Top Executives Say GRC Programs Must Better Align to Strategic Priorities to Meet Board Needs
RSA Convenes Top Corporate Leaders in Governance, Risk Management, Security and Compliance at Inaugural RSA Archer GRC Executive Forum; Results Affirm Carnegie Mellon CyLab 2012 Governance Report
RSA, The Security Division of EMC (NYSE: EMC) released key findings from the RSA Archer GRC Executive Forum it hosted recently, where governance, risk and compliance (GRC) leaders from 34 leading corporations discussed enterprise risk management strategies and best practices. A dominant theme from the forum's executive participants was that corporate boards of directors are taking note of GRC demands and are now looking for greater visibility into the risks that could negatively impact their organizations. Corporate boards are also looking for assurances they're basing risk decisions on trusted information—risk assessments validated by multiple sources within their organizations. To provide corporate directors the visibility and trust assurances they're looking for, forum participants said GRC programs must mature from compartmentalized risk efforts, demarcated by function, geography or business unit, to a unified view that facilitates enterprise-wide risk management and compliance.
RSA released a key findings document from the executive forum. The findings affirm the results of the recently released Carnegie Mellon 2012 CyLab Governance Report, which also found rising interest in GRC among corporate boards of directors, as well as increased pressure to gain enterprise-wide views of organizational risk.
Key findings and recommendations from the RSA Archer GRC Executive Forum include:
- Risk Management Rises to a Board-level Concern – Mounting regulatory and other compliance obligations compel corporate leaders to push for heightened visibility into risks facing their organizations. As a result, GRC program executives represented at the forum report they're spending more time reporting to the board on these topics. Further, corporate directors are concerned about the accuracy and integrity of GRC information and seek assurance that the organization is making sound risk management decisions based on trusted, reliable, representative information.
- Aligning GRC Goals to Business Priorities Is a Top Priority – Forum participants observed that business executives view GRC more as a comprehensive risk management program than a specific discipline. Successful GRC program owners are adopting the strategic priorities of their stakeholders, and the associated vocabulary, in describing how their GRC program efforts reinforce successful risk management in their enterprises. One participant noted, "Our executive team understands the issues and challenges when we talk about operational risks, not GRC."
- GRC Programs Must Get a Big-picture View of Risks – GRC program owners at the forum reported risk in their enterprises today is still largely managed in silos. This compartmentalized view makes it hard to make enterprise-wide risk assessments and prioritize mitigation efforts. Many GRC program owners are growing the maturity of their risk programs from a siloed, to a unified approach—a critical stage that one expert characterized as a "make or break" moment for maturing enterprise GRC initiatives.
- Invest in Unifying GRC Processes and Frameworks – Forum participants agreed that time and energy spent aligning organizational stakeholders to a shared framework for describing and assessing risks is a worthwhile investment. When done right, these shared frameworks provide the freedom for individual stakeholders to meet their own risk management needs, serve as a unifying force to take collective action, and enable the rolled-up views demanded by executive leadership.
- Measuring GRC Benefits – GRC program owners said they were under pressure to demonstrate to corporate executives and directors the ROI for their GRC programs. While convinced of the return on their investments, members struggle to quantify the value when the benefits are dispersed across a wide range of stakeholders (in efficiency and improved risk-based decision making) but the costs are centralized and visible.
"As regulatory requirements grow and business risks continue to multiply, GRC becomes more and more challenging, yet more critical to complex enterprises," said Martin Goulet, director, GRC solutions, RSA. "The RSA Archer community is made up of a diverse and dedicated group of GRC professionals who often collaborate to tackle these challenges. This executive forum brought a cross-section of that community together to address pressing GRC issues, as well as share best practices based on real-world situations. This level of sharing is invaluable to both RSA and its customers, and we look forward to continuing this very successful event."
About Forum Participants
RSA Archer GRC Executive Forum participants represented a wide variety of industries, including healthcare, finance, telecommunications, media, and insurance. They come from functions as diverse as corporate compliance, audit, and IT security. Most have at least five years of GRC program executive experience, and several have led multiple enterprise-wide GRC program efforts.
- Download the RSA GRC Executive Forum Key Findings Report
- Download Carnegie Mellon – Governance of Enterprise Security: CyLab 2012 Report
- Download the presentation by report author Jody Westby on 'How Boards & Senior Executives Are Managing Cyber Risks'
- Get more information on the RSA Archer eGRC platform
- Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and the RSA Speaking of Security Blog and Podcast
EMC Corporation is a global leader in enabling businesses and service providers to transform their operations and deliver IT as a service. Fundamental to this transformation is cloud computing. Through innovative products and services, EMC accelerates the journey to cloud computing, helping IT departments to store, manage, protect and analyze their most valuable asset — information — in a more agile, trusted and cost-efficient way. Additional information about EMC can be found at www.EMC.com.
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.EMC.com/RSA.
RSA, Archer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other company and product names may be trademarks of their respective owners.