Rumor Has It: Convergence is Key

by Steve Schlarman – April 16, 2010

Greetings from the Archer GRC Summit - day two. 'You only know something when you actually know something.' While it sounds like a statement from the renowned Yogi Berra, it rings true that one can only be certain of something when one has all the facts. Basing an opinion on perception or unknowns is a slippery slope and can be a hazardous practice. Even as children, we are taught the dangers of believing, or worse, spreading rumors without knowing the whole picture.

As risk professionals, however, we work every day with the unknown. One of the most revered equations used in our profession, risk = impact * likelihood, has a guess as one of its fundamental components. In most cases "likelihood" is an educated guess, but it is nonetheless an unknown in many respects.

One of the key goals of a risk management process is to reduce the unknown to a point where business decisions are based on facts. Today at the Archer Summit, I heard many discussions focused on the improved collection, organization and correlation of facts to fuel risk-based decisions as part of business processes. Risk management relies on data translated into information, and then resolved with prudent action.

These discussions fall in line nicely with the fundamental goals of technology platforms in support of governance, risk and compliance programs. For instance, wouldn't it be nice to know the number of utilization-threshold alerts on the servers supporting a critical application when determining the likelihood of a business interruption risk for the related business process? Or wouldn't it be nice to understand the nature and frequency of access attempts to sensitive data when assigning the magnitude of risk to an information asset? There are many examples of this kind, where empirical data can bring clarity to a risk calculation that must often be based on anecdotal analysis.

These examples highlight the evolution of risk management with the convergence of IT and Business GRC. Data for many of these situations can be found on IT systems, but the value from a risk perspective comes when the data is applied to business situations. Looking at the enterprise realm, this data can be everything from system events on physical devices to business transactional data. The combination of empirical data with the intelligence of risk professionals brings tangible results to the risk management process.

The presentations I heard today bode well for the progress of GRC. The integration of business data with process, supported by the Archer platform, indicates a general evolution of the business value of GRC programs. This also indicates the continued need for GRC processes and technical platforms to 'talk to each other'. For IT professionals, providing an infrastructure that can give the business the information it needs is still an imperative. For GRC professionals, we must still seek more avenues to leverage operational information to reduce our 'guesses' and support our risk analysis with actual data.

In the end, the GRC community continues to be cognizant of the value of organizing and using data for more informed decisions. Data plus organization equals information and facts, which clearly improve the understanding of the actual situation. From there, intelligent and responsible actions can be taken, because we all know the fog that rumors, hints and assumptions can bring to our thinking.
