Compliance is a box that any organisation with international ambitions must tick. But across the Middle East, organisations must also do this if they are to participate in the many government-backed infrastructure initiatives and flagship development projects.
While there is no shortage of governance, risk and compliance (GRC) tools which, thanks to the power of supplier marketing, can give the impression that successful GRC is just a question of implementing plug-and-play software, the reality is complex, and different for every organisation. Organisations that have been successful in implementing GRC strategies are those that have advanced through consultants and invested in the right skills.
Rajiv Prasad, CIO at Sàvant Data System, said with the major focus now on advanced technology, the Dubai Expo 2020 and Fifa World Cup 2022 in Qatar, there is a growing need for GRC regionally. “SMEs [small and medium-sized enterprises] that have bid for projects connected to these two events are facing rigorous compliance tests,” he said.
GRC regulations are also pushing enterprises to efficiently use their resources. “This will result in improved management and better service delivery, thus enhancing quality offerings and customer experience,” he said.
Prasad said enterprises need to make sure staff are tech savvy, with in-depth understanding of the businesses and markets they serve. As GRC is gaining momentum in the corporate sector in the region, it is essential for organisations to invest in training employees. “Both technical skills and soft skills are needed if organisations are to succeed with their GRC strategies in the Middle East,” he said.
Prasad said enterprises in the region need to develop a GRC architecture that is a healthy mix of the old and tools. The GRC architecture also requires tools that collect and consolidate data like market and credit risks, strategic risks and other analytics. “Data needs to be pulled from both internal and external sources,” he said. “For example, internal data from security and enterprise resource systems, as well as external data such as regulatory content feeds.”
GRC is a business enabler, not a restrictor as some may feel, said Prasad. “It aims at enhancing the long-term performance of organisations,” he said. “GRC is not a product, it is a methodology, it’s a discipline of sorts. It is essential to impart more knowledge in this to give organisations a better understanding of what GRC is all about.”
The benefits of understanding an organisation’s risks are better demonstrated when everyone associated with the business is actively involved.
Strong teams of expert associates who foster strong relationships with customers and suppliers to offer the best solutions will help organisations stand out in the GRC space in the Middle East, said Prasad. “Implementing an effective GRC platform helps to find and analyse data that stands out, which in turn helps to cultivate better regulatory and compliance practices across the entire organisation.”
GRC has aided Sàvant in coordinating organisational strategies and processes better, keeping all employees, departments and technology in sync. “This has increased transparency and maximised business control,” he said.
Making a case for GRC to C-level executives
Given that most corporate governance issues are not strictly enforced in most companies in the region, it is sometimes hard to make a GRC case to C-level executives.
The main prerequisite for a successful implementation of governance in an organisation is senior management awareness and a willingness to support the project. So, whether it is hard or not, IT teams must do all they can to achieve buy-in from C-level executives.
If this support is given, implementation of governance in an organisation can be delivered, and how easy or difficult it is will then only be dependent on how the organisation operates. “If the organisation adopts good management principles, has well-identified processes and good information flow, from top management down to the operational level and vice versa, implementation will be easy,” said Prasad. “If this is not the case, or if the governance thoughts are only applied to parts of the organisation, it will be more difficult to achieve.”
In the Middle East, there are diverse trends that might influence the take-up of GRC in 2017. “On one hand, there is the economic situation, which can influence the market as long as organisations are concerned about their budget and success rate,” he said. “They are less likely to invest in GRC as the return on investment is hard to quantify in this .”
However, the region is also witnessing a fast-growing interest in cyber security, and the landscape of cyber threats and risks makes people more aware of the need to invest in anything that might help to protect their organisations and digital assets from cyber risks. “Currently, the specific GRC requirements that organisations are facing are a mix of local and regional legislation and regulations, as well as international standards,” said Prasad.
The importance of understanding local legislation
It is fundamental for any organisation to be aware of all local and regional legislation, regulations and standards, as well as the international standards they need to comply with.
In the United Arab Emirates (UAE), for example, the governments of Dubai and Abu Dhabi – as well as federal agencies – have developed standards in recent years. In addition, the UAE currently has no privacy legislation, but with the increasing demands for this around the world, this situation is likely to change.
“Therefore, any organisation dealing with information should have a process in place that supports the identification of information security and GRC requirements, and the processes should ensure these requirements are adequately addressed and incorporated in the overall GRC arrangements in place,” said Prasad.
As the market matures, the regulatory landscape is undergoing a major transformation, led by regulators in Saudi Arabia, Qatar and the UAE.
“GRC tools are broad and will allow organisations to manage risks across all the domains: enterprise risk, internal control systems, IT risk and business continuity,” he said. “A successful implementation therefore boils down to understanding the business needs, having the technical knowledge to work with the right solutions and then having a robust implementation process.
“Executive stakeholders including CIOs and CTOs [chief technology officers] need to understand the value a GRC practice can bring to their organisation. It is a discipline that will affect every aspect of the business’s daily operations.”