Has IoT increased demand for GRC?

MUMBAI, INDIA: Cyberattacks are originating from connected devices or Internet of Things (IoT), leading to increased demand for governance, risk and compliance (GRC) solutions.

Internet security firm Proofpoint, last year discovered a global cyber attack launched from more than 100,000 consumer gadgets like routers, television sets and a smart refrigerator. Proofpoint said that the attack targeted more than 75,000 emails from more than 100,000 appliances commandeered by Thingbots or robotic programs that can be remotely installed on digital devices.

With IDC predicting more than 30 billion connected devices in the world by 2020, digital businesses are a recent trend that need GRC, asserts French Caldwell, Chief Evangelist, MetricStream.

GRC is a platform that orchestrates between role-based applications that can communicate with each other.

According to Caldwell, GRC is becoming a larger part of the business revenue because the present challenges are associated with internal fraud in digital business, and there is a need to monitor personal activity.

Another key risk, he says is the easy availability of a user’s location on apps and the tremendous amount of data being collected which is a significant risk to privacy.

What else is driving GRC?

Risk: Two main business risk concerns of CEOs and CFOs according to most surveys are:

·        IT risk or cyber risk

·        Regulatory uncertainty- not knowing what rules and regulations to comply with and to what extent

With new regulations in place enterprises first want to see whether regulators enforce them and to what level. Once that is sorted, they will look at software to help them comply.

For instance, companies realized the importance of GRC in 2002 with Sarbanes-Oxley and started implementing it by 2003 and 2004. Other countries too started implementing regulations like Clause 49 in India, JSOX in Japan, European Union Public law 8.

It became imperative to find a common system to document reports and controls from all quarters of the company to correlate at a later stage with minimal errors.

The primary use cases for compliance in an enterprise are:

Enterprise risk management

Operational risk management

Audit management

IT risk management

SOX

Vendor risk management

Enterprises, therefore started looking at GRC, not as software took, but a program, providing coordination between all the risks and compliance procedures within a company.

Lack of automation: Caldwell informs that of the total software license sales, new license revenue for the market was $3 billion last year. But the total addressable opportunity is more because many companies have still not automated the processes. All estimates about what the market is ranging from $30 B – $ 100 B are optimistic if looked at only from risk and compliance standpoint.

But if you look at it from a business performance standpoint, it is huge and opens the possibility of being compared to the ERP market.

It is now the duty of the GRC professionals to focus on getting people out of the spread sheet chaos.

Why is GRC important?

Caldwell enumerates the benefits.

GRC automatically collates information and creates a common system of record and come up with a common set of controls and policies across multiple organizations.

It helps to understand different jurisdictions and map a common policy to the law with only a few exceptions pertaining to the respective country. It helps in the reduction of controls and cost of compliance which is a significant business benefit.

A Gartner survey says that about a third of GRC users are linking risk to performance. GRC helps in strategic planning and decision making- mapping daily operational performance and the risk involved in these activities.

Process oriented mapping of KRIs to KPIs can drive improved business performance.

The influencers:

The main buyers who demand an investment in a GRC tool are individual groups within the organization who put in demands for an application for a specific tool to help them; eg, procurement wants vendor risk management, or audit wants audit management.  However, that group is also influenced by other groups who are looking for a GRC application.