Written by GRC Practice Director, Alex Hollis
Different regulatory assessments require you to tick different controls off a list and demonstrate your compliance. And depending on those requirements, the assessment will be performed and completed in different departments within your organization.
The trouble is that often there is overlap in what’s being asked of you. For example, the requirements of ISO27001 (A7.1.1) and PCI (requirement 12) will both ask you to perform the same background checks on your staff. But if these assessments are completed by different functional heads, you won’t necessarily know that the checks have been performed, which leads to duplicated effort (and an annoyed HR department, whose workload is being added to unnecessarily). According to experts, duplication rates of up to 30% are not uncommon for companies without data quality initiatives in place.
The problem only intensifies for organizations with strict backup policies, which store greater volumes of data. Here the figure is estimated to be as high as 80% of all corporate data being duplicated.
Helping over 450 organizations with their Governance, Risk, and Compliance (GRC) requirements, we’ve seen our fair share of unnecessary complexity. Organizations evolve organically, and people satisfy what’s being asked of them in the best way they know how. But it’s rare that anyone ever stops to look at their business in its entirety, considering the interdependencies and areas where efficiency gains could be made.
With Governance, Risk and Compliance, you have to take that step back to consider the control frameworks you need to define. If you look down on your whole business, suddenly you have the oversight to say that control 1 (e.g., staff background checks) satisfies the regulatory requirements within A, B and C (e.g. ISO27001, PCI, and GDPR). With that oversight, you now know how to streamline your operations and boost your efficiency.
Most organizations try to ensure their compliance with technology: they need to be ISO compliant, so they use system A; they need to be PCI compliant, so they use system B; now they need to be GDPR compliant, so they use system C.
But now you have three separate systems that essentially do the same thing – they each solve a different flavor of the same compliance problem. And by purchasing three separate systems, with the associated implementation, training and maintenance, you’ve duplicated (and therefore wasted) time, effort, resources, and money.
As your organization evolved organically over time, each business function looked at the risks in isolation. It caused you to constantly add new controls to mitigate each risk. But what you couldn’t see was that many of these controls were unnecessary, costly, and ultimately tied your business down. Without this oversight, your personnel are constantly asking for the same information, which disrupts ‘business-as-usual’ activity, generates friction within your organization and slows it down.
In addition, operating with this blinkered approach of mitigating every risk and ticking it off the list means you’ve lost sight of the bigger picture – do you even need the control in the first place? Every organization, and every department within it, has a different risk appetite. Therefore, with every control, you need to assess and decide whether the level of risk being mitigated is sufficient to warrant the investment in that control.
To avoid this costly duplication, you need to be prepared to stop and take stock of the situation. You need to look down on everything that’s required of your organization and commit to a framework that satisfies all the requirements – and sometimes make the tough/unpopular calls not to implement certain controls.