence of IT GRC, and the convergence of technologies and tools in big data analytics, business intelligence and the Cloud, have taken us from a state of historical reporting to real-time monitoring and control of the Enterprise, and beyond. It may be a cliché to say ‘moving from reactive to proactive’, but in the world of everything real-time, it’s still as apt and appropriate as ever.
Visualize the IT Manager who, on receiving an immediate compliance red alert from a staging server following pre-Go-Live deployment of software updates to their global databases, pulls the plug and saves the organization hundreds of thousands of penalty dollars.
Or the Financial Accountant who, on seeing an amber compliance alert on their in-house dashboard monitoring their journal cycles and GL postings, makes an immediate change to their internal controls to prevent potential SOX infringements.
Not to mention the Audit, Risk, Governance and Compliance board committee who were saved when their organization’s real-time system alerted them to a change in business-critical national regulations affecting one of their regional operating entities in EMEA.
There was a time when Enterprise and IT Governance, Risk (Management) and Compliance were managed as separate silos in most organizations. But with the advent of the integrated IT GRC approach, that all changed for the better. There was also a time when a change in legislation, regulation or standard was communicated only by post, many weeks after its effective date, and often never reaching its intended recipients. But now we can actively monitor the sources of record (truth) for any changes. And so too was there a time when businesses couldn’t get up to date information on their business activities, good or bad, and relied on ‘old data’ from static reporting to inform them of where they had gone wrong, and importantly, were non-compliant. But that was yesterday.
When it comes to the future of compliance, it’s all about real-time. Real-time means better governance, better risk management and better compliance. Whether your Enterprise wants to reduce the risk of non-compliance and the potential exposure and liabilities it brings, improve its governance over the business as a whole by measuring compliance with its most important policies, ensure ongoing alignment to all essential standards, regulations and legislation, or simply improve its compliance – isn’t it about time you went real time? The clock’s already ticking… IT GRC, Real Time, Real Value!