Emerging Regulations: Building the Foundation for a Mature and Compliant GRC Organization
The importance of a well-rounded and supported Governance Risk Compliance (GRC) strategy.
Given its economic impact, any business standard California enacts can impact the rest of the United States and beyond. Here is what can happen for professional services organizations and law firms when the California Consumer Privacy Act (CCPA) goes into effect in January 2020.
The CCPA is similar to the European Union's General Data Protection Regulation (GDPR). Both require organizations to know what personal data they hold, to make it accessible when a consumer asks for it, and to delete it when a consumer requests erasure.
However, the CCPA and GDPR differ in how penalties are structured. The GDPR caps administrative fines at 4% of global annual turnover (or 20 million euros, whichever is higher). Under the CCPA, the California Attorney General may seek civil penalties of up to $2,500 per violation and up to $7,500 per intentional violation, and because penalties are assessed per violation, an incident that touches many consumers' records adds up quickly. Those penalties are separate from the statutory damages consumers can pursue directly for data breaches that result from a failure to maintain reasonable security. With exposure at that level, a first CCPA enforcement action will have executives asking why the right systems and processes for data privacy were not already in place. The CCPA could also prompt other states to adopt their own data privacy penalties.
While the headlines have recently focused on CCPA and GDPR, the US Department of Defense has its own information-security rules requiring prime contractors and their subcontractors (including organizations acting as sub-processors) to meet stricter security compliance requirements. To this end, the Office of the Under Secretary of Defense for Acquisition and Sustainment has worked with stakeholders to develop the Cybersecurity Maturity Model Certification (CMMC) to enhance the protection of controlled unclassified information (CUI) across the defense supply chain.
Nearly all professional services firms face these challenges. It is tempting to dive straight into the details of each rule, but organizations must first think about how threats and regulations will affect their business activities. With the right structure, systems, processes, and procedures in place, employees can make sense of CCPA, GDPR, and any other rules through the lens of Governance Risk Compliance (GRC), a concept developed by the Open Compliance and Ethics Group (OCEG).
What is Governance Risk Compliance (GRC), and why does it matter?
From an IT perspective, GRC consists of the following elements:
- Governance: Managing IT operations in a way that aligns with and supports the organization's business goals.
- Risk: Having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.
- Compliance: Making sure that IT systems—and the data contained in those systems—are used and secured properly.
Building and running a comprehensive GRC practice, so that the firm operates as a mature organization and is ready for things that go wrong, requires establishing best practices in several areas.
Manual processes, responsibilities that shift with the situation, rules that change over time, and access control all fall under GRC. These standards must be adhered to internally, and third parties and vendors should be held to the same standards as well.
Most importantly from a regulatory standpoint, with GDPR now in force and CCPA arriving, the GRC practices and strategies that oversee your data present a big challenge for most firms. You need to know what physical and digital data you have, where it is located, who can access it, how it is secured, and how it flows through your processes. Security protocols and standards for data storage and transfer are essential.
To meet regulatory requirements, you can be asked to erase both physical and digital data. Other capabilities may be required as well, such as data masking to transform sensitive data so that it stays private. Law firms may need ethical walls to separate client data and avoid conflicts of interest.
Enterprise Resource Planning (ERP) and other systems that underpin GRC
Moving to a future-ready, centralized Enterprise Resource Planning (ERP) or core practice management system is a key step in establishing a mature Governance Risk Compliance (GRC) strategy firm-wide. By simplifying your global IT landscape, including the ERP, customer relationship management (CRM), and human capital management (HCM) systems that hold large amounts of customer and employee data, you can respond quickly to data visibility and access demands from any regulator.
With these elements in place, firms are also better prepared to comply with CCPA and GDPR. Modernizing your systems also helps ensure completeness when you are tasked with erasing requested data or performing related tasks, since data kept in one place is easier to find and delete than data scattered across disparate systems.
How GRC can benefit you
When implemented properly, a well-rounded and supported GRC strategy can enhance a firm's reputation and help it avoid fines. The efficiency of team members in individual departments can improve as well: they have a framework that tells them where data is, who can access it, and which ethical walls apply to it.
Moreover, the benefits go beyond just improving trust between employees and clients. The Big 4 accounting firm KPMG reports that “A successful GRC implementation can result in savings through operational efficiencies, labor cost savings, and long-term IT cost reductions.”
Well-managed GRC gives you an organization that works in unison, anticipates potential risks, prioritizes actions, and relies on a single authoritative source within IT operations to discover quickly where and how your information is stored, instead of searching through many disparate systems. Moving to a modern platform that receives regular updates and security enhancements can help with the management process, too.
Take action now
Fulcrum Global Technologies (Fulcrum GT) can be your partner in meeting Governance Risk Compliance (GRC) requirements. As a client and Independent Software Vendor of the IBM Cloud, Fulcrum GT offers a platform that provides privacy, resiliency, flexibility, control, and disaster recovery for your data. Law firms that use Fulcrum's SAP-based ERP systems have a database that provides these benefits and more to their clients as well as their team members.
NOTE: The postings in this blog are the author’s opinion and don't necessarily represent the positions, strategies or opinions of IBM.
Drew Blazaitis is an expert in business operations technology at Fulcrum GT.