IT governance best practices are critical for business success

The IT Policy Compliance Group offers some best practices for IT governance, risk and compliance, or IT GRC

IT Best Practices Alert By Linda Musthaler and Brian Musthaler, Network World
May 26, 2008 12:03 AM ET
Every year, the Society for Information Management conducts a survey to determine the top issues of CIOs from every major industry and from all sizes of companies. In 2006, a new concern popped up on the top 10 list: IT governance. 

The timing of this issue making the list is not surprising; it closely follows the forced compliance with the Sarbanes-Oxley Act, as well as other regulations such as HIPAA.

“SOX” was enacted in 2002 in response to the numerous corporate and accounting scandals of the day. SOX spurred an increased focus on corporate governance, risk and compliance (GRC) with laws and regulations concerned with business oversight. GRC encompasses the people, processes and technology that organizations invest in to comply with regulations and manage risk as part of running the company effectively and ethically.

To put it another way, GRC connects the dots between the regulations and mandates that touch almost every organization today.

Information technology governance, risk and compliance, or IT GRC, is the offspring of GRC. IT GRC augments and complements GRC by addressing the unique role that IT plays in organizations today. IT GRC helps to ensure that IT supports the needs of an organization while also mitigating the risks associated with IT. This is crucial, given that the livelihood of the organization is intricately linked to how well the IT function manages the availability, integrity and confidentiality of the information and systems used to operate core business processes.

In an effort to correlate business results to the level of implementation of IT GRC within organizations, the IT Policy Compliance Group performed a study of more than 2,600 companies and published the findings in its 2008 annual research report titled “IT Governance, Risk and Compliance – Improving business results and mitigating financial risk.”

The most important finding cited in this report is that “organizations with best business results are the same firms with the most mature [IT GRC] practices and the organizations with the worst business results are the same firms with the least mature [IT GRC] practices.” The key takeaway from the report is this: “The way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources.” In other words, you’d better practice good IT GRC if you want to have a successful company.

The report points to impressive statistics that show that improvements to data protection and compliance are paying big dividends among firms with the most mature IT GRC management practices. For example, the organizations in the study with the most mature practices also have:

• Consistently higher revenues (17% higher than the other firms in the study).
• Much higher profits (14% higher).
• Better customer retention rates (18% higher).
• Dramatically lower financial risks and losses from the loss or theft of customer data (96% lower).
• Much lower spending on regulatory audit (50% lower).

Linda Musthaler is a principal analyst with Essential Solutions Corporation.
