Sopra Steria takes new approach to Governance, Risk and Compliance

by Florian Delabie - Information Security Consultant

In a bold move away from the traditional reactive and ad hoc approach to Governance, Risk and Compliance (GRC), Sopra Steria Benelux aims to create more value for its customers by making them ‘compliant by design’. This will allow our branch to move up the value chain, extending our portfolio of operational services with a more tactical and even strategic GRC offering.

Within the current complex and constantly evolving business climate, there is definitely a need for such a strategic GRC offering. Not only is cybercrime, along with information itself, growing at an alarmingly exponential rate, but on top of that our customers are experiencing increasing legislative pressure, especially with regard to data management.

There is in fact more and more constraining legislation related to data protection these days, to the extent that most organisations simply won’t be able to continue to deal with that amount of pressure on a purely reactive, ad hoc basis. A new, proactive and deliberately systematic approach is clearly in order. And at Sopra Steria we feel we have exactly what it takes to provide that new GRC approach to our customers.

‘Compliance checklist’ approach

A new approach to GRC requires first and foremost a new vision. Ours is built on four important building blocks, as shown in the illustration below: data, information, security and regulation. Most organisations and many of our competitors traditionally tend to focus on the outer layers of that vision circle: security and regulation - the tip of the iceberg, so to speak. They work with compliance checklists, translating often complex regulations into simple to-do lists for their customers to check off. Sometimes they add a couple of security checks into the mix, but more often than not their GRC efforts end there.

We on the other hand prefer to turn that traditional GRC approach around, taking the business operation of our clients as our main starting point and paying particular attention to the data and information supporting that business operation. By carefully managing and controlling our clients’ data and information, we help them become resilient to future new regulations - to a certain extent, anyway. The idea being that, if a new regulation emerges tomorrow, they will have proactively adapted to it already. And therefore they will be able to comply more easily and more quickly.

Turning a burden into an opportunity

By taking on this new GRC approach and making our customers’ data in a sense legislation- and regulation-proof, we are able to create more value for our customers. Complying with GDPR, to give but one example, then becomes an opportunity instead of an (extra) burden, which admittedly was the way most companies tended to feel about that regulation. It was something extra they had to add to their existing processes. Whereas complying with GDPR really is a case of common sense and putting in place some basic data management rules – which is part of our core business anyway. Once you’ve done that, every new process or project you take on will be compliant by design, without your having to add extra procedural layers for it.

So in the end, compliance by design is basically about implementing good practices and raising practical awareness. That way you can avoid doing one-shot projects to achieve compliance. That approach leads to little or nothing substantial and is merely a waste of time, money and effort, because every time a new law comes out, you are obliged to start all over again. So why not get immediately at the root of the problem?

Read more about GRC as part of our cybersecurity offer. It is one of our four key areas of expertise in that leg of our services portfolio.