by Lynn Greiner

Compliance Spending May Be Unpopular, But Offers Benefits Besides Security

Aug 11, 2008 | 5 mins

Compliance, IT Governance, Security

Spending now could not only result in better security and compliance, but ultimately higher profits, lower expenses, and improved customer satisfaction and retention. That would paste a smile on the face of the most frugal of CFOs!

Security and compliance spending is often viewed as a necessary evil by CFOs, whose endless quest for cost-cutting opportunities is the bane of every CIO. Even the threat of an expanded risk profile is sometimes not enough to loosen the purse strings.

But what if some spending now could not only result in better security and compliance, but ultimately higher profits, lower expenses, and improved customer satisfaction and retention? That would paste a smile on the face of the most frugal of CFOs, not to mention making him or her look like a hero to the Big Boss.

According to a report from the IT Policy Compliance Group (IT PCG), those are the results to expect from moving up the IT governance, risk and compliance (IT GRC) maturity scale.

The five-category maturity scale (or six, if you count Level 0, non-existent procedures and processes) runs the gamut from basic ad-hoc processes through the completely optimized, money-saving top level, and maps to the standard capability maturity model (CMM).

Presented at the 2008 Symantec Vision conference in Las Vegas (Symantec offers a compliance process automation suite that assists in moving up the maturity scale), the report discusses findings from several waves of benchmarking surveys conducted over the past two years; the most recent looked at results from 558 organizations over the period of December 2007 to March 2008.

It tells us that companies at the top of the maturity scale enjoy 17 percent higher revenues, 14 percent higher profits, 17 percent higher customer retention levels and spend 50 percent less annually on regulatory compliance than organizations at the bottom of the scale. Their financial risk from customer data loss or theft is a mere 0.4 percent of revenue, while those at the bottom of the scale face the risk of a revenue hit of 9.6 percent.

The elite, most mature group chronicled in the report was a mere 12 percent of the sample, while 20 percent were at the bottom of the heap, and the remaining 68 percent occupied the middle three maturity categories.

No one industry leads in the maturity derby. In fact, according to report author Jim Hurley, managing director of IT PCG, some results were counter-intuitive. You would expect, for example, that highly-regulated industries would rank higher in process maturity than the less regulated. That’s not always true. Nor do large corporations necessarily fare better than smaller organizations. “The secret sauce was procedures and practices,” he says.

Process frameworks such as ITIL, the CIS benchmarks, SDLC, COBIT and ISO 17799 and 27000, and tools like the Balanced Scorecard and Six Sigma were key to achieving superior results. But, Hurley cautioned, companies doing well took the frameworks as a starting point and adapted them to their businesses rather than trying to shoehorn their business processes into an existing framework.

In fact, the report points out that the most mature firms choose components from a tightly-focused group of frameworks from which to construct their own frameworks. And, unlike less-mature companies, the frameworks are evenly split between those for IT operations, assurance, audit, compliance and external vendors, and those used by senior IT managers to manage the value delivered by IT. Companies lower on the scale tend to concentrate on the operational frameworks.

The most mature companies also altered some business practices, such as:

  • Greater senior management involvement in GRC
  • Involving the audit committee in GRC
  • IT, Legal, Audit and Finance all providing leadership
  • Employee training in GRC, and fostering a culture of compliance
  • Making improvements to IT risk assessments, data protection, IT audit, risk and compliance practices and capabilities
  • Adjusting IT spending to support necessary capabilities
  • Implementing a continuous quality improvement program for IT GRC
  • Developing an integrated IT GRC program

But that’s not all. Mature organizations also adjusted IT procedures and practices to make them consistent and repeatable. Ten key practices included:

  • Access to sensitive data and protected data on PCs and laptops is segmented and limited.
  • Meaningful and measurable control objectives and policies based on business risk are employed.
  • IT policies, process frameworks and control objectives (KPIs, for example) are mapped to one another.
  • Common IT procedures are employed for audit.
  • Three times more controls are employed than objectives.
  • Consistent configurations and common IT procedures are employed.
  • Automation is widely employed.
    • 50 percent of all controls are technical controls, and 100 percent of these are automated.
    • Specific IT activities, such as collection of audit-related data, are automated.
  • Policy-in and audit-out for technical controls is managed.
  • IT change control and unauthorized change prevention are implemented.
  • Monitoring, measurement and reporting occur frequently, from continuously to at least once a month (the average was 22 times a year).

Getting to that coveted state of maturity, with its attendant benefits, does involve some work, and companies lower on the scale are best advised to take the changes in bite-sized pieces to increase the likelihood of success. The report recommended a procedure for incrementally improving IT GRC practices that will probably be familiar to many:

  • Assess the current maturity state of the organization
  • Determine the business and financial outcomes from the current maturity profile
  • Identify desired maturity, agility, quality, financial and compliance objectives
  • Identify the practices and capabilities needed to achieve desired objectives
  • Qualify and quantify expected costs, savings and financial risks
  • Implement the quality improvements to achieve objectives
  • Measure the results and repeat the steps

In other words, follow the processes outlined in the Deming and Six Sigma continuous quality improvement cycles.

So, you ask, how do you figure out where you sit on the maturity scale? IT PCG offers a useful tool: an interactive application that allows you to answer some questions and, based on those answers, see your score. A little judicious fiddling can then help you determine the potential effect on your maturity level of various adjustments to policies and procedures, and find the ones that offer the biggest bang for the buck.

Once you know where you are, you can formulate plans to get to the magical point on the maturity scale where the CFO actually smiles.