Risk Management unplugged!

26th March 2009
These are tough times for the Indian Information Technology-enabled services outsourcing industry. The days of basking in the assured business from three-fourths of the world's outsourcers are gone with the recessionary wind. With the entire tech sector under pressure, corporate clients look to squeeze margins every which way they can -- and only the technologically fittest service providers survive.

Even elements of one's offering that were considered mundane and decidedly unsexy, like in-house corporate governance and regulatory compliance, have suddenly begun to loom large on the horizon, with the potential to separate the men from the boys, the winners from the also-rans.

Which is why many outsourcing services players in India -- and quite a few domestic leaders in the financial and commercial space -- are increasingly turning to companies that promise to thoroughly audit -- then automate -- the processes that ensure IT governance and compliance.

One of the leaders in this space, Symantec, has set out in a formal way the roadmap that companies need to follow to ensure that they have the checks and measures in place when it comes to the processes and technologies needed:
- to align IT with the business;
- to assure their offshore clients that they follow internationally accepted norms of governance;
- and to comply with all the statutory requirements of the client's own operation.

"The cost and complexity of IT governance, risk and compliance (GRC) can be significantly reduced through a process of automated assessment of policies and procedures against industry benchmarks and best practices," says Vishal Dhupar, Managing Director, Symantec India. "One has to continuously monitor one's processes using dynamic dashboards."

He suggests a three-stage game plan to make this happen:

FIRST, define the regulatory framework that applies: SOX, FISMA, BASEL II or whatever the client's operating environment dictates; as well as the global and national standards that need to be applied: ISO 17799, NIST, NSA and the internal policies that are currently practised.

SECOND, control and monitor corporate policies while placing tight controls on key holdings: operating systems, databases, directories, applications.

FINALLY, govern -- demonstrating due care and optimising the overall risk management system.

The company offers a Control Compliance Suite (currently in version 9.0) which covers the IT compliance cycle end to end and supports risk assessment for quick identification and remedial action.

Dhupar agrees this cannot be a one-size-fits-all solution and needs to be customised and tweaked for each enterprise. He points to the successful implementation of a unified compliance and corporate governance solution for HDFC Bank, which addressed 6 critical areas including data loss prevention, incident management and storage management, as a good example.

If you thought of Symantec only as the "Norton wallahs", the guys who took on viruses and promised Internet security, you may have to think again. The company has shrewdly reworked its offerings, harnessed the strength it drew from acquisitions like the storage management company Veritas and the data loss prevention player Vontu, and come up with a Godfather-like 'offer you can't refuse' for Indian IT players, particularly those who need to deal with global clients: an offer that says, "Let us help you manage your risks".

You can download a copy of the Symantec White paper, Integrated IT Risk Management here:

(Compiled by Anand Parthasarathy, from Symantec collateral and after a briefing by Vishal Dhupar, Managing Director, Symantec India)