Intreis COO Sheds Light On IT Risk & Compliance

Every day, more organizations are realizing the significance that IT Risk & Compliance has in the success of their business, especially if they function within a highly regulated industry.

In an interview conducted with Morgan Hunter, COO and Co-Founder of Intreis, Morgan discusses what benefits a robust IT Risk & Compliance function adds to a business, the misconceptions that companies have in regards to their IT Risk & Compliance functions, and the future of this space.

Q: How can a robust IT Risk & Compliance function improve a company’s performance?

A: IT Risk & Compliance is in a unique position to bridge the gap between IT and the rest of the business. Having visibility into IT operations, and more specifically the operation of critical business systems, means that IT Risk & Compliance can expose potential business risk well in advance of any potential impact. This visibility, in combination with the wealth of untapped IT data, means IT Risk & Compliance is perfectly positioned to provide not only valuable new insights into a company’s overall risk profile, but also critical data which can be leveraged for strategic decision making.

Q: What is the link between threats that organizations face in IT and the threats that matter to the business as a whole?

A: Most IT threats have a direct impact on the business. The difficulty that IT organizations have is knowing how to translate IT risks into business risks. Often there may not be a meaningful one-to-one ratio between a single IT risk and a business impact, but identification of key risk indicators, viewed in aggregate, can be an extremely accurate way to determine risk. This is where IT and GRC professionals have a huge opportunity to deliver value to the business.

Q: How can a company successfully integrate IT Risk & Compliance with its overall strategy?

A: By doing it. All sarcasm aside, the biggest step to success is deciding that it needs to be done; acknowledging that IT risk data is an important part of understanding your overall corporate risk profile.

Q: What are some of the characteristics of a high-functioning IT Risk & Compliance function?

A: The key characteristics of a high-functioning IT Risk & Compliance function in my opinion are:

  1. It is aligned with, and working in conjunction with, the corporate GRC/risk department.
  2. It invests in the proper IT Risk & Compliance tools so less time is spent on administration and more time can be spent on providing risk insight that is meaningful to the business.
  3. It demonstrates a culture of education, cooperation, and inclusion.
  4. The team is globally integrated, and has a reporting capability that provides visibility into local and global aggregated risks.
  5. Tone at the top, both in IT Risk & Compliance and at the corporate GRC level – the strategic corporate insight function is business critical.
  6. It possesses a strategic planning capability.
  7. A legitimate IT risk management program is in place and ties directly to the corporate risk management strategy.
  8. It has the ability and expertise to translate IT risks into business risks.
  9. It has the skills and discipline to rationalize controls on a regular basis, to ensure the controls are aligned to strategic business goals.

Q: What are the biggest challenges that practitioners of IT Risk & Compliance are facing in 2014 and beyond?

A: There are a few big ones that come to mind:

Scale: The influx of ever more regulations and frameworks is going to push IT Risk & Compliance and IT operations to their limits. IT Risk & Compliance will be challenged to find ways to scale their capabilities to meet these demands. This will require a complete paradigm shift in the way companies approach IT Risk & Compliance. This shift will require that GRC is deeply integrated into IT operations and that controls are consolidated and rationalized to the fullest extent possible.

Data: Data is going to be vastly important. IT has volumes of data; however, in its current state it is unwieldy to extract business insight from. In contrast, Marketing, Sales, and Finance organizations have been using large data sets for years to determine the health of the company and to drive strategy. For these functions, using data for decision making is the norm and it is expected. IT must learn to exploit its wealth of data in the same fashion as other business functions. IT is in a position to provide valuable business insight. The opportunity lies in looking at IT Service Management platforms as the ERM systems for IT. By using those platforms to integrate IT data with business data, the connection between IT risks and business risks becomes readily apparent. To get started on this journey, I’d recommend that IT Operations and IT Risk & Compliance focus on: accuracy and completeness of IT data, and convergence of business and financial data with IT data.

Management of 3rd Parties: Getting in front of the risks and controls associated with emerging technologies and 3rd party service management. Risk & Compliance will need to be more deeply ingrained in the due diligence and selection of technologies and services so business risks are identified and taken into consideration during the selection process, and not as an afterthought. In addition, they will be challenged to manage controls that now reside well outside the traditional corporate IT department.

Q: What do you think a successful IT Risk & Compliance function for Fortune 500 organizations will look like five years from now?

A: Successful IT Risk & Compliance functions will have the following characteristics:

  1. IT organizations will take advantage of integrating IT Service Management and GRC, improving their ability to automate controls and provide real-time compliance reporting.
  2. IT Risk & Compliance will leverage performance-based controls design to improve operational efficiency and regulatory compliance.
  3. There will be a strong emphasis on IT data quality, as it will be critical to corporate risk reporting.
  4. IT Risk & Compliance will be working with a consolidated set of controls that are rationalized on a regular basis.
  5. IT Risk & Compliance will have a place at the table with Corporate GRC.
  6. IT Risk & Compliance will be ingrained into the corporate business and risk strategy.
  7. IT Risk & Compliance will play a critical role in business and technology planning.
  8. There will be a change in the corporate perception of IT Risk & Compliance from “necessary evil” to “business critical”.

About the author

“Life is too short to drive boring cars” - morgan hunter

Morgan Hunter
