AIIM Study: Managing GRC
12 June 2015, 17:25
AIIM intl., the international umbrella association of the ECM industry, has published a new market study on "Managing Governance, Risk and Compliance with ECM and BPM". The data was collected worldwide in April 2014. The study can be downloaded free of charge after registering on the AIIM website.
AIIM is known for conducting market surveys on current topics at regular intervals. The current market study "Managing Governance, Risk and Compliance with ECM and BPM" (http://bit.ly/AIIM-GRC) is therefore particularly interesting when compared with the results of earlier studies. The underlying message, that too little attention is paid to governance, risk management and compliance, has even intensified in some areas. The capabilities of ECM (Enterprise Content Management) for managing and making accessible all important information, and of BPM (Business Process Management) for controlling and tracing processes, have so far been used only inadequately.
The table of contents and the key findings of the 15-page study, in the original:
Contents
- About the White Paper
  - About the White Paper
  - Process used and survey demographics
  - About AIIM
  - About the author
- Introduction
  - Introduction
  - Key Findings
- Drivers for GRC
  - Drivers for GRC
  - Risks
  - Challenges
  - Stakeholders
- GRC Issues
  - GRC Issues
  - Managing Regulatory and Standards Compliance
  - Managing the Policy Lifecycle
  - Managing Operational Risk
  - Managing Audit
  - Managing Supply-Chain Risk
- Use of ECM/RM/BPM
  - Use of ECM/RM/BPM
  - Role of ECM/RM/BPM in GRC
  - Current Usage
- GRC Solutions
  - GRC Solutions
  - Solution Selection
- Opinions and Spend
  - Opinions and Spend
  - Spends
- Conclusion and Recommendations
  - Conclusion and Recommendations
  - Recommendations
- Appendix 1: Survey Demographics
  - Survey Background
  - Organizational Size
  - Geography
  - Industry Sector
  - Job Roles
Key Findings
Drivers
- Reputational risk is twice as big a driver for compliance (44% of respondents) as avoiding fines and penalties (20%). 32% consider “being a good corporate citizen” to be the prime driver.
- Keeping policies and procedures up to date is a bigger challenge (40%) than keeping up with new and changing regulations (26%). Managing the paperwork to demonstrate compliance is given as the biggest challenge by 19%.
- Security risk (56%) and information privacy risks (52%) are of extreme concern. Then come reputational (48%) and regulatory risk (42%). Financial and operational risks are rated less highly, but are of extreme concern for 35% of our respondents.
- There is a very wide spread of roles deemed to “own” the GRC program, with Legal (14%) or the GRC committee (12%) most likely – although only 27% have a GRC committee.
GRC Issues
- Adoption of best practice in managing the policy lifecycle is poor. 38% have no scheduled reviews, 28% have no central store for policies, and 18% don’t capture employee acceptance.
- 47% struggle with multiple systems to document compliance requirements and 45% use manual processes to track performance against requirements. 19% use home-grown systems that they admit are not efficient or effective.
- The biggest issues with managing operational risk are lack of visibility and control (50%) and no way to track key indicators (27%). Not having a central system for records is an issue for 30%, and 25% struggle to provide management with timely reports.
- 45% of respondents find their biggest challenge with internal audit operations is that processes are manual and inefficient. Having multiple and disparate systems to manage audit information is an issue for 35%.
- Managing supply-chain risk is made difficult by vendor information not being stored in one place, nor being up-to-date for 35%. Gaining risk visibility of vendors and classifying them by risk profile is problematic for 25%.
- 81% support the view that “GRC is good for business”, although there is crossover with the 42% who consider it to be “a necessary evil.”
Use of ECM/RM/BPM
- ECM and RM are used widely for policy management (69%), BPM for tracking and resolution (20%) and GRC tools for managing IT threats (30%), but all four are used across the range of GRC management.
- 67% see ECM, BPM and RM as essential to solving GRC problems. 27% would like to use these tools for GRC, but the systems they have are not well optimized for this purpose.
- 40% feel that they are achieving regulatory compliance by using their ECM/RM system, but 78% feel they could get much more value from these systems.
GRC Solutions
- Ability to integrate with existing infrastructure (43%) and ease-of-use (35%) are given as the most important selection factors for GRC solutions, along with price (37%).
- 46% of the organizations surveyed plan to spend more on GRC software or services in the next 12 months, including 15% spending more on software licences, and 19% on vendor implementation services.
The complete study is available for download.