Getting to grips with regulatory compliance
Managing and tracking GRC is increasingly becoming a job for the IT department
As a developing market, the Middle East in general has not been at the forefront of putting in place standards and regulations to govern organisational management and practices. With many companies still even recently reliant on paper-based processes, the concepts of governance, risk and compliance reporting and monitoring have not been within the scope of any apart from the largest organisations.
As an example, in May 2012 Oracle and Accenture did a survey of companies in the UAE with regard to their ability to close, file and report their financial results accurately and on time. Due to inadequate reporting systems, the majority of businesses reported that they still face significant problems with financial reporting. Ninety-two percent of respondents admitted that they have inadequate visibility of reporting processes as compared with 68% globally, while 80% of finance managers reported that they find it difficult to control the quality of financial data across the course of their reporting, highlighting that additional attention should be paid to performance management.
However, due to several factors, the situation is now changing. More and more companies across various sectors are finding that they are obliged to ensure that practices are governed by set standards, rules and policies, and that IT, as the gatekeeper of corporate data, is required to lead the way in being able to track compliance with those standards, provide proof of adherence to regulations, and sound the alarm if behaviour strays from the set path.
The discipline known as Governance, Risk and Compliance (GRC) encompasses a range of different areas but generally applies to policies covering corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations. There is considerable overlap between these functions, and while the discipline generally has to encompass the activities of the organisation as a whole, it is the IT, legal and risk management functions that tend to be given responsibility for the management and enforcement of GRC and related policies. From a purely IT perspective, GRC has an impact in two areas - namely, whether the organisation's information technology systems and practices comply with any relevant regulations, and how IT can help track processes across the wider enterprise to ensure compliance.
There are a number of factors driving adoption of GRC standards and solutions across different verticals. According to Megha Kumar, Research Manager - Software, IDC Middle East and Africa, the finance sector has been a leader in GRC, due to the sensitive nature of its processes, and the international nature of the business and the range of global regulations in place. Telecoms is similarly governed by international ITU regulations.
More generally, she says, standards such as ISO are gaining ground in sectors like manufacturing and retail.
"A lot of companies want to go with an ISO kind of certification, just so that it puts forward a level of trust, you will see anyone from retailers, to manufacturers to distributors say that they are ISO certified, to show that they have proper processes in place and that they follow international standards. It creates a lot of credibility for them in the market and with customers," she explains.
Dr Tamer Aboualy, CTO IBM Security Services, Middle East and Africa, noted that governments and government organisations are also paying increased attention to GRC issues, in part driven by a desire to apply higher standards to operations, and in part as a reaction to security incidents. Local standards for IT security, such as those defined by ADSIC in Abu Dhabi, ISR in Dubai and NICS in Qatar, are emerging as a result.
"Governments are now examining their GRC programs; they have also started to understand risk and quickly work towards mitigation," he says. "Governments are also realising the importance of measuring how industry is managing risk. For example, the loss of a sector such as oil & gas, water, or financial services would negatively impact a country's overall ability to function. It is apparent that greater engagement and guidance to various verticals should be pursued."
In terms of tackling the requirements of GRC, the IT department's role tends to be establishing systems that will monitor processes, alert if activity moves outside of accepted parameters, and carry out discovery and retrieval of stored data to prove compliance or investigate any infractions.
There are a number of vendors offering solutions to handle these tasks, both large enterprise IT vendors and smaller niche players.
Simon Claridge, managing director of Modulo EMEA, which has been offering risk management solutions for 20 years, says the company is seeing "phenomenal" growth in demand for its solutions, particularly in verticals such as banking, oil & gas and transportation. Modulo's Risk Manager solution has been designed as an out-of-the-box GRC solution to identify, analyse, evaluate and treat risks across the enterprise. Claridge says that its solution automates key processes related to GRC, and also uses pre-scripted knowledge bases, which means customers can see value delivered within days of implementation.
For larger vendors such as SAP and Oracle, GRC solutions are increasingly being integrated with wider enterprise applications, where processes are already automated and can therefore be monitored against GRC parameters more easily. Paul Devlin, Head of Business Analytics, SAP MENA, says that solutions can be in place in as little as 90 days.
Ease of deployment does not mean that GRC solutions are a straightforward proposition, however. There are many factors on the organisational and management side that need to be aligned for successful GRC adoption.
Devlin adds: "Companies need to be clear about what they want to achieve from a GRC solution and its impact across their business. They should work closely with their internal and external auditors and technology partner to define project successes and milestones. Developing in an agile, phased approach with significant business involvement will typically deliver the most benefits. It is best not to drive GRC purely as an IT project. It needs business input."
Companies also need to be clear on which standards they are trying to comply with, especially if they are aiming for compliance with multiple standards across different disciplines. There are other considerations of GRC strategy as well.