Creating a Culture of Compliance

No company is immune from the laws, regulations and policies that shape today's business world. The increasing globalization of markets, expansion into new industries and regions, and the growing number of mergers and acquisitions compel enterprises of all sizes and types to comply with a number of rules and requirements. These include new and emerging regulations, along with well-established ones, such as the Sarbanes-Oxley (SOX) Act, the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS).

Even within organizations, "compliance knows no boundaries," according to Merritt Maxim, senior product marketing manager at CA, who uses HIPAA to illustrate his point: "HIPAA's regulations, and penalties, apply to all departments within an enterprise: medical, IT, HR and sales, as well as the executive and administrative staffs. That's why enterprises need to take a top-down approach and embed the culture of compliance throughout the organization. Everyone should own compliance."

The key to creating such a culture, Maxim says, is to take a C-level view of governance, risk and compliance (GRC). Senior executives must be proactive in managing risks and compliance, while also remaining agile enough to adapt to changing business demands. One way to achieve this is by centralizing GRC. "Businesses must deal with a large number of laws and regulations, but there is a lot of overlap within the organization," Maxim points out. "Centralizing GRC is more efficient than having each affected department deal with regulations on an individual, manual basis. Centralizing saves time and resources and also reduces duplication."

Meeting the Challenges

Managing GRC can be a daunting challenge. To deal with it, many organizations initially focus on risk and compliance, according to Maxim. "They gather and document information on their processes and practices," he explains, "and once those pieces are in place, they can move on to the governance component of GRC. At that point, companies understand their posture on risk and compliance, and they want to find ways to manage those initiatives even more effectively."

Maxim recommends a centralized solution for GRC, such as the CA GRC Manager, which integrates with other CA technologies for automating key IT controls in order to provide a comprehensive solution for the management of governance, risk and compliance programs for IT. "By centralizing all the existing processes and methodologies in CA GRC Manager," he says, "organizations get fact-based decision-making and oversight of the IT risk and controls, and they get stronger compliance as a result."

The biggest challenge in the GRC arena, Maxim believes, is not the technology; it's the people. "We need to break down the silos between people and departments and educate employees on the value of compliance on an enterprise-wide level," he advises. "Unfortunately, people often think they have more important things to focus on than compliance. So it requires a C-level executive to get people thinking in a new way and accepting their ownership of GRC."

To handle governance, risk and compliance effectively, enterprises should follow industry best practices. According to Maxim, these practices include:

- Implementing existing frameworks, such as COBIT, ITIL and ISO standards
- Finding an executive champion to get the entire organization on board with the necessity of taking compliance seriously
- Investigating technology solutions that can automate processes, going beyond spreadsheets and emails
- Setting up processes that are sustainable and repeatable in order to drive revenue growth

Looking to the Future

The future of GRC promises more: more rules and regulations, more technology innovations and compliance solutions, more consolidation with other tech applications and more education for employees. And you can be sure that the regulatory environment will continue to evolve. "Expect to see changes in U.S. laws and regulations in 2009 when the next president takes office," Maxim predicts. "He or she may make the regulations more or less stringent, but, either way, companies need to be prepared. Executives and managers should engage their counselors and keep up to date with what's happening in the compliance arena. They must be diligent about continuing to test and audit and to educate their employees."

The final message Maxim wants to impart is, "Don't be complacent. You need to always be alert and diligent."