Governance as opportunity: Governance, risk, and compliance in the cloud


One of my key themes is that of governance as enabler. As I proposed in my keynote on the transformation of business at the recent AICD conference, ‘Governance should focus as much on enabling innovation and taking useful risks as about managing and mitigating risk’. Over 93% of the 600 or so company directors present agreed with me.

Today I’m at the Implementing Information Infrastructure Symposium, where I earlier gave the opening keynote on The Future of Information Infrastructure. Looking at governance from the perspective of information technologies is very instructive. Governance is a top priority for CIOs and IT departments, not least because there is so much that can go wrong in information management, notably from losing or exposing valuable data.

GRC is the acronym used by industry hands to describe Governance, Risk, and Compliance. Compliance is becoming increasingly prominent – arguably even dominant – in technology, because government agencies are legislating on how consumer data should be protected, what information needs to be kept, the audit trails required, and even where data can physically be stored. The US SEC has sufficient expectations of companies’ data storage and retrieval capabilities to mandate hefty fines for every day taken to respond to requests for data.

This of course creates significant costs for organizations simply to comply with regulations. In turn this has given rise to an entire industry for data backup, archiving, and discovery, and storage that meets specific government requirements. In addition there is the potential for even heftier costs if things go wrong, such as losing critical business data.

Where all this can become an opportunity is in the rise and value of big data. MIT’s Erik Brynjolfsson recently released research that showed organizations that use ‘data-driven decision-making’ have 5-6% higher productivity than their peers that do not. McKinsey’s recent report on big data suggested corporate and government value in the trillions for using data effectively.

Approaching this the right way can start to integrate the costs and benefits of managing data. Managing data effectively can be designed to meet both compliance and risk management requirements, as well as the opportunities from mining that data for value. Governance can and should encompass both containing the downside and building the upside. The frameworks and processes stemming from governance need to be about maximizing value creation.

To this point, Benjamin Woo, who is IDC’s global lead for storage and big data, spoke about some of these issues at the conference.

According to IDC research, we are moving from 800 Exabytes of data created in 2009 to 35 Zettabytes (ZB) in 2020. Of this, 5ZB will reside in cloud services, and an additional 12ZB will be touched by cloud. Just 30% of the data is generated by companies.

Technologies exist for data discovery and mining, creating massive opportunities from this mass of data, but these tools are not yet mature. What needs to happen is that governance, risk, and compliance becomes part of the process of creating business value.

More generally, I think it is important to note that IT governance and corporate governance have long been treated as separate. As I pointed out in my keynote this morning, technology – including in data management – is increasingly central to corporate strategy. 

We should take as a given that corporate governance needs to be focused as much on innovation as on risk control. That must be manifested in how technology is implemented and managed. Corporate governance and IT governance need to come together, both focused on value creation in equal part to pinning down risk and meeting compliance requirements.