The case for GRC tools, Part 1: assessing manual GRC risks and costs

The risks of manual GRC assessments

Manually performing governance, risk management and compliance (GRC) activities is both riskier and more onerous than using a GRC automation tool. In this three part series, we will explore the dangers of manual GRC, determine how to evaluate GRC solutions and cover implementing GRC automation and proving its ROI.

Assessing your current landscape is the first step in understanding how your business could improve its GRC procedures. By examining the current risks and costs of your manual efforts, you can build a case for adopting the right automated solution to make huge efficiency and productivity gains.

Quantifying the business problem

Tedious and manual IT security administration processes and compliance reporting can affect the enterprise in multiple areas:

Slow user provisioning and compliance reporting processes

IT help desk organizations receive user change and delete requests in a never-ending stream.

Manually addressing them eats up time, as IT staff spends many hours of non-value-add time processing the requests. Additional time gets sunk into tracking down requests that get lost, misrouted or delayed – eroding trust in IT and impeding their productivity.

And it’s not just IT’s time that’s impacted. At many companies, it can take a week or more to turn around a new employee add request. Consider the business cost of delaying new employees’ contributions due to slow, manual provisioning. What would the benefit be if a new employee could be provisioned in hours, not days?

Manual compliance reporting is yet another demand on IT’s time. It’s often dubbed ‘death by screen shot’, with many enterprises reporting hundreds of IT staff hours spent compiling periodic reports. These cumbersome reporting processes slow IT’s turnaround time for servicing auditor requests and actually beget more work. Because manual reports tend to be deemed less reliable than automated reporting, auditors often dig deeper and drive more expansive reporting requirements.

High priced IT staff performing low value work

It’s said that seasoned IT professionals are worth their weight in gold. They pride themselves on driving important initiatives to go-live for the benefit of the enterprise. Unfortunately, with lean staffing, the percentage of time spent on operational tasks versus value-add initiatives has tipped too far toward operations. Complex, manual operations for user and role provisioning take time, and chasing down errors takes even more.

The result is enterprises spending far too much money on routine IT operations by paying high priced staff to do low value work. There is a human cost, as well. IT professionals don’t feel gratified performing routine, low-value work. This becomes a morale killer – with turnover increasing and productivity suffering.

Increasing GRC risk of adverse findings

IT processes tend to expand over time. With each new compliance and reporting requirement, new applications and integrations get rolled out Straightforward processes like user provisioning can become a labyrinth of manual tasks, with numerous and cumbersome hand-offs. Not only does inefficiency and cycle time increase, but so does overall GRC risk.

Today, thinly staffed IT organizations often heroically struggle to keep up with the constant stream of provisioning requests and increasing compliance requirements. With so much time and focus spent on simply keeping up, the chances of genuine risk becoming a problem to the enterprise also increase. Good auditors can find, and rightly report, adverse findings related to those areas of increasing risk.

The costs in terms of loss of shareholder confidence and goodwill become board-level concerns quickly. The finding of a significant deficiency cannot be ignored and can drive expensive, reactionary remediation.

Opportunity cost

Time and effort involved in manual compliance is rising, as every year, IT audits are getting broader and digging deeper.

The less obvious, more insidious cost of increasing compliance reporting is less time being spent on IT initiatives and more on non-value-add operations. The costs include slower time-to-value for IT business initiatives and less agility to respond to new opportunities.

There’s a significant risk to enterprises in which IT organizations have lost their critical capacity to support innovation. Some IT organizations report that 80-90% of their time is spent simply keeping the lights on, performing routine operational work. Investing in GRC automation can change the balance toward freeing up talented staff to propel the enterprise.

The tipping point – when to perform a GRC risk assessment

Enterprises live with business problems all the time. Most are relatively easy to surpass, often with the day-to-day heroics of dedicated staff.

A tipping point occurs when two things happen:

1. The impact of a business problem increases to the point where it becomes a significant risk or impediment to achieving business objectives.
2. An individual decides ‘enough is enough’ and drives a project in the organization to resolve the business problem.

Recapping pain points and opportunities

The costs of living with cumbersome, manual IT user provisioning and compliance reporting can be measured and quantified. Assess the money and time your enterprise is losing, as you answer the following questions:

• How much does it cost for every hour an employee waits for IT user and role provisioning?
• What percentage of high-value IT staff’s time is spent performing routine provisioning?
• How many hours of high-value IT staff’s time are spent on compliance reporting? Are the hours increasing?
• Are you 'flying blind' in terms of IT risk? How comfortable are you really with IT security?
• Do you have a backlog in IT for supporting new enterprise initiatives? Is the backlog increasing?

Having a solution like ControlPanelGRC for maintaining ongoing compliance can help your business focus on what’s truly important. Not only do GRC automation solutions save money, but they support multiple enterprise objectives:

• Faster IT user and role provisioning means new and changing employees can make an impact sooner.
• Automation of routine IT user and role provisioning means high value IT staff are spending less time on operational tasks, allowing more time for innovation.
• Great compliance automation solutions not only increase operational effectiveness but also ease compliance reporting.
• Increases in audit scrutiny can be offset by automation, breaking the cycle of increasing audit workload with fewer resources.
• Basic IT risks (e.g., segregation of duties violations, termination of user IDs) can be mitigated via automation with a full audit trail.
• The tangible reduction in routine IT operational workload means limited IT staff can better service the changing needs of the business, increasing enterprise agility.

Once you've assessed the unnecessary risks and extra costs that manual processes demand, the next big step is to compare various GRC automation solutions that best fit your business environment and needs. In part two of this series, we’ll explore how to identify, evaluate and build the business case for an automated GRC tool.

If you’d like to learn if ControlPanelGRC is right for you, request a free risk assessment today.