« A Private Cloud For Higher Education | Main | Community Tools For The New Data Scientist »

February 01, 2011

Investing In Risk Management As A Core Competency

One view of an IT function is breathtakingly simple: give people the capabilities they need to run the organization effectively.

Whether that capability is order processing, collaboration, business intelligence, logistics management, et. al. -- the primary job of IT is to deliver thsoe information-based service in an efficient, effective and flexible fashion.

Is getting better at understanding and managing different forms of risk important for people across the business?  

It's hard to argue otherwise.  One could make the strong case that the more risk-based information you can intelligently expose to leaders and managers, the better their decisions regarding risks will be.

And -- in a nutshell -- this is the rationale behind EMC's eGRC strategy announcement today.

Thinking About Risk Management As A Core Competency

It's easy to pigeonhole the risk management discussion in overly simplistic terms.  But even a quick synposis shows a very expanded landscape.

First, the potential sources of relevant risk can come from across the spectrum: from geopolitical and macroeconomic to more prosaic technical and HR-related sources.  We're not just talking specific IT-related risks here.  Indeed, new forms of risk routinely come to the table, which -- ideally -- would be managed in a consistent manner.

Second, the consumers of this risk management information are frequently scattered across the enitre organization: finance, legal, operations, IT and more.  Put differently, it's rarely the case that just one small group cares about managing risks.  It's best thought of as an organizational capability, like collaboration or business analytics.

Third, there's a strong desire for an integrated "dashboard" view -- if my role in the organization requires me to manage risks intelligently, give me that big-picture-plus-drill-down I need to get my job done.  

Please do not make me pore through dozens of different reports, spreadsheets, emails, phone calls, update meetings, concalls, webexes, etc. to get my job done.

Fourth, there's workflow to consider: any effective risk identification and mitigation activites usually involve a strong aspect of collaborative workflows between different functions, e.g. a business unit, HR and perhaps legal.  Or finance and IT.

Here's the point -- EMC believes that many organizations will benefit from delivering an interal eGRC (enterprise governance risk and compliance) capability as-a-service across progressively more and more business functions.  It seems inevitable.

We think that delivering this enterprise eGRC capability will be one of the newer attractive  areas where IT can create exceptional new value for the organization.  

CIOs and other IT leaders looking to make an significant impact: please take note.  If you think about -- who doesn't want to get better at identifying and managing risks?  And who wouldn't want a useful capability from IT to do just that?

That's the motivation behind today's announcement: share our strategy and vision, and deliver a positive progress report against that vision.

The EMC Perspective -- At A Glance

I"m a bit reluctant to share this slide, simply because most people with an IT background will look at these terms and instantiate them in specific IT terms.  Please resist that temptation -- the concepts are broader than just IT stuff.

EMC eGRC slide 1 For example, take "Security Management".  Yes, there's all the usual IT disciplines in there, but also things like physical security, employee security and more.  Think broadly, and you'll have a more accurate picture of exactly what we're targeting here.

The same discussion ensues for "Business Continuity" -- we're not just talking about recovering IT capabilities, we're talking about any risk than can impact ongoing business operations: weather, political unrest, and more.

Going farther, the concept of "Information Governance" expands beyond simple archiving and retention policies -- for example, right now, is someone trashing your brand on Twitter?
Yes, we're using IT to identify and manage risks -- but not all risks are IT risks in this expanded world.

The real magic comes from integrating these disciplines around a tangible business solutions: one that's either very role-specific, industry-specific -- or, more frequently -- an interesting combination of both.

Before, During And After The Fact

EMC eGRC slide 2 In an ideal world, the primary rationale would be to prevent situations where significant risks are either unrecognized, or not acted upon properly.  But there's more to the motivation than simply an early warning system.

You may have noticed that an increasing amount of organizational effort is being spent on audit-related activities.  Audits now touch just about every part of every organization.  

Their depth, complexity and frequency seem to be increasing over time.

Doesn't it make sense to invest in a capability to minimize the organizational impact of an audit, and maximize the results?  That's another goal of eGRC as well.

Finally, there's the after-the-fact discussion.  If there's a big problem, it's likely that there will be formal investigations into root cause and -- ultimately -- blame and accountability.  Having a reasonable eGRC framework (and associated processes) in place strengthens the inevitable defense that all reasonable steps had been taken ahead of the issue.

Yes, The Cloud Enters This Discussion

Many IT-intensive businesses are seriously considering variations of cloud-like models: whether they use internal resources, external resources or a hybrid combination of the two.

Risk identification and management quickly becomes the #1 topic in this world -- it's not just security, it's service level management, compliance and a bunch of related concerns that spell R-I-S-K to many folks.

We've got early anecdotal evidence that having a good eGRC capability in place can accelerate IT transformation by placing these cloudy risks in the exact same framework as every other form of risk that business leaders have to understand and manage.

Knowledge is power.

Archer -- A Platform For eGRC

One quickly realizes that no single set of point-products will adequately address this challenge -- a platform approach is preferred.

EMC eGRC slide 3 The nucleus of the EMC eGRC platform is Archer -- easily one of the de-facto standards in eGRC today.  

At a high level, it's about making connections across multiple technology and functionality domains to present a single, comprehensive and actionable view.

Already, there's strong integration across the broader EMC RSA portfolio (think enVision SEIM for an example) as well as popular third-party products (Approva as a recent example).  

Much in the way many organizations have pursued an integrated platform strategy for, say, ERP and CRM, one could make the case that eGRC will require a similar approach.  

EMC eGRC slide 4 But the real power of a platfom also lies in the ability to bring people together as well.  A compelling aspect of the Archer approach lies in its broad and vibrant community of GRC practioners who contribute greatly to both the product as well as sharing their expertise with others.

The Road Ahead

As part of my role here at EMC, I'm always fascinated by IT evolution: how the IT function is transforming rapidly to create entirely new forms of value for the organizations they serve.

Yes, the technology is certainly fascinating.  

But it's what people do with all that technology that really gets me fired up.

My personal "hot button" list for IT value creation already has a few notable pillars.  

Using cloud concepts to transform IT into a service provider model.  Adopting next gen development frameworks to re-construct our application portfolios around modern requirements.  Meeting the needs of demanding mobile knowledge workers with new devices and new experiences.  Creating new organizational capabilities around social collaboration, on-demand analytics and other broad-reaching strategic capabilities.

I think I can now make a case to add eGRC to that list.

So, What Do You Think?

Do you already have a strong eGRC capability in your organization?  If you do, is it seen as creating substantial value?

If you don't have this capability yet, can you see the rationale for doing so in your own world?  What would be the forcing function for making the investment?

I'd love to hear from you ...

Posted at 12:10 PM in Being An Informationist, Big Ideas (hopefully ...), EMC Viewpoint, information governance, IT Leadership |

|

Comments

The comments to this entry are closed.

Chuck Hollis


  • Chuck Hollis
    SVP, Oracle Converged Infrastructure Systems
    @chuckhollis

    Chuck now works for Oracle, and is now deeply embroiled in IT infrastructure.

    Previously, he was with VMware for 2 years, and EMC for 18 years before that, most of them great.

    He enjoys speaking to customer and industry audiences about a variety of technology topics, and -- of course -- enjoys blogging.

    Chuck lives in Vero Beach, FL with his wife and four dogs when he's not traveling. In his spare time, Chuck is working on his second career as an aging rock musician.

    Warning: do not ever buy him a drink when there is a piano nearby.

    Note: these are my personal views, and aren't reviewed or approved by my employer.
Enter your Email:
Preview | Powered by FeedBlitz

Search

Useful Pages

Recent Comments

Categories

Archives

More...

Subscribe to this blog's feed

General Housekeeping

  • Frequency of Updates
    I try and write something new 1-2 times per week; less if I'm travelling, more if I'm in the office. Hopefully you'll find the frequency about right!
  • Comments and Feedback
    All courteous comments welcome. TypePad occasionally puts comments into the spam folder, but I'll fish them out. Thanks!