GRC and IT have more in common than they think

By Riaan Bekker, Force Solutions Provider at thryve

If companies want to prosper and innovate through digital technologies, they would be smart to begin aligning these ambitions with governance.

Consider a straightforward yet revolutionary concept: Know Your Customer or KYC. It goes without saying that businesses that didn’t know their customers weren’t successful for long. But the added benefits of digital technology have raised the concept to an entirely different level. Today you can learn so much more about a customer and then tailor services or strategies towards them. Just being able to draw a customer’s history right there as they sit with a company representative is very powerful and much more possible, thanks to digital assets such as data.

But here things also get murky. Putting words such as ‘customer’ and ‘data’ in the same sentence raises problems such as security and regulation. It’s hardly the only example: practically any part of a business that uses digital data also invites regulatory concerns including security and appropriate use of information. What keeps those parts of the business honest are policies reinforced by governance.

So it makes a lot of sense for a business’ governance and technology areas to collaborate, something highlighted at the recent Governance, Risk and Compliance 2019 conference where thryve was an exhibitor. Speaking at the conference, Capitec legal advisor Isabella Hofmeyr-Pretorius raised the important relationship between governance and technology:

“A strong GRC culture across the organisation helps guide and promote evaluation and management of business processes, risks, compliance and strategies, to optimise the overall performance of the organisation.”

She cited King IV, specifically principles 12 (“The governing body should govern technology and information in a way that supports the organisation setting and achieving its strategic objectives.”) and 13 (“The governing body should govern compliance with applicable laws and adopted, non-binding rules, codes and standards in a way that supports the organisation being ethical and a good corporate citizen.”).

If you combine those two, the relationship between technological innovation and governance becomes very clear. It also puts to rest any notion that governance can be a box-checking exercise, since the fast-moving and dynamic world of digital innovation is not conducive to that. If modern innovation strategies such as DevOps teams are expected to flourish, GRC needs to run alongside them. Otherwise it will be sidelined, which is particularly dangerous in an era where a small digital misstep can devolve into a major problem due to its speed and close proximity to the business’ success.

How a business conducts itself is its own business, if you’ll pardon the pun. But it is critically important in today’s tech-forward world that there is internal agreement on that conduct. To do this, IT and Governance people should build closer relationships. They already have much in common, neither being strangers to complexity, data and reaching across silos in the business. Modern GRC integration platforms such as Riskonnect create common ground for those conversations. Technology can do a lot to elevate GRC’s role as a conduit for strategic insight. The more GRC understands technology, the better it can help guide the ethics and compliance so that technologists can innovate unhindered.

I’d go as far as to say that GRC and IT have a lot in common. But because they tend to approach from radically different places, they often don’t see this. Yet in an era where data fuels business, they need each other. In fact, it’s not surprising to see more GRC or IT executives who have a foundation in the other discipline.

GRC is subtle enough that conversations can start around IT governance itself, then expand into other areas of the business. In today’s modern business, they share a lot. The smart play is to start building those relationships and exploit the overlaps.