Failures to adequately deal with governance, risk management and compliance (GRC) initiatives are costing the UK economy £1.5bn annually, according to new research. The research, conducted by GRC firm su53Solutions, also suggested that regulations and fear of reputational damage are stifling innovation at UK businesses.
According to the findings from 200 CIOs at businesses with more than 1,000 workers, fears around protecting corporate reputation and complying with regulations result in losses of £1.13m in revenue for the average UK company each year. Adding to this, each company loses over 500 days' worth of productivity each year due to ineffective GRC controls.
"The figures may be the tip of the iceberg," Martyn Proctor, managing director at su53Solutions, told CBR. "Lots cannot be measured, and if businesses were being truly honest and really looked into it, the figure could be far higher."
The majority (74%) of CIOs said they felt regulations and fear of reputational damage are stifling innovation, which is a critical growth strategy for any company. Regulations such as Sarbanes-Oxley, and to a lesser extent the ICO's powers to fine companies for data breaches, are creating a climate of fear in which many processes are reactive measures. These can create more problems than they actually address, as companies can quickly lose control over their GRC processes, Proctor said.
"Do you need to have all those controls for Sarbanes-Oxley? You may have lots of audits and sets of controls, but they are all doing the same thing," he said. "Fewer controls will mean more efficiency and the brave [those that take action] will succeed. There will be less panic and more efficiency. Companies looking at this will need to decide what really matters [in a GRC project] and integrate it with the business."
"Good CEOs will see this [the stifling of innovation] as an issue," Proctor added. "A lot of businesses feel impeded by controls and regulations. It could frighten companies off expanding internationally, for example. You will succeed if you take risk management safely – put in place controls to monitor if something is not working as it should. The worst thing a company can do is nothing."
Workers worried about loss of productivity have an alarming habit of bypassing GRC controls, according to the survey. In 69% of enterprises, workers will temporarily give colleagues their computer log-in details without the approval of IT, while nearly half (42%) of companies hand responsibility for implementing GRC controls to a third party.
"Outsourcing GRC controls is madness," Proctor told CBR. "Giving control of your data and systems to a third party is absurd. You need specific terms in the contract with exact controls, and so should be doing that yourself. If you give it to someone else to sort out, whose fault will it be if something goes wrong? The market will see it as yours, so you need your own controls and to be proactive about it."