How to use BI to clear a path through the GRC minefield

Good BI cuts risk and produces value

By Gavin Morrison, MD of Cubic Blue, a Knowledge Integration Dynamics company

Governance, risk and compliance standards and practices were established to safeguard against excessive risk-taking by financial services organisations with depositors’ funds, yet in the financial crisis of 2007-2008 they failed to live up to expectations.

That ushered in round two, a new and additional set of governance, risk and compliance standards. Now you’re expected to live up to them yet they are far more stringent than before and place a nearly onerous burden on your IT systems. Executives, who may know very little about IT, are subject to severe penalties if the terms of good governance, risk and compliance policies, standards and practices are not met. So how can you be sure your organisation is top of the pops?

Data Minefields are best avoided
Even slow moving minefields are best avoided.

Image Credit: Christopher Michel

A swarm of jargon will barrage you as you investigate possible solutions from the now ubiquitous big data, to metadata, warehousing, mapping, re-engineering, data architecture, governance, framework, and more.

Essentially, though, what you need to do is know who deals with your data, when, how, why, where it goes, who sees it, what they do with it, and check that against policies of what’s acceptable and what’s not.


The problem today is enterprise systems are experiencing a revolution of sorts. Data is collected, managed, stored, retrieved and deleted almost anywhere across the digital landscape. It is no longer confined to your basement in IT systems over which you have complete control. It is also collected very quickly, in some instances, must be used very quickly, and destroyed with equal speed.

It makes the environment difficult to control because there can be many systems in many different places working rapidly with many different people.

In large businesses your problem gets worse. Many people interact with the data but they may not all perfectly understand the corporate strategy nor the implications of governance, risk and compliance. They may also not know who is accountable and responsible or who to turn to for help.

You need an IT private investigator

What you need is a technology sleuth, an IT private investigator or PI, to snoop through the systems and find out what’s happening, who’s doing what, where, with what data and when.

  1. You need to manage the network and the applications it serves to your users so that you can see who is accessing what and when.
  2. Then you need to automate the compliance controls through policies that direct people as to what they can and cannot do.
  3. Automated systems protect the data and information from erroneous use as well as unscrupulous activities by those inside and outside your organisation.
  4. Embedding compliance and control activities in business processes ensures adherence throughout your organisation.
  5. Effective monitoring closes the loop.

It is absolutely crucial to know that technology alone will not take care of the governance, risk and compliance needs of your business. There must be effective strategy coupled to potent execution. It needs to be proactive and systemic. And that requires upfront planning, particularly in light of the broadened scope of IT systems and data to the web and the cloud.

Determine the killer risks

Your organisation will face greater risks in specific parts, services, customer segments, markets and products. Those are where you expend your greatest effort and exact most stringent control and reporting. They also form the ground zero starting point where you can iteratively roll out your governance, risk and compliance programme that mitigates your greatest exposure.

3 ways BI helps you

Business intelligence or BI will help you:

  1. Document and test controls
  2. Find the risk categories and monitor them
  3. Develop and communicate policies for training and change

Those steps relate to business activities such as checking to ensure budgets are approved, vendors are approved, contracts are qualified, reporting is accurate, whether or not service providers are achieving service level agreements, check absenteeism rates, average ages of employees, frequency of performance reviews and many more.

Effective risk management employs business intelligence to map governance, risk and compliance activities and systems to value, aligns the behaviour of your organisation’s people to creating value, builds a profile of performance versus controls, and monitors, predicts and reduces risk by improving performance.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s