eGRC Strategy & Collaboration Key to Meeting Privacy & Risk Challenges
- New research highlights challenges organizations face meeting eGRC objectives
- Lack of eGRC strategy and enterprise collaboration largest barriers to achieving eGRC goals
- Nearly 90% of respondents believe enabling technologies are essential to meeting eGRC objectives
HOPKINTON, MA. — May 25, 2011 — EMC Corporation (NYSE:EMC), the world leader in information infrastructure solutions, and the Ponemon Institute, LLC – a leader in privacy, data protection and information security research – today released a study that explores the most immediate issues global organizations face in meeting privacy and risk challenges. Respondents representing global financial services, technology, healthcare and pharmaceutical industries identified the largest barriers to meeting these challenges as lack of a defined enterprise governance, risk and compliance (eGRC) strategy and lack of enterprise cooperation and collaboration.
Lack of Common eGRC Strategy
Surveying an active group of more than six thousand eGRC practitioners, the Ponemon study reveals that eGRC continues to emerge as a top C-Suite priority, yet only 20% of organizations have a clearly defined eGRC strategy that pertains to the entire enterprise, and 33% admit they have no eGRC strategy at all.
“Taking an enterprise-wide approach to governance, risk and compliance by managing information and what that means for all elements of the organization—IT, legal, human resources and all the requisite facets—is no longer a choice – it’s a strategic imperative,” said Tom Roloff, Chief Operating Officer for EMC Consulting. “It is only through a multi-faceted and integrated view of information sources and requisite policies that organizations can satisfy the growing requirements of corporate boards and regulatory agencies for an integrated, centralized risk and compliance strategy.”
Lack of Collaboration
The study also found that while eGRC responsibilities are rapidly spreading from the IT epicenter out to the operations, finance and legal domains, collaboration among and between these critical areas is lagging behind. Only 28% of respondents report that their organizations enjoy frequent collaboration or cooperation among eGRC domains, and 12% admit their eGRC functions still operate in silos.
Just how distributed have eGRC activities become? The Ponemon report uncovers that while governance activities are still most likely located in IT, risk management activities are usually managed within the associated domain. Similarly, compliance activities typically reside in their own corporate compliance function while privacy and data protection management is most likely to be located in the legal department. When it comes to ranking the importance of these fundamental eGRC activities, risk management takes first place at 32%, followed by compliance at 27%, governance at 22% and privacy and data protection at 20%.
“Silos are the enemy of an effective eGRC program,” said Dr. Larry Ponemon, Chairman and Founder, Ponemon Institute for Privacy Research. “These departments deal with related information and business processes around policies, business processes and multiple regulations. Unfortunately, they are not talking to each other, which results in a great deal of waste and inconsistency. Without collaboration across functions – the business is at risk.”
Privacy Emerges as eGRC Collaboration Flashpoint
Regardless of their industry, all organizations report that managing privacy regulations by geography and in accordance with country or state laws is a driving factor in their organization’s move to an integrated program that supports IT, Legal, Operations and Finance. Respondents identified their top two privacy challenges as 1) ensuring data shared with third parties will remain safe and secure and 2) complying with all appropriate regulations.
“Privacy and data protection is a particularly pressing issue,” said Dr. Ponemon. “Today these essential privacy management responsibilities are typically split between the legal and IT functions. While the legal department plays a dominant privacy role overall, IT still holds accountability for implementing controls to address privacy regulations. So you can see why the IT and legal teams need to speak the same language and collaborate like never before to reduce enterprise risks.”
Collaboration at Work
“This research highlights collaboration as both a critical need and a growing exposure point in complex organizations,” said Dan Burks, Chief Privacy Officer and Director of Vendor Risk Management of US Bank. “Organizations that get people to talk together about eGRC and collaborate help ensure their program’s success. Developing risk ‘ambassadors’ within each business line has been an enabling factor for collaboration within our organization.”
“Policy management, incident response, and compliance monitoring are critical for highly regulated and litigious industries, but frequently organizations outside these industries ignore day-to-day business risks, including using e-mail for communications and employee litigations,” said Jeff Bettencourt, Vice President and General Manager, Information Governance Solutions, EMC. “Organizations that truly understand the critical dependencies across domains and can align policies, processes, and technologies gain greater visibility and control to more effectively manage risk across the enterprise. This can be a key competitive advantage.”
Looking ahead, nearly 90% of respondents believe enabling technologies are essential or very important to achieving eGRC objectives. The applications that are most likely to be deployed to facilitate eGRC-related activities include risk assessment (81%), policy management (75%), controls assessment (73%), incident response and management (68%), and compliance monitoring (63%).
About EMC's eGRC Portfolio
The EMC eGRC portfolio of technology, business solutions and professional services provides an integrated solution to help organizations manage risk and compliance requirements across the enterprise on a consistent, ongoing basis. To learn more about the EMC eGRC portfolio, attend an Active eGRC Seminar in a city near you: www.emc.com/egrcseminar.
About the Ponemon Institute
The Ponemon Institute© is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.
About EMC
EMC Corporation is a global leader in enabling businesses and service providers to transform their operations and deliver IT as a service. Fundamental to this transformation is cloud computing. Through innovative products and services, EMC accelerates the journey to cloud computing, helping IT departments to store, manage, protect and analyze their most valuable asset — information — in a more agile, trusted and cost-efficient way.
EMC, RSA and RSA Archer are registered trademarks of EMC Corporation in the United States and/or other countries. All other product and company names herein may be trademarks of their respective owners.