Today I read a press release from Novell where they claim that most enterprise don't realize the value of Compliance. For sure, if you think about Compliance, then most of us first think about the pain of being compliant. More reports, more rules, new applications,... And, honestly, Compliance is first of all something reactive, avoiding penalties.

But there are as well some clear advantages, like we've mentioned several times. This is especially true if you look on it from a general "Governance, Risk Management, Compliance"-perspective. There are, especially in the risk management area, clearly visible opportunities for enterprises. Detecting, managing and thus reducing or avoiding risks brings value.

The other important aspect is that the process maturity of corporations increases when they start to implement enterprise-wide GRC approaches (even while today mainly the even process-mature corporations are implementing these solutions). Defined processes and integrated data about what happens in the enterprise are drivers for optimization. GRC done right and in the context of business process optimization is a key instrument for the management.

IT has to provide the technology to implement a consistent, automated GRC approach. "Manual" Compliance way to expensive. It requires tool support. But with this approach, where IAM plays a central role, IAM will change - it will become a part of a bigger thing, integrating GRC (and, in this context, Business Role Management) and what I name "Enterprise Information Management" (look here and here).

I definitely agree with Novell on their point that there is business value in Compliance. But I'd like to add: The real value is only visible from an enterprise perspective. From an IT perspective, Governance/Compliance automation is cheaper than manual work - but first you have to invest into IT. Thus, if IT likes to argue with Compliance to gain budgets for their infrastructure improvement they have to argue from a management perspective and an IT perspective and must not remain in their IT-only view of the world.