Corporate information silos create compliance inefficiencies cost an organization money and time, but GRC tools can help break these system and information silos. Information isolation comes from broken systems, both human and electronic. When these human systems act independently, businesses repeat policies and processes that can lead to inconsistencies. Those inconsistencies can lead to compliance issues.
When computer systems act independently, security gaps can form. All of these lead to audit inefficiencies that cost a company money in terms of productivity. Those costs multiply when applied to compliance and audit because the information silos lead to confusion over responsibilities and accountability. That adds hours and cost to the audit process. Finding the right GRC tool to automate these communications breaks the silos by connecting people and systems.
GRC Automation Breaks Information Silos
What are information silos?
Information silos refers to either a management system that does not play nicely with other systems or an organization where information does not flow between departments. Whether discussing an information silo in terms of people or computers, the growth of the disconnect can be related to programming. Just like machines, people must be taught how to act in given situations. Corporations that encourage interdepartmental fiefdoms will find themselves facing this kind of disconnect.
What creates system information silos?
An IT organization is at a greater risk of silos than other organizations because there are two separate types of myopia that can affect the business.
The first type of isolated information would be technological, or within your company’s systems. According to Frankie Basso at Systemware, three catalysts to information silos exist.
Legacy systems – Sure corporations want new and better systems, but all too often they park them next to the systems they already have. They are unwilling to give up legacy systems either because it is too difficult to migrate or there is really no reason to go through the expense and effort to move to another system. The current system provides the functionality the organization needs to do the job.
Mergers and acquisitions – This can be the trickiest of all with the ramifications of organizations that suddenly find themselves with two ways – or more – to do seemingly everything. Oftentimes the best way for individuals to handle these sensitive situations is to ignore them. It works for individuals in the short term, but for organizations it’s an issue long term.
Merger or not, each department inside an organization looks for a system or systems that address their specific requirements. When content in these different systems can’t be leveraged, time is wasted on repetitious tasks.
Vendor diversity – In their understandable search for flexibility, corporations seek to diversify their vendor base. More solutions from more ECM providers creates more ways to capture, manage, store and access information. All those collaboration and information-sharing tools can end up adding layers of complexity.
With more vendors providing enterprise content management, businesses may be choosing different vendors to organize and store the documents and content about their strategies methods and tools. Organizations may be choosing vendors based on theirs products without thinking up front about the integration across multiple systems.
What creates interdepartmental information silos?
In addition, many organizations, information technology or not, suffer from interdepartmental silo mindsets. According to Brent Gleeson and Megan Rozo in a 2013 Forbes article,
The silo mindset does not appear accidentally nor is it a coincidence that most organizations struggle with interdepartmental turf wars. When we take a deeper look at the root cause of these issues, we find that often silos are the result of a conflicted leadership team.
Many executives may look at their organization and dismiss department inefficiencies and lack of cross-functional solutions with immature employees, lack of basic training, or simply the inability for some employees to play nicely with one another. Unfortunately, while these behaviors may be a result of the silo mentality; it is not the root cause. These assumptions will lead to long term harm to the organization by creating resentment and cynicism within the teams. Most employees become frustrated with their department and the organization when they have identified the problems, but can’t do anything about it. It is the responsibility of the leadership team to recognize this and rise above to create effective, long-term solutions that are scalable, executable, and realistic.
Although these two types of siloed information seem different, both stem from conflicting programming. In the case of the computer systems, that programming is in terms of code. In the case of the employees, that programming comes from management.
New technology seems exciting and shiny, just like new employees. However, anything new means replacing a pre-existing software or person. These kinds of legacies often lead to migration issues. When it comes to systems, it’s often easiest to just find a work around instead of taking on the expense of data migration. This means that when other systems in other areas are brought in, the legacies either don’t interact well or you are tied to your current vendor’s options.
The same can be said with management. People who have worked in a field for several years often find it difficult to change, thinking that “new” makes them “old” and outdated in the workforce. This inherent human fear leads to people not always being willing to share knowledge. In the same way, mergers and acquisitions only add to these rigid responses. Departments want to keep using the systems they know well, in the same way that managers want to keep using procedures they’ve always used. The sense of “if it ain’t broke don’t fix it” certainly helps to create information silos. While this may work in the short term, the lack of connection leads to long term problems.
How do information silos cost a company?
At the end of the day, the bottom line is what matters. Back in 2009, the University of Maryland’s researchers noted that poor communication in hospitals in the United States cost $12 billion a year which was approximately two percent of the nationwide hospital revenues and more than half of the average 3.6 percent hospital margin. IT and information security aren’t hospitals. Inefficient communication occurs in any industry, medical care just happens to have some numbers to support it.
Brittany Pay at eFileCabinet notes that, “silos can form when managers focus on individual departments, departments work in isolation, goals are kept on an individual department basis, or communication as a whole is not fostered and encouraged. Silos keep people from understanding what other departments and individuals are doing, effectively forcing everyone to work in a partial state of isolation.
The result of a silo in your business is a lack of productivity, poor morale on a company-wide scale, and, inevitably, poor financial performance.” When it comes to cost, the lack of communication can lead to gaps in work being completed which then requires additional time to figure out how to close those gaps. It also means that people’s expertise may be going to waste.
Similarly, systems that work in isolation and don’t connect with other systems create a disconnect in how work is done and how information is accessed. For example, if a payment system and a data storage system don’t play nicely together, it’s difficult for employees to share documentation to help support payment processing.
How do information silos specifically impact IT compliance?
IT compliance requirements often overlap across standards. Marne Gordon wrote in an article for CIO Update,
Although the goals of the multiple information security regulations may be different, there are six basic commonalities between the prevalent regulations, such as SOX, HIPAA, Payment Card Industry Data Security Standard (PCI), and ISO27001.
At first glance SOX and HIPAA do not seem to have much in common. HIPAA protects patient information, while SOX aims to reform corporate accounting practices and safeguard investors.
All of these mandates, however, require an incident response plan; a business continuity and disaster recovery plan; physical and logical controls over access to data; hiring, retention, and termination policies; and data backup and recovery procedures.
This means that when each of your departments is creating their own workflows, they are doubling, tripling, or even quadrupling the amount of time spent on the same tasks. This inefficiency costs the organization in several ways.
First, this lack of communication costs the overlap of time spent on the same task. Second, the different approaches are often reviewed separately meaning that more than one manager is reviewing the same item. Third, there is a cost associated with ensuring consistency between workgroups. Fourth, with so many people engaged in the same type of work, the person to whom questions should be directed is unclear. All of these costs impact your compliance.
How do silos impact IT audit?
The information silos impact your IT audits in all the same ways that they impact your compliance and more.
MIS TI Training Institute interviewed Michael Gallagher, managing director of CBIZ Risk and Advisory services, and shares.
“Companies are required to manage risk throughout the organization, by process and by sub-organization. The silos occur when that process isn’t coordinated across the company,” said Gallagher. “So each individual, officer, leader, department, or location decides on their own way to manage risk and their own priorities, and they may or may not be linked to anything related to the company’s strategic objectives. And that is a problem.”
According to Gallagher, there are some red flags to look for that could be indicators of an environment where risk silos are likely to occur. “Some of the signals are policies and procedures in organizations that differ greatly by location, process, leader, or executive,” he said. “Anytime you see schedules of authorization, levels of authorities, anything that is trying to determine approvals and authorizations and ways to talk about and quantify risk that aren’t tied to the company’s strategic objectives are clear indicators of silos in the organization.”
When too many people are involved in too many places, the risks are multiplied rather than mitigated. This can lead to poor audit results, which then leads to additional spending on compliance.
How do you break down information silos?
Kotter International noted in a Forbes article, that two ways to eliminate silos were to:
Bring the outside in: Make divisions share data with one another so people understand how each division is performing, what customer or external stakeholder complaints are, and where this room for improvement.
Create a “guiding coalition” that breaks down barriers: Bring together a team of people committed to changing the way the organization operates, composed of people from all levels, divisions and locations.
By bringing your organization together and finding people committed to communication, you can break down the silos to create greater efficiency. This sounds like it only takes care of the interpersonal silo; however, people create systems and update them. Paul Duvall, at IBM’s developerWorks blog, explains,
A cultural obstacle they often encounter is that traditional development and operations teams tend to work in silos, limiting the amount of inter-team communication until software release times. (And such communication is often confined to a series of tickets in an issue-tracking system.) Growing software enterprises must become more collaborative, or else they will cease to exist. The software industry is changing in this direction-much more quickly than some anticipated-as the result of cloud computing, which makes computing resources less scarce, and business demand. Companies that evolve will put those that don’t out of business.
As emphasized in the introductory article of this series, collaboration across organizational boundaries is one of the anchors of agile DevOps. This article discusses how establishing cross-functional teams and broadening the skill sets of delivery-team members are ways to increase collaboration and break down the traditional barriers that prevent software from being delivered continuously.
When developers from across an organization work together, software delivery becomes smooth and continuous. By creating agile DevOps, the organization can create systems that play better with one another.
How can GRC automation help break down silos?
GRC automation doesn’t create cleaner systems or remove employee turf wars. It does, however, create an atmosphere of integration. Spreadsheets are not the best way to approach GRC.
An automation platform, like ZenGRC, provides easy access to everyone involved in each compliance area. In the same way that DevOps needs to be collaborative so does compliance. By using an automation platform, the C-Suite sets the tone of collaboration.
Automation allows for you to see easily where there are overlaps in workflows so that you can apply the same protocols across the organization. The correct GRC automation system will allow you centralize evidence collection and assessments while also assigning roles to different members of the company.
By doing this, automation creates instant team collaboration and allows you to set up workflows that combine project management with compliance. In other words, automation is an elegant answer to creating efficiency.
Silos in information technology come in different forms. Despite the impact of system silos, you must keep in mind that people create those systems. Using automation as an elegant solution to create efficiency can add financial and moral value to your business.