Jeff Jinnett: How to Take a Holistic Approach to Governance, Risk Management and Compliance - part 1

Today’s increasingly complex business landscape is matched by an increasingly challenging governance, risk management and compliance (GRC) landscape. U.S. multi-national companies are faced with a bewildering array of international, U.S. federal and state regulations, depending on the nature of the company’s business. These regulations can include the EU privacy directive, the Basel II Accord, the USA Patriot Act, the Sarbanes-Oxley Act, HIPAA, the Gram-Leach-Bliley Act, DoD 5015.2 and various state data security laws, among others. No wonder that GRC efforts reportedly absorbed more than 10 percent of the average CFO’s time in a group of companies in one survey.  Further, as a result of the current credit crisis, it is anticipated that a wave of new U.S. Federal and state legislation is about to issue that will require financial institutions to dramatically increase their record-keeping, audit and reporting functionality in order to provide more transparency into their day to day operations.

Unfortunately, many companies respond to this GRC challenge by purchasing or developing one-off point solutions designed solely to satisfy the requirements of individual regulations. This could end up being penny wise, but pound foolish. It has been reported that companies relying on one-off GRC solutions will spend 10 times more than they would if they had developed reusable GRC solutions that could satisfy multiple regulations. This suggests that IT departments can act as a leader in the GRC space by helping to identify multipurpose GRC solutions in order to reduce total cost of ownership and increase return on investment for GRC expenditures the benefit of the company. 

Even if you are not directly involved with your organization’s GRC efforts, you might at various times find yourself involved with IT, financial, business or other initiatives that indirectly involve GRC issues. As part of that project team, you might wish to ask yourself whether you would be able to answer the following questions:

  • What are the 30 most important GRC mandates applicable to your company?     
  • What are the top 10 mandates requiring your company to document a process? Analyze risk? Deal with privacy issues? Conduct a security assessment? Obtain a certification? Know your customer?
  • If a serious regulatory breach were to occur, how would you defend against a charge that your company was guilty of gross negligence?
  • If you had only 1 hour to present your company’s overall GRC approach to your CEO or your company’s board of directors, how would you do that?
  • If you had to defend your company’s GRC approach as a witness before a jury, how would you do that without confusing the jury with too much technical detail and jargon?
  • How would you reduce your company’s total cost of ownership for GRC management?

In order to cope with these new business and regulatory challenges, you might want to consider adopting a “holistic” GRC approach that can help you develop multi-purpose, reusable GRC solutions.  See our next blog for ideas for dealing with these challenges.


JJeffeff Jinnett is Governance, Risk Management & Compliance Industry Market Development Manager, US Financial Services Group, for Microsoft Corporation. Mr. Jinnett is a former partner of the international law firm of LeBoeuf, Lamb, Greene & MacRae, LLP (now Dewey & LeBoeuf) and has experience in advising Fortune 500 companies on the use of technology to support corporate governance, risk management and compliance programs. Mr. Jinnett has testified before the US Senate regarding the law and technology. He is a member of ARMA (a records and information management professional association) and the Society of Corporate Compliance & Ethics (SSCE).