w h i t e p a p e r

CIO
2
CIO > Today’s IT Leaders on Market Trends

Maximize the Value

from Governance,
Risk and Compliance
Initiatives
IT and business management leaders worldwide agree
that they need a systematic and automated approach to Business Service
manage Governance, Risk and Com­pliance, according Management provides
to a recent survey.
IT organizations with

Although a challenging economy is pressuring IT budgets, CIOs can’t

the technology to
wait for better times to build a strong framework for managing Governance, Risk and simplify, standardize
Compliance (GRC) requirements. It’s an always-on priority. Unfortunately, for many
and automate processes
organizations it has also been a costly one. The amount of man-hours and money
currently spent on manual control processes and audits isn’t sustainable—neither in to meet compliance
today’s difficult environment nor over the long-term.
requirements and
It’s not just the daily grind expenses that pain IT leaders. Potential revenue loss
due to deficiencies in addressing risk, and possible missed opportunities to leverage reduce risk.
process excellence to increase business value, weigh on their minds as well. It’s clear,
then, why building a comprehensive GRC foundation must be a critical part of an
overall IT strategy. To ensure corporate integrity, sustainability and profitability, orga-
nizations must be able to manage, track and automate GRC processes and activities in
a streamlined, coordinated and continuous way.
GRC initiatives driven by a Business Service Management (BSM) platform that
About CIO2CIO:
encompass a strategic approach and that are combined with an integrated software This peer-based thought leader-
solution can bring faster ROI even as companies progress towards an end-to-end ship program analyzes quantitative
approach. A BSM platform can help companies create and document processes and research and tests it via qualitative
build out GRC capabilities in a stepwise fashion—all while defining and managing interviews with actual CIOs. The
resulting executive insight is then
expectations set between IT and the business.
disseminated via CXO’s multimedia
assets. To learn more about the
GRC Efforts: Costs Can Spiral Amid Uncertain Results CIO2CIO program, please contact
Flaws in GRC practices can cause business continuity to suffer and force IT into charles_lee@idgcom.

1 C I O 2 C I O IT G o v e r n a n c e , R i s k a n d C o m p l i a n c e

Top Drivers of IT Governance Initiatives
52%
49%
45%
43%
42%
37%
34%
31%
25%
Increasing Aligning Effective
efficiency and business and information
productivity IT goals management
firefighting mode. And CIOs can ill afford to have IT staff-
ers’ attention drawn away from activities that can help the
business differentiate itself from competitors.
IDG Research Services’ “IT Governance, Risk and
Compliance” survey points to the extra labor and cost
burdens created when IT organizations lack a systemic,
automated approach to managing GRC. More than half
the 200 IT and business management respondents world-
wide report that the amount of time spent on IT GRC
issues has increased compared to one year ago.
More than 15 percent of companies’ 2009 budgets are
allocated to IT governance, risk and compliance efforts.
That’s tilting to the high side when you consider the
circumstances under which many CIOs operate: Ac-
cording to CIO magazine’s May 2009 “CIO Economic
Impact Survey,” 50 percent of the 171 IT leaders surveyed
continue to plan for IT spending decreases, and nearly 40
percent more expect budgets to remain the same (rather
than increase). Bringing GRC costs down is critical to free
up more reduced or flat spend. Much of doing so will
revolve around minimizing the human cycles associated
with GRC and enabling IT to do more initial risk and com-
pliance assessments in-house, thereby reducing external
auditing expenses.
GRC is an important priority for seven out of ten
respondents to the IDG survey —but a significant number
of companies have yet to effectively master GRC manage-
ment. This is evidenced by the fact that a quarter of them
say they are unable to produce audit trails when asked to
identify the impact of GRC issues in their organizations.
While this may not be surprising, it is worrisome. In
2 C I O 2 C I O IT G o v e r n a n c e , R i s k a n d C o m p l i a n c e
All Respondents
U.S.
Non-U.S.
39%
37%
34% 34%
30% 30% 30% 30%
28%
Avoiding Managing Increasing
business IT costs the level of
interruption customer
confidence
the U.S., for example, meeting industry and government
compliance standards is the top driver of IT risk manage-
ment initiatives. But when audit trails to prove adher-
ence to these standards can’t be produced, that driver is
self-sabotaged—which could lead businesses to question
whether CIOs are making the right decisions around such
initiatives. In fact, nearly a third of U.S. respondents al-
ready face challenges in making the business case for risk,
governance or compliance efforts, or all three. They’re not
looking to make building those cases any harder.
Creating Value from GRC Initiatives
U.S. respondents cite staff and time constraints as the big-
gest challenge related to GRC. Worldwide, that challenge
was cited by 40 percent of respondents. In China, how-
ever, overwhelming concerns rest on identifying potential
risks (80 percent) and measuring those risks (70 percent).
The tremendous focus on these points, compared to re-
spondents elsewhere in the world, may reflect the fact that
China is particularly sensitive to any business continuity
risks that might jeopardize its growth, which continues at
a rapid pace despite the difficult economy. Just 36 percent
of China respondents noted staff/time constraints as a
challenge, compared to 45 percent in the U.S. This may
reflect the fact that because labor—including IT labor—
is much less expensive in China, there is less concern
around dedicating staff to manual audit processes.
Thirty-six percent of respondents worldwide find
it difficult to define a governance, risk and compliance
strategy. This one challenge is probably the greatest
contributor to every other challenge organizations face.
Without such a strategy—and the tools to make actionable
the policies it dictates in a repeatable and consistent way—
it’s practically a foregone conclusion that IT labor will
get sucked up by piecemeal, manual tasks, and that the
complexities of the technology environment will lead to
additional process inefficiencies, jeopardizing continuous
compliance and risk reduction.
Despite these issues, survey respondents worldwide
have high hopes for GRC initiative outcomes, based on
insight into what’s driving them (see chart on page 2).
Among the important business benefits that may
be realized by resolving GRC issues are fewer busi-
ness service interruptions (84 percent) and the ability to
quickly launch new business initiatives (82 percent). IT
and business benefits that can be realized from resolving
these issues range from improved data quality to tighter IT
security controls.
To gain these advantages, organizations must aggres-
sively tackle some key components of a sound GRC plan.
And they must do so in a strategic way that delivers value
incrementally and compounds ROI as rollouts expand,
with each payoff helping IT make the case for continuing.
Security and identity management are among the most
commonly used documented and repeatable processes
put in place to facilitate IT governance. This makes sense
given that auditing requires companies to prove that only
authorized individuals are able to access different infor-
mation sources. Configuration and change management
What is Critical/Very Important to Current
Governance, Risk and Compliance Initiatives
82% 81%
75% 76%
72%
70%
67% 67%
63% 63%
Enterprise IT process IT process
security integration automation
software
C I O 2 C I O IT G o v e r n a n c e , R i s k a n d C o m p l i a n c e
also get attention: 71 percent and 67 percent of respon-
dents, respectively, say they have these processes in place
to enforce IT governance. This points to a recognition
by executives that they must reduce the 80 percent of IT
failures—and the business risk they represent—that come
about as a result of poorly implemented change.
Tackling GRC Obstacles
But just how well-documented, repeatable and mea-
surable are these processes? There’s a gap between the
number of respondents who report their organizations
have some of these parameters in place (69 percent) and
those who consider themselves to be extremely or very
effective at implementing consistency and standardiza-
tion of IT processes (62 percent). Interestingly, non-U.S.
respondents are more likely to say they are very effective
at the latter, and also more likely to say their processes are
documented and repeatable.
In any case, without automation in place to remove
human errors, making the case that key IT processes are
as repeatable as respondents would like to believe they
are is challenging. Businesses worldwide recognize that IT
process automation, along with IT process integration and
enterprise security software, are critical or very important
to GRC efforts, with survey respondents ranking them as
their top three requirements for success. More than half
see the importance of IT process automation increasing
in the next 12 to 24 months. Many of these efforts will
All Respondents
U.S.
Non-U.S.
78%
74%
67%
63%
60% 62% 61%
55%
Configuration Asset and Sophistication
management software license of change
visibility and management management
control processes
3
likely focus on expanding automation beyond the basic
administrative tasks many now include to more compre-
hensive tools for activities such as active configuration
management, asset deployment and dynamic resource
allocation.
The ability to automate as well as integrate and or-
chestrate processes across multiple IT groups, tools and
applications will become more critical. Today, when it’s
most important to connect critical processes with IT ser-
vices and applications to assess compliance impact for
requirements ranging from Sarbanes-Oxley to HIPAA,
just 36 percent of companies report that their GRC
initiatives are supported enterprise-wide within their ap-
plications. U.S. respondents are more likely to claim they
have different applications and tools to support various
GRC initiatives, which can lead to challenges in gaining
a comprehensive view of compliance, while non-U.S.
companies are more likely to say they have implemented
a business application that supports an integrated and
enterprise-wide GRC project.
While there is no doubt that companies have
obstacles to overcome, it’s encouraging to see they’re
dealing with some of them by adopting frameworks that
emphasize automation and integration. Just under half
are using the IT Infrastructure Library (ITIL), but that
figure rises to nearly 75 percent when you include those
who plan to implement it. Close to 65 percent of respon-
dents report they currently are using or plan to imple-
ment COBIT (Control Objectives for Information and
related Technology). Together, these frameworks address
increasing regulations, legislation and requirements by
helping IT departments stabilize their operations and
put in place internal control systems to deliver against
business needs.
As companies move to use these frameworks to trans-
late IT actions into clear and auditable business terms,
more of them may want to consider teaming IT and busi-
ness leaders together to set IT GRC strategies. The CIO
performs that function in 72 percent of the companies
surveyed. This is not a surprise; so much of compliance
revolves around demonstrating that the IT environment
the business uses to deliver its information is performing
as expected, is repeatable, and conforms to industry best
practices. But given the importance of measuring com-
pliance as a function of service quality in metrics that
both IT and the business can understand, it’s somewhat
surprising to see that corporate business management
is involved in setting GRC strategy in only 36 percent of
companies. Even chief security officers, chief compli-
4 C I O 2 C I O IT G o v e r n a n c e , R i s k a n d C o m p l i a n c e
ance officers and chief risk managers are represented in
these discussions in fewer than 50 percent of businesses.
If aligning IT and business goals is one of the most
hoped-for governance outcomes—as respondents say it
is— representatives of both parties should be at the table.
Realize the GRC Vision
No two businesses are likely to embrace identical GRC
strategies. But there is great value to be gained by study-
ing current tactics around defining, documenting and
repeating processes—as well as storing and managing
data about the IT environment and then using that infor-
mation to drive a big-picture plan. ITIL and COBIT will
be part of that plan for many companies. But effectively
implementing these frameworks requires software to
codify, automate, integrate and report on the processes
that facilitate GRC management activities as part of daily
IT workflows, while lowering compliance costs and
improving service quality.
BMC’s Business Service Management platform pro-
vides IT organizations with the technology to simplify,
standardize and automate processes to meet internal
and external compliance requirements and reduce risk.
It lets IT organizations take a step-by-step approach to
enabling GRC capabilities, in the context of the portfolio
of services most relevant to the business. That approach
lets IT deliver value in the short term, while building out
the pieces of a comprehensive and coordinated strategy
for managing, tracking and automating the processes
and activities required for meeting multiple compliance
requirements over the long haul.
Technology alone won’t solve all the GRC issues com-
panies face, of course. Assessing processes as they are
and defining what they should be—and ensuring IT staff
has the skills to help perfect them—are equally critical to
good governance, risk and compliance. BSM, however,
plays a significant role in implementing the resulting
GRC strategy, ultimately enabling IT to focus its agenda
and investments on the proactive and strategic projects
that will help the business succeed.
Go to www.bmc.com for more information.