In this podcast, Chris McClean, analyst at Cambridge, Mass.-based Forrester Research Inc., discusses how increasingly complex compliance reporting requirements force companies to further examine their risk management and compliance processes. Risk, compliance and security continue to influence one another, and this dynamic has created additional scrutiny around purchasing decisions, company-wide processes and third-party relationships, McClean says.
SearchCompliance.com: What are some of the trends you've been noticing in the governance, risk and compliance (GRC) tools market, especially in regards to compliance reporting requirement features?
Chris McClean: Well, a lot of trends here -- there are lots of things that we could certainly talk about when it comes to tools. One of the things that we've been noticing over the course of the last several years is just the sheer number of tools available. We have some that are relatively well known in this space, but there are dozens if not scores of vendors in this space that are relevant for a lot of different types of implementation. Really, they have different strengths and weaknesses. You see some that are very small, very lightweight and relatively light as far as the cost savings go. We see lots of different options out there. A lot of large companies are starting to get more into this phase, through acquisitions and through building their own technologies as well.
When it comes down to compliance reporting requirements, they're getting more difficult for just about every industry, just about every organization. So, we are seeing that a much wider variety of organizations is coming to us asking questions about GRC tools. It used to be, of course, the large financial services companies, large insurance companies as well. But we're starting to see a lot more small and mid-size organizations that have, frankly, a lot of very complex reporting requirements saying, 'We need something to help us out as well.' So, they're turning to different GRC tools, too.
How has this increased use of third parties to meet compliance and risk management mandates affected how companies approach GRC?
Well, one of the interesting things is it's actually forcing them to have more, I guess, formal conversations about how they conduct their risk and compliance processes. Every company in the world, even the mom-and-pop shop around the corner, does risk management and does compliance, to a certain extent.
For these organizations that are starting to have very difficult and challenging requirements around risk management and compliance, when they do turn to a third party, in terms of a tool to actually help them facilitate these processes -- facilitate the risk assessment process, the control assessment process, compliance reporting and so forth -- it does actually force them to do some planning ahead of time to say, "What exactly is our process? What are the different workflow steps? Who are the people involved? What are their roles or responsibilities? What is the framework that we use toward discussing risk or for talking about our controls and our control objectives?"
One of the things that I've noticed that I think is really helpful, even if you don't eventually go and use one of these technologies, is sitting down with all the different stakeholders and having those discussions, and settling as an organization, "How do we address these things?" It's a really, really helpful trend that I've been seeing, and it's certainly one that has been helpful for those companies.
Does this increased use of third parties increase risk for companies in any way? And, if so, how?
Well, I would say, not just in this domain, but any time there's a reliance on a third party, there is, by definition, going to be an increase in risk. That's true of just about any kind of decision you can make in business. To get some sort of additional benefit, you are also going to expose yourself to more risk as well. You are sharing your information, you're sharing your infrastructure, you're relying on a third party for your delivery of services or your performance of certain tasks and objectives. Any time you do that, you are expanding your risk exposure.
Certainly, in this case, turning to a third party to manage any kind of process or to support you in any kind of process, you have to make sure that you have controls in place for that as well -- making sure that you understand what your contract language should look like. If that third party is doing anything related to revenue generation, to financial reporting, to handling any data that you would consider sensitive, there have to be controls on that. There are certainly benefits: You get a lot of cost savings, you get a lot of performance benefits. But with those benefits, you also have to manage the additional risks that come along with it.
This was first published in May 2012