As the term itself implies, GRC covers a range of crucial topics which all deserve to be examined separately and closely. Governance is the umbrella term, since it describes the overall concept of proper (as in "legal") behavior of persons and systems within a company. Risk Management and Compliance, on the other hand, stand for two very different approaches to making governance happen.
Compliance is about staying within the rules (laws, internal guidelines, statutory orders, etc.) set up by parliaments, government agencies, auditors or management. Risk Management denotes the ways and means of identifying, evaluating and preparing for hazards arising from within the systems and their component parts, as well as those caused by improper use or criminal intent. Unlike Risk Management, which is a continual process, Compliance is often viewed as being tied to certain points in time, such as the end of the fiscal year. If you're compliant then, many believe, you can forget about it until next year comes around.
GRC comes in all sorts of sizes and flavors. Companies need to monitor and control their business processes and keep within a complex framework of business rules, tax laws and compliance regulations. For IT, there is a growing number of special requirements covering areas from asset and license management all the way to security and incident management. And of course there is always the thorny issue of access control to think about. But IT compliance should also cover things like proper management of projects and services.
Where are the comprehensive GRC solutions?
In fact, truly comprehensive solutions for GRC are still absent within most corporations and organizations. While Operational Risk Management (ORM) is well anchored within at least some branches and fields, with top management keeping a close eye on a list of selected regulations, it is often sadly missing within both core business units and IT departments. Not to mention the highly desirable concept of unified "Enterprise GRC", or even overall "IT GRC".
There are a number of reasons - or should we say excuses - that are usually cited for this. One is the lack of formal organizational structures and therefore of central responsibility for GRC. Who calls the shots? And who has to take the blame? Also, the typical silos within IT systems, along with the correspondingly narrow IT tools, often block a broader approach to GRC. And finally, many companies don't really know which rules and regulations actually apply to them, or where possible conflicts of interest and responsibility may exist.
Getting priorities right and avoiding expensive mistakes
This is regrettable, since good Risk Management for IT is not only desirable in itself; it also makes good business sense. Investment decisions based on Risk Management tend to be sounder and make it easier to get priorities right. They can also help to reduce the inevitable cost of faulty decisions while at the same time forming the basis for more streamlined organizational processes.
Of course, you can't get GRC fully up and running overnight. But CIOs can start by making the combination of Enterprise GRC and IT GRC within a GRC-ready system architecture their own top priority. This can be followed up by a step-by-step implementation strategy that makes risk assessment and management a central part of overall IT policy. They ignore GRC at their peril because, increasingly, taking undue risks and failing to comply with rules and regulations are simply not an option. By looking at the big picture, CIOs stand to benefit from lower overall costs for GRC through intelligent, informed investment strategies, as well as by avoiding expensive mistakes. With luck, GRC will actually pay its own way within the company. And that is something to think about all year long, not just on New Year's Day.
Created: 30.12.09, modified: 26.01.10