Companies struggling with compliance demands in search for productivity
Companies are struggling to reconcile governance, risk management and compliance requirements with the demand for increased productivity. A report from governance, risk management and compliance (GRC) specialist su53Solutions has found that fear of regulations and directives designed to improve corporate responsibility is costing the UK economy dearly, both in terms of innovation and productivity.
This claim is based on a study of 200 large-scale enterprises, which reveals that fears around protecting corporate reputation and complying with regulations lead to losses of more than £1 million in revenue for the average UK Plc, coupled with findings that highlight how each of these enterprises suffers approximately 516 days in lost productivity each year due to ineffective GRC controls.
"Ever since directives such as Basel II and Sarbanes Oxley came into force, businesses have been working hard to eliminate incidents of risk, such as corporate malpractice that impact company reputation," said Martin Proctor, managing director su53Solutions. "Unfortunately, this has resulted in a climate of fear whereby the majority of controls implemented by enterprises are reactionary measures that create more problems than they address."
Three quarters of the businesses surveyed on behalf of su53Solutions reckoned regulations and fear of reputational damage are stifling innovation and a similar percentage of CIOs admit that employees in their organization will turn a blind eye to GRC in order to prevent a loss of productivity. The most common example of this is workers temporarily giving their colleagues their computer log-in details without the approval of IT (thereby bypassing GRC controls) while more than 40% of the companies questioned gave third party suppliers such as IT outsourcers responsibility for implementing these controls.
These figures chime with the results of a report produced for the National Computing Centre last year, which found that most senior managers would readily circumvent corporate risk management policies. More than two thirds of the companies surveyed for the NCC did not have formal risk assessment processes.
Speaking at the RSA Europe Conference in London in October, Art Coviello, president of RSA (the security division of EMC) said companies needed to embrace risk-based compliance. He referred to a number of steps organizations could take to "align their programs to the heightened demands of the new compliance landscape", including establishing an enterprise governance, risk and compliance (eGRC) strategy that consolidates all of the information necessary from across the organization to manage risk and compliance and provide visibility into controls.