Second-Generation GRC Solutions Can Help Drive IT Efficiency

Hard to believe it's been 10 years since the days when IT controlled its own destiny (and budget), isn't it? Those who were around back then no doubt think of that era fondly. It was a time when CIOs held a place at the executive table and the rest of the business looked to IT to provide them with their next strategic advantage - hang the cost! Those who have come along since then can only imagine what it's like to have virtually unlimited resources at their disposal and the ability to bring in a new application without first having to write an extensive business case justifying the need for it.

Today it's all about optimizing the business. IT is being charged with finding ways to simplify and automate business processes, making them both more reliable and less expensive to operate. It's a never-ending process, and as time goes on, the demands get greater. Yet while IT has largely been successful to date in helping other parts of the organization save time, money and effort, the same cannot be said for itself.

In other words, while IT has been busy driving business value by eliminating repetitive, manual tasks from the rest of the enterprise, it has allowed its own house to continue to be plagued with them.

Much of IT's time these days isn't being spent on searching out new innovations or making recommendations on business process improvements. Instead, depending on who you talk to, anywhere from 70% to 90% of IT's time is currently devoted to keeping the business running.

It's no wonder that IT and the people who run it are no longer viewed as change agents by C-level executives. After all, it's tough to focus on steering the ship when most of your time is spent plugging leaks and bailing water. Even tougher when the number of resources available has been reduced to the bare minimum required to keep the ship afloat. With little time to spend on innovation, IT can actually become an obstacle to it in the eyes of business leaders.

To get out from under that situation, what IT needs now is to bring the same type of task automation it has installed throughout the rest of the enterprise into its own area. But how can that happen when funding is already being stretched so thin?

The answer lies in an unlikely place - the enterprise's governance, risk and compliance (GRC) efforts. Whether it is being mandated by law (as with public companies) or being demanded by management (as with private companies that want to protect themselves from financial and legal harm), GRC has become a high priority in many small, medium and large enterprises.

The reason the GRC effort seems an unlikely place to drive efficiency is that traditionally it has been a major contributor to the raft of manual tasks IT is asked to perform. Tracking accountability and segregation of duties (SOD), reporting on the results, and preparing for audits normally require a great deal of manual effort. While there have been products available since the introduction of Sarbanes-Oxley (SOX) that could automate pieces of this process, they were too cumbersome and expensive to be of much use to most enterprises. And getting them approved by the C-suite took an effort just short of an act of Congress.

Today, however, the introduction of second-generation GRC software solutions is changing this situation. Their ease of use and low cost of entry are making it possible for IT to start automating repetitive tasks (such as transports, user security provisioning and batch management). They are also changing the way actions are tracked, to the point where the act of performing a particular task automatically creates the record that it has been performed rather than having to log it separately.

While this is good for confirming SOD and for showing that the enterprise is complying with the law and/or best practices, it is also having another effect: helping IT to do more with less, thereby making more time available for higher-value contributions to the enterprise.

Freed from the burden of unending maintenance, IT can actually take the time to sit down with business leaders (or business unit leaders) and ask them about their needs, their goals, where they want to take the business. IT will also have the time to research various technologies and bring back recommendations that are aligned with those business goals. IT will even be able to make those recommendations without fearing that it can't deliver the benefits when the business wants them, because the time and resources that used to be spent just keeping things running will now be available for more strategic initiatives.

With a reduced maintenance burden, CIOs and other IT leaders will have more time to take a step back in order to look for ways to improve the business rather than constantly being stuck down in the weeds. The auditing and controls required for GRC are just as effective for identifying bottlenecks in data flow and areas where improvements in business processes can be made. Armed with this information, IT can show management new strategies that will make the business more competitive by lowering costs, eliminating barriers to success, and reducing mistakes.

In short, IT will be able to look at the business from another point of view and provide a unique perspective that may be missing from the current executive mix. Rather than being viewed as a cost center, IT will once again be seen as a vital contributor toward the success of the business.

None of this happens, of course, until IT follows its own advice about efficiency through automation. That's where the banner of GRC can help.

Presenting second-generation GRC software as a means to improve compliance can help sell it in. IT can then take advantage of its capabilities to reduce maintenance requirements and start earning a place at the table again - but this time by replacing vague promises with tangible, added value to the business. When that happens, everybody wins.