GRC 360: Summer-Fall 2006 Issue, Getting Connected: The Partnership Of Technology and GRC
MAKING THE CONNECTION: INFORMATION GOVERNANCE IS THE LINK TO ENTERPRISE PERFORMANCE
By Lee Dittmar
 

The fact that so many companies are still struggling to turn data into useful performance information speaks both to the enormity of the task and the fact that they are dealing with an ever-shifting goal line. Information Governance is the missing link; it’s the connection between the senior executives and board directors and information technology projects, priorities and processes. It’s the combination of strategies, policies, procedures and enablers that meets an enterprise’s information needs.


Innovative ideas don’t always follow the development sequence we would like or imagine. The timing of new priorities is sometimes driven by factors not of our own design or choosing. Such is the case with the need to improve the efficiency and effectiveness of governance, risk and compliance (GRC) programs to better manage and govern 21st century companies. Because of the high-profile corporate governance failures and frauds that caused substantial economic damage, we believe improvements are necessary. Thanks in part to the work of the Open Compliance and Ethics Group (OCEG), we believe we must align corporate governance, risk management and compliance programs in a manner that not only protects, but also enhances, business performance. The three GRC elements no longer live three separate lives; rather, they are inextricably linked and mutually dependent. As we now know, they are individually—and collectively—reliant on access to high-quality information. And now we also know that we need the right IT assets and priorities to address GRC information needs.

For decades, information technologists were the architects of information systems to support transaction processing requirements and manage data and storage needs. More recently, technology priorities included enabling Internet commerce. In short, the IT specialists were doing what they believed brought value. And while there have been significant improvements in IT functionality, our experience is that most GRC procedures and controls are still primarily manual, leaving room for error and inefficiency.

Presentations at the first OCEG IT Forum, including a keynote address by Deloitte Consulting’s CEO, Doug Lattner, highlighted the essential role information technology must play in improving governance, risk management and compliance. At stake is the fundamental capability to help bring companies up to par with today’s requirements for efficiency, accountability and transparency. We believe it is important to get IT assets in place that can produce the right information, in the right format, in the right place and at the right time to enable business leaders to achieve GRC goals and objectives.

This will not be an overnight delivery. But the journey must begin somewhere. We believe there is an essential building block that bridges the gap between GRC and technology. We call it “Information Governance.” This concept goes beyond transactions, analytics and data. Sure, it includes some of the messages from the OCEG IT Forum about privacy, security and lifecycle management, but it also goes beyond those. At its essence, we believe Information Governance is the missing link; it is the connection between the senior executives and board directors and information technology projects, priorities and processes. It is the combination of strategies, policies, procedures and enablers that meets an enterprise’s information needs.

Let’s take a quick look at how an Information Governance strategy applies in each case:

Governance. Boards, individual directors and senior executives are experiencing unprecedented pressure and visibility as to how they perform their oversight roles. Executives have to keep boards informed about matters related to performance, compliance and risk. Directors want and need to know more about the company’s situation with respect to operations, employees, customers, vendors, strategic partners, government and regulatory agencies, analysts, investors and the general public. In other words, both boards and management need better information. Information Governance can and should lead to establishing new projects and priorities for IT.

Risk. In an increasingly interconnected world, risk is pervasive and timeless. IT and telecommunications advances have broken down barriers and sped up contact, and the global nature of business has magnified the challenges. Consequently, risk management, including the need for more proactive risk measurement and monitoring, has become far more dynamic and less event-based. IT will play an increasingly important role in all risk matters as corporate leaders recognize that risk management is an integral part of an organization and not a separate function. And risk-intelligent processes should be integrated into daily operations. We believe that information governance is key to this linkage.

Compliance. Companies are now four years into changes related to compliance with Sarbanes-Oxley legislation. One overarching lesson from this experience has been that today’s compliance challenges are really information challenges. Examining controls for financial reporting to address Section 404 compliance has forced companies to perform a thorough evaluation of financial processes and IT systems. Many companies found that their IT assets and approaches were often barriers to, rather than enablers of, high-quality financial information. SOX compliance also revealed the reality that technology was not widely used for internal control and compliance management purposes. Many companies found an extensive lack of awareness, understanding and discipline around the use of IT.

The Common Denominator?
High-quality information is the joint responsibility of the executive team, the IT team and those who lead the charge on GRC. Information Governance is about having the right information, in the right form, at the right place and at the right time. It’s about managing information—past, present and future. To be effective, it will require close collaboration and communication among all GRC elements. And it starts with the executive team promoting it as a strategic imperative.

I’m often asked why the alignment between IT and the business user is so elusive. The fact that so many companies are still struggling to turn data into useful performance information speaks both to the enormity of the task and the fact that they are dealing with an ever-shifting goal line. If there’s a single “ah-ha” in all of this, it is that getting access to the information needed for effective and efficient governance, risk management and compliance is now causing company leadership to push information technology even more to deliver on the fullness of its promise.
 
 
Using insights derived from an Information Governance strategy, you can increase the likelihood that the power and possibilities of IT are much better leveraged for automating and monitoring key processes and controls; contributing to the efficiency of risk identification and mitigation; and supporting boards and executives to help keep strategy and performance aligned. Let’s get this conversation started!
 

Lee Dittmar is a Principal of Deloitte Consulting LLP.

RESOURCE DETAILS
Last Updated: 4/11/2007