CA on Governance, Risk and Compliance (GRC)
- Insights and observations on happenings in the GRC market
CA's Sumner Blount reports live from CA World on "Best Practices in Complying with Industry-Specific Regulations" customer panel.
I attended the first GRC session today at CA World on “Best Practices in Complying with Industry-Specific Regulations.”
The panelists were all risk and/or compliance managers from a retailer, a public health agency, an insurance company, and an energy/utilities consulting firm.
Each company had faced some interesting compliance problems, many of them common across these companies.
In particular, one manager was hired the day after her retailer suffered a credit card breach, so she had her work cut out for her.
It was interesting how common many of their challenges were. In particular, many mentioned the benefit of having a “single source of truth,” where all their risk and compliance information was stored. In one panelist’s words, GRC helped them “get everything in one place.” When asked how many spreadsheets existed that were tracking compliance, their responses were 15, 25, and “more than I can count.” So, everyone was very pleased with the simplification that having a centralized repository helped create.
But, they emphasized the importance of having a governance structure to ensure that information silos didn’t creep in, even after the GRC information had been centralized. There was agreement that GRC doesn’t prevent the use of spreadsheets, but it helps to ensure that those spreadsheets are used for reporting, rather than for transactions. In other words, the information is known to be a temporary copy of the original, “good” data, not a replacement for it.
Although these panelists all had different regulatory requirements (ranging from HIPAA to PCI to NERC (energy)), everyone agreed that using a GRC approach had allowed them to rationalize controls across regulations, so when a new one came along, creating controls to meet new requirements was vastly simpler than before their GRC implementation. In those days, they generally had to create a separate team to deal with each new regulation as it came along.
The last point of agreement was the need for companies to view GRC as helping to solve a business problem, not just an IT problem. Although IT is clearly a key player, the impact and benefits of unified GRC go across the entire organization, helping to simplify and reduce the costs of many areas of the business, not just IT.
There is a lot of interest here in our first-ever GRC track at CA World. Watch our blog for more observations on key trends and insights as the event continues.