ISACA (an international professional association focused on IT governance) recently published an article written by Saama’s CSO, Sagar Anisingaraju, that discusses the next generation of social GRC: the advent of big data and the ubiquitous nature of data pervading all walks of life, including “wearables, driveables, flyables and scannables” (Mary Meeker, KPCB), is redefining the GRC landscape, in particular when it comes to social media.
In a recent blog post titled “GRC Will Be a Performance Platform,” French Caldwell argues that GRC (governance, risk management and compliance) platforms are not going to be embedded within enterprise systems by just orchestrating risk management, but instead should orchestrate business performance. Big data may be forcing this bridge to be built sooner rather than later.
Current-generation GRC processes and systems mostly look inward—at internal processes, segregation of duties and traditional IT risks. With these processes, companies achieve a fair amount of maturity in assessing and arriving at meaningful assertions on the control environment. The advent of big data (which is pervading all walks of life, including wearable, driveable and scannable devices) is redefining the GRC landscape, in particular when it comes to social media.
You are not alone if you are having social GRC anxiety.
With more than 80 percent of data living in social media and other unstructured sources, ignoring these signals may be costly not only from a brand-reputation perspective, but also from a regulatory-and-compliance lens. Whether it is salespeople having off-label conversations, executives overreaching on Twitter, product teams unintentionally sharing intellectual property or disgruntled employees venting on Glassdoor, the risk view for regulatory compliance and the risk view for business performance are closer than ever.
It is about time that internal audit, risk officers and line-of-business owners partnered to create strategies that address these issues.
If your enterprise does not have a social media engagement policy, the first step is to define one. Line-of-business heads need to understand the variety of media outlets and create dos and don’ts for each. Internal audit and chief risk officers (CROs) can look at each of these policies and identify the criticality and threshold crossovers between business performance and regulatory risks. For example, while marketing may encourage employees to tweet, certain topics may be off limits.
Once a clear social media engagement policy is defined, a simple-to-use monitoring system should be put in place. Today’s employees, partners and competitors have tools to spread data at faster speeds than ever before. Building a well-rounded, near-real-time monitoring system that separates signal from noise is not trivial. Key opinions, emotional attachment and topics in any conversation happening around your brand need to be analyzed and quantified, and those quantifications have to be mapped back to the specific business risks and line-of-business performance metrics you are managing. Fortunately, technology is available today to do this analysis in real time.
After mapping the social impact to internal GRC and business-performance functions, how you respond and act is purely a business-criticality decision. An IP-theft conversation about your product on gray-market websites may need to be addressed immediately by your legal department. An executive’s inadvertent tweet about confidential information may require you to make an unplanned disclosure.
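The three steps above (define the policy, monitor the conversation, map hits to a risk and an owner) can be sketched in code. The following is an added example written for this page, not code from the article, from ISACA or from Saama: a rule-based monitor in Python that takes a constructed feed of social posts, drops the noise, tags each remaining post with a policy topic, and flags the ones whose severity crosses the regulatory threshold so they are routed to legal or compliance rather than merely tracked. The topic names, regex patterns, severities, owners and the threshold value are illustrative assumptions; a production system would replace the keyword regexes with the topic and sentiment tooling the text mentions, but the mapping from signal to risk owner works the same way.

```python
"""Added example: a minimal social-GRC monitor (illustrative, not from the article)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample feed; none of these are real posts. 'author' records the
# speaker's relationship to the company because the policy treats insiders and
# outsiders differently when deciding who must respond.
SAMPLE_FEED = [
    {"source": "twitter", "author": "employee:sales",
     "text": "Our new device basically cures migraines, ask me how"},
    {"source": "twitter", "author": "employee:exec",
     "text": "Excited about our unannounced Q3 numbers, confidential but wow"},
    {"source": "glassdoor", "author": "former_employee",
     "text": "Management ignores feedback, terrible place to grow"},
    {"source": "forum", "author": "external",
     "text": "Got the internal build and schematic from a reseller, anyone want it?"},
    {"source": "twitter", "author": "external",
     "text": "Loving the new firmware update, battery lasts all day"},
]


@dataclass(frozen=True)
class Rule:
    topic: str        # policy topic this rule detects (assumed name)
    patterns: tuple   # regexes that indicate the topic (assumed, illustrative)
    severity: int     # 1 (reputation only) .. 5 (regulatory exposure)
    owner: str        # function that owns the response (assumed)
    regulatory: bool  # does this topic cross from business risk into compliance?


# The engagement policy, expressed as rules. Every value here is an assumption
# chosen for the example; a real policy would be written by the line of business
# and reviewed by internal audit / the CRO, as the article describes.
RULES = (
    Rule("off_label_claim",
         (r"\bcures?\b", r"\boff[- ]label\b", r"\bworks for\b.*\b(condition|disease)\b"),
         5, "compliance", True),
    Rule("confidential_disclosure",
         (r"\bconfidential\b", r"\bunannounced\b", r"\bQ[1-4] (revenue|numbers)\b"),
         5, "legal", True),
    Rule("ip_leak",
         (r"\bsource code\b", r"\bschematic", r"\binternal build\b"),
         4, "legal", True),
    Rule("employee_sentiment",
         (r"\btoxic\b", r"\bterrible place\b", r"\bmanagement ignores\b"),
         2, "hr", False),
)


def classify(post):
    """Return the rules a single post trips; an empty list means the post is noise."""
    hits = []
    for rule in RULES:
        if any(re.search(p, post["text"], re.IGNORECASE) for p in rule.patterns):
            hits.append(rule)
    return hits


def noise_ratio(feed):
    """Fraction of the feed that matches no policy rule at all."""
    quiet = sum(1 for post in feed if not classify(post))
    return quiet / len(feed)


def triage(feed, regulatory_threshold=4):
    """Map the feed onto risk topics and decide who must act on each.

    Returns {topic: {count, max_severity, owner, escalate, examples}} where
    'escalate' is True when the topic is regulatory and its severity reaches
    the (assumed) threshold, i.e. the owner must respond now rather than track.
    """
    report = defaultdict(lambda: {"count": 0, "max_severity": 0, "owner": None,
                                  "escalate": False, "examples": []})
    for post in feed:
        for rule in classify(post):
            entry = report[rule.topic]
            entry["count"] += 1
            entry["max_severity"] = max(entry["max_severity"], rule.severity)
            entry["owner"] = rule.owner
            if rule.regulatory and rule.severity >= regulatory_threshold:
                entry["escalate"] = True
            entry["examples"].append(f"{post['source']}/{post['author']}: {post['text']}")
    return dict(report)


if __name__ == "__main__":
    print(f"noise dropped: {noise_ratio(SAMPLE_FEED):.0%}")
    for topic, entry in triage(SAMPLE_FEED).items():
        action = "ESCALATE to" if entry["escalate"] else "track with"
        print(f"{topic}: {entry['count']} hit(s), severity {entry['max_severity']}, "
              f"{action} {entry['owner']}")
```

Run as a script, the monitor drops the firmware-praise post as noise, escalates the off-label claim to compliance and both the executive's tweet and the gray-market IP conversation to legal, and leaves the Glassdoor complaint with HR as a tracked reputation item. The regulatory threshold is the "criticality crossover" the article asks the CRO and internal audit to agree with line-of-business heads; changing it is a policy decision, not a code change.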
The impact of social GRC and big data on enterprises is bringing the emergency-response teams from business and audit closer than ever. Adding a social-GRC framework such as the one described above can be an incremental step: your current GRC investments should be fully preserved and integrated with this new bridge that you are building into the lines of business.