“IT GRC is a necessary evil”



Intreis Myth Busters are on a roll! We just wrapped up ‘Compliance Myth #3 – “Compliance applies mostly to larger companies”’ and are moving on to our fourth myth. Let us tell you what is wrong with the statement: “IT GRC is a necessary evil”.

One of the biggest misconceptions about IT Governance, Risk, and Compliance (GRC) is the attitude that “the GRC function is a necessary evil.” It seems benign at first blush, but this reluctant acceptance of GRC tells me some very important things about the effectiveness of a GRC program.

This company…

    • …is missing out on a huge opportunity to improve IT operations because they don’t understand how GRC can be used to improve IT performance and reduce costs.
    • …has not learned to leverage GRC to gain valuable risk and business insight.
    • …is likely not investing in GRC to drive actual improvements and efficacies within Audit.
    • …has a corporate “culture” that says, “Spend as little time as possible on IT GRC,” which ironically results in spending way more time than you would if you were operating thoughtfully and strategically.
    • …has a poorly thought-out GRC program. This will be especially apparent in global organizations, where you will often see loosely connected auditors (if they’re connected at all), with no formal organizational structure, no aggregated data, and no consolidated risk reporting.
    • …has a lack of perceived value in GRC, which results in a lack of cooperation between Senior Management, IT Audit, and IT operations.

It’s time to stop reluctantly accepting GRC and show GRC who is boss. Expect more. Demand results. Use it to do your bidding. GRC should be run like any other part of the business: with strategy, planning, investment, visibility, and metrics. Governance, Risk, and Compliance is a powerful tool that you can pick up and wield to grow a profitable, scalable, and agile business. It is the companies that understand this that will ultimately rise above their competition.

Have a Compliance Myth that drives you up the wall? Tweet it to us or email us at . Next time we’re going to discuss whether or not the ‘right’ policies and procedures can make you compliant.



About the author

Morgan Hunter

