
Optimize Risk (IAM Goal)


Title

Optimize Risk

Alternative Wordings

  • Manage Risk

  • Mitigate Risk

  • Optimize Risk

  • Operational Risk

  • Risk Management

Sources

Quotes

KPMG and Everett, 2009, p. 3

Governance, Risk and Compliance is by far the main driver of IAM

(KPMG and Everett, 2009, p. 3)

KPMG and Everett, 2009, p. 7

Governance, Risk and Compliance (GRC) – Being ‘in control’ and able to prove it;

(KPMG and Everett, 2009, p. 7)

Osmanoglu, 2013, p. 5

The Risk and Compliance Business Case

This type of business case has been the driver behind the successful initiation of many IAM programs in the last several years. The financial services and healthcare industries in particular have been subject to increased regulatory requirements to more closely manage and control user access and provide more granular control to segregate the duties of users. The case for change often starts with an external auditor or regulatory body issuing a management letter of findings or a Matter Requiring Attention (MRA) to executive leadership or the board of directors. Often the threat of sanctions or fines is a strong motivator for the businesses to address these issues. At some point either the board or an executive leadership committee issues a mandate to comply. When that happens, the business case is pretty much made. All that is left is to articulate how the IAM program will mitigate the risk or comply with the regulatory issues identified.

(Osmanoglu, 2013, p. 5)

Royer, 2013, pp. 46-47

3.3.1 Why Do Organisations Introduce EIdM?

EIdM projects are no ends in themselves, as they are introduced to obtain a specific goal. Amongst a variety of driving factors and reasons for introducing EIdM into an organisation,179 the following primary and secondary reasons taken from the interviews seem to be the most prevalent reasons being named by the experts180:

• Primary goals:

◦ Compliance goals (constraint for organisations)

◦ Business-related goals (e.g., efficiency, automation of processes, general cost reduction, accounting for IT costs)

• Secondary goals:

◦ Risk management/IT security goals

◦ Enabler for new business opportunities

The presented primary and secondary goals are not mutually exclusive.181 Overlaps and synergies can for example occur in cases where organisations seek to comply with relevant laws by introducing an EIdMS. In the course of the introduction and the proceeding re-organisation of the organisational IT and related processes, better efficiency can be gained due to clean-ups and streamlining of process once being fragmented. Also other overlaps in goals can be achieved; however, these depend on the individual setting being analysed.

(Royer, 2013, pp. 46-47)

Small, 2004, p. 7

The key business drivers that make identity management important are financial discipline, operational risk and compliance with legal and regulatory requirements.

(Small, 2004, p. 7)

Small, 2004, p. 8

Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement. Better management of the way in which employees, partners and customers are identified and their access is controlled and audited can mitigate some of these operational risks.

(Small, 2004, p. 8)
