In My Humble Opinion

All companies know they should abstain from bad business practices, protect their business assets, minimize their risk and make as much money as they can. Most businesses that have a penchant for losing money and a knack for failing to meet their company goals know they should make certain changes to their business plans to improve their bottom line. Yet, I believe far fewer actually do so. So how can CIOs motivate and educate their colleagues to follow through in choosing the behaviors and techniques that help build and promote healthy companies? Let’s take a look at three elements that have a huge impact on the safety, health, profitability and longevity of every company.

Doing the right things. It is important for IT organizations to have a consistent set of processes, customs, policies, laws and organizational structures that encourage employees and officers of the company to do the right things. CIOs can ensure the investment in IT generates business value and mitigates the risks that are associated with IT by using proven frameworks and best practices associated with IT governance. Frameworks like COBIT and ISO 38500 can guide CIOs through the PDCA cycle to promote good governance and continuous improvement within their IT environment.

Identifying and managing risks. Effectively managing risk provides the foundation for a good security program. All security-related government regulations, industry regulations, privacy requirements, frameworks and best practices identify risk management as a critical need for every organization. CIOs can balance the operational and economic costs of protective measures and the gains achieved in meeting business goals by adopting a meaningful risk management methodology. A meaningful risk methodology is one that provides accurate information, aligns to the business and its critical processes, can be used throughout the organization and is used and understood by key stakeholders to make business decisions.

Complying with voluntary and mandatory requirements. Government and industry are beginning to crack down on organizations that have weak or non-existent compliance procedures. More legislation at the federal and state levels is being considered to force companies to comply with industry best practices. In essence, compliance is directly related to corporate integrity and good governance practices. If a company practices what it preaches and follows the rules which govern its business, then doing the right things and managing its risk become standard operating procedures. CIOs should design and implement an IT strategy that promotes and satisfies compliance, ethics, accountability, cultural, financial, business and legal obligations.

Taking an integrated approach to governance, risk and compliance (GRC) will help to ensure that CIOs meet their responsibilities for doing the right things, managing risks and complying with voluntary and mandatory requirements. There are a number of frameworks, organizations, technologies and best practices that CIOs can use to design and implement their GRC strategies. It is no longer wise or acceptable to say GRC is not part of our jobs.