EMC Corporation : Top Executives Say GRC Programs Must Better Align to Strategic Priorities to Meet Board Needs
07/17/2012| 09:05am US/Eastern
BEDFORD, Mass., July 17, 2012 /PRNewswire/ -- RSA, The Security Division of EMC (NYSE: EMC) released key findings from the RSA Archer GRC Executive Forum it hosted recently, where governance, risk and compliance (GRC) leaders from 34 leading corporations discussed enterprise risk management strategies and best practices. A dominant theme from the forum's executive participants was that corporate boards of directors are taking note of GRC demands and are now looking for greater visibility into the risks that could negatively impact their organizations. Corporate boards are also looking for assurances they're basing risk decisions on trusted information--risk assessments validated by multiple sources within their organizations. To provide corporate directors the visibility and trust assurances they're looking for, forum participants said GRC programs must mature from compartmentalized risk efforts, demarcated by function, geography or business unit, to a unified view that facilitates enterprise-wide risk management and compliance.
RSA released a key findings document from the executive forum. The findings affirm the results of the recently released Carnegie Mellon 2012 CyLab Governance Report, which also found rising interest in GRC among corporate boards of directors, as well as increased pressure to gain enterprise-wide views of organizational risk.
Key findings and recommendations from the RSA Archer GRC Executive Forum include:
-- Risk Management Rises to a Board-level Concern - Mounting regulatory and
other compliance obligations compel corporate leaders to push for
heightened visibility into risks facing their organizations. As a
result, GRC program executives represented at the forum report they're
spending more time reporting to the board on these topics. Further,
corporate directors are concerned about the accuracy and integrity of
GRC information and seek assurance that the organization is making sound
risk management decisions based on trusted, reliable, representative
-- Aligning GRC Goals to Business Priorities Is a Top Priority - Forum
participants observed that business executives view GRC more as a
comprehensive risk management program than a specific discipline.
Successful GRC program owners are adopting the strategic priorities of
their stakeholders, and the associated vocabulary, in describing how
their GRC program efforts reinforce successful risk management in their
enterprises. One participant noted, "Our executive team understands the
issues and challenges when we talk about operational risks, not GRC."
-- GRC Programs Must Get a Big-picture View of Risks - GRC program owners
at the forum reported risk in their enterprises today is still largely
managed in silos. This compartmentalized view makes it hard to make
enterprise-wide risk assessments and prioritize mitigation efforts. Many
GRC program owners are growing the maturity of their risk programs from
a siloed, to a unified approach--a critical stage that one expert
characterized as a "make or break" moment for maturing enterprise GRC
-- Invest in Unifying GRC Processes and Frameworks - Forum participants
agreed that time and energy spent aligning organizational stakeholders
to a shared framework for describing and assessing risks is a worthwhile
investment. When done right, these shared frameworks provide the freedom
for individual stakeholders to meet their own risk management needs,
serve as a unifying force to take collective action, and enable the
rolled-up views demanded by executive leadership.
-- Measuring GRC Benefits - GRC program owners said they were under
pressure to demonstrate to corporate executives and directors the ROI
for their GRC programs. While convinced of the return on their
investments, members struggle to quantify the value when the benefits
are dispersed across a wide range of stakeholders (in efficiency and
improved risk-based decision making) but the costs are centralized and
"As regulatory requirements grow and business risks continue to multiply, GRC becomes more and more challenging, yet more critical to complex enterprises," said Martin Goulet, director, GRC solutions, RSA. "The RSA Archer community is made up of a diverse and dedicated group of GRC professionals who often collaborate to tackle these challenges. This executive forum brought a cross-section of that community together to address pressing GRC issues, as well as share best practices based on real-world situations. This level of sharing is invaluable to both RSA and its customers, and we look forward to continuing this very successful event."
About Forum Participants
RSA Archer GRC Executive Forum participants represented a wide variety of industries, including healthcare, finance, telecommunications, media, and insurance. They come from functions as diverse as corporate compliance, audit, and IT security. Most have at least five years of GRC program executive experience, and several have led multiple enterprise-wide GRC program efforts.
-- Download the RSA GRC Executive Forum Key Findings Report
-- Download Carnegie Mellon - Governance of Enterprise Security: CyLab 2012
-- Download presentation from author, Jody Westby's on 'How Boards & Senior
Executives Are Managing Cyber Risks'
-- Get more information on the RSA Archer eGRC platform
-- Connect with RSA via Twitter, Facebook, YouTube, LinkedIn and the RSA
Speaking of Security Blog and Podcast
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world's leading organizations solve their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM, Data Loss Prevention, Continuous Network Monitoring, and Fraud Protection with industry leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.EMC.com/RSA.
RSA, Archer and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other company and product names may be trademarks of their respective owners.
SOURCE EMC Corporation