
Informatica Enterprise Data Management

What is 'GRC,' and How Can It Bring the Enterprise Together?

Joe McKendrick

We all know how mandates such as Sarbanes-Oxley place a burden on many businesses by requiring that they be able to document the reliability and quality of their data. Most major mandates, which have now been in place for several years, have given rise to a whole industry dedicated to reporting. In many companies, the equivalent of a small department has been kept busy 52 weeks a year doing little more than generating reports and reviewing data to meet compliance requirements.

Obviously, things can't go on like this. Rather than spending money simply to keep meeting requirements, many companies are seeking to integrate compliance into their day-to-day operations in a more automated, systematic form. In doing so, they seek to go far beyond meeting the letter of the law and take the opportunity to improve and streamline their own processes - which will pay off in battling the challenges of an increasingly competitive marketplace.

By eliminating the silos that have separated data across the enterprise, as well as the silos that have pigeonholed the compliance efforts intended to gather and report this information, organizations can make impressive strides in moving forward with greater agility. In the process, automation can reduce the burden of paperwork and manual processes that drive up the costs of compliance.

Such "sustainable" compliance management can be built on top of three disciplines that already exist within most businesses today: governance, or the oversight of corporate activities and processes; risk management, or the identification, assessment and monitoring of risks and controls; and compliance management, or demonstrating adherence to laws, regulations and internal policies. This integrated approach - known as Governance, Risk, and Compliance Management, or GRC - combines its three namesake disciplines into a more holistic effort to increase information visibility and management.

Most importantly, GRC brings together teams of people that normally would not be working with each other. The distinct categories of governance, risk management and compliance were often run by separate groups of specialists. Companies increasingly recognize that there needs to be a single focus - that finance, IT, security and operations teams need to be engaged in a common purpose of bringing greater flexibility and transparency to the way data is managed and dispersed throughout the enterprise.

Because the ultimate goal of GRC is to deliver higher-quality information, there's an important role for IT and data managers within the process. In fact, while many early GRC initiatives were led by auditing and finance departments, IT and data management are increasingly taking on a leadership role. Forward-looking companies are encouraging greater interaction between their IT and finance departments to devise strategies and to automate and streamline the compliance reporting process. This is where the governance aspect comes into play, as managers from various functions need to be brought together to address compliance management.

As Lee Dittmar, a principal with Deloitte Consulting LLP, and a thought leader in GRC, observed: "As leaders strive to meet the raised bar on corporate governance, to achieve better risk mitigation and to meet increasingly complex compliance challenges, a common element is recognized as being critical: high-quality information. They need the right information, at the right time, at the right place, and in the right form. They need relevant, timely, accurate, transparent, and reliable information."

This requirement for higher-quality information "puts intense focus on IT's role as a key enabler for improving GRC connectivity - helping uncover its collective synergies and boosting support of stronger, more efficient businesses," Dittmar adds. "Yet CIOs and IT managers find themselves still wrestling with organizational fragmentation and resistance issues, such as ongoing complexity in the corporate silos and continuing manual processes. It's difficult to create a more ideal environment, in which decentralized units are bridged and systems and controls exist on a common platform when they're not free to fully explore all of the possible interrelationships and common dependencies inherent in GRC."

In fact, Dittmar relates, eight out of ten decision makers in a Deloitte survey still had misgivings about their ability to better leverage their companies' financial information in forward-looking planning and strategy. "This analytical ability to gain insight from experience is needed to drive better modeling, planning, and forecasting," he said.

Last year, as part of my work with Unisphere Research, I conducted a study of members of the Oracle Applications User Group (OAUG) to assess the depth of IT and data managers' roles within the emerging GRC process. The survey found plenty of awareness of GRC as a unified concept - four out of ten respondents were aware of GRC. At least 40 percent had some adoption of GRC principles taking place within their enterprises, a figure that rose to 60 percent among the largest companies.

Not surprisingly, time, paperwork, and money were seen as the greatest obstacles to GRC initiatives among the companies studied. Half of the respondents still relied on manual tools and procedures to meet GRC objectives. The main applications of choice to handle GRC processes included word processing documents and spreadsheets. Even though most respondents to the survey were fairly enlightened about GRC, they reported that it had yet to be embedded with ongoing business processes - and was still treated as a one-off activity.

AMR Research estimates that the entire GRC market will total about $32 billion this year, up more than seven percent over 2007 levels. John Hagerty, AMR analyst, reports that most of this spending is going to labor and implementation costs, versus software and systems.

Thus, it's no surprise that for most respondents, time - or the lack of it - is the main burden placed upon them in supporting compliance activities. Staff, for example, must be allocated to ongoing compliance reporting. The OAUG study, in fact, found that most large companies assigned between four and five full-time employees to manage their compliance processes. Another 29 percent said GRC processes impose additional cost burdens on their organizations - including increased costs for labor, contractors, and overtime pay to handle all the additional reporting and interfacing between business units.

Approaching GRC with manual tools and processes, of course, doesn't promote long-term sustainable compliance or business value. The result is duplication of effort and ineffective risk management. Instead of automating repeatable processes, organizations end up constantly rebuilding and throwing money at the same reports over and over again. Every quarter when compliance reports are due, new efforts need to be geared up. An integrated and automated approach to GRC turns to technology to make the process more transparent and seamless.

As Dittmar reported, GRC brings to light the need to be able to transform overwhelming amounts of data coming in from all corners of the enterprise into "information that serves as a strategic asset of the business."


  1. A very good article. As your final paragraph so aptly states, converting disparate data into "information that serves as a strategic asset of the business" will surely be the goal of many enterprises once the inevitable tightening of worldwide financial regulation kicks in.

    As a provider of one of the world's leading content management systems, we address these challenges with clients on a daily basis, and it is clear to us that the organisation of information has progressed from simply being a matter of good process into the realms of Risk Management.
