GRC (Governance, Risk Management, Compliance) is presently a core topic for every mid-sized and large organization. The number of regulations is growing. Auditors are focusing on Corporate Governance and IT Governance, are asking for risk management and are looking at access controls and other specific IT aspects.
Thus it is no surprise that we observe an ever-growing number of vendors with offerings to support GRC initiatives. But there is still a lot of discussion around GRC. Besides the challenge of implementing GRC solutions in a consistent manner across the enterprise, covering business as well as IT, several people state that GRC today is mainly about dealing with FUD - fear, uncertainty, doubt. In Kuppinger Cole's view, however, if the potential of GRC is realised and implemented appropriately, it has far greater capacity than just dealing with this issue.
GRC Defined
GRC consists of three parts. Governance is the high-level aspect, which is about doing things right, i.e. managing a company in an appropriate way. IT Governance is a part of it, focusing on the IT department. Compliance and Risk Management are the major initiatives within Governance. Compliance is about fulfilling regulations. It is more of a checklist approach, ensuring that at a given point in time everything required by specific regulations is fulfilled. Risk Management, on the other hand, is an ongoing initiative which focuses on defining, measuring, and handling risks.
Compliance as well as Risk Management affect IT, but aren't limited to IT. Thus, GRC initiatives will always require business and IT to work together. Many of the threats companies are facing in GRC can't be solved - or at least can't be solved efficiently - without IT and specific tools. These tools might control, measure, analyze, and report on aspects of specific regulations as well as support the risk management initiatives.
But even though business and IT have to work together, there are at least two layers in GRC. One is what we call Enterprise GRC, the other is IT GRC. Enterprise GRC focuses on the high-level enterprise initiatives, especially around compliance reporting and risk management, covering operational risks as well as aggregated information about IT risks.
IT GRC, on the other hand, is focused on the specific aspects of IT Governance and IT risk management, including access control aspects, information security, and availability aspects.
There is No Single GRC Solution
IT GRC, again, is multi-faceted by nature. There are many solutions for different purposes out there. Experts for specific regulations claim to provide the required tools, as do GRC platform vendors providing more generic GRC solutions. Vendors from segments like Identity and Access Management (IAM), Enterprise Content Management (ECM), and Business Service Management (BSM) likewise claim that they provide the key to solving all GRC problems. And many other tools are offered specifically for selected ERP systems, providing GRC controls and support for segregation of duties in these environments.
But there is no single solution which covers all requirements. Thus, a GRC strategy has to focus on selected tools, at least for different infrastructure segments like IAM and BSM, and on their integration with a centralized Enterprise GRC approach.
Most of today's generic GRC tools (i.e. those supporting more than one specific regulation) focus on the management of authorizations or entitlements, i.e. who is allowed to do what in which system and with which information.
Tools in this segment support at least five core features, even though there is no vendor which can fully support all of them in a single product today. These core features are:
- Business Role and Rule Management: Roles and rules are the basis for enforcing and analyzing SoDs (Segregation of Duties) as well as for managing attestation, risk management, and authorization management.
- Auditing and Analysis: Detailed and aggregated, dashboard-type analysis functionality to support questions of the "who had access to what when" type.
- Attestation: Support for review of authorizations.
- Risk Management: Definition, measurement, and management of risks.
- Authorization Management: Enforcing authorizations down to the system level, based on business roles, rules and other constraints.
Kuppinger Cole expects to observe a strong trend towards more complete offerings from many vendors, supporting a broad range of platforms and not being limited, for example, to SAP or Oracle applications. In addition we expect a tighter integration of these IT GRC platforms with underlying systems like Identity Provisioning and with Enterprise GRC solutions.
The Business Value in GRC Initiatives
Given this understanding of the GRC market, the question remains which business value GRC solutions can provide. Certainly GRC solutions might help in avoiding problems, including legal issues. But that, in fact, is the FUD part of it. And something which is bought just because it has to be done isn't what companies are looking for.
But there are two areas with a huge potential for business value. One is risk management, the other is authorization or entitlement management, whichever term is preferred. Both can support organizations in becoming more efficient and agile.
Risk Management as an Opportunity
Risk management is not only about avoiding risks. The first step is to identify potential risks and define thresholds for them. There has to be continuous monitoring of the risk status. And there have to be defined actions in the case of detected risks, either automated or manual.
Even during the implementation phase there is much potential for business value. Identifying risks and measuring the current status inherently leads to a reflection on current business processes and will, in virtually every organization, highlight potential improvements. Incidentally, defining and measuring Key Risk Indicators (KRIs) should be done before the implementation of tools. Many analysts, integrators, software vendors and consultants provide pre-defined KRIs which can serve as a baseline for risk management projects. This baseline can then be compared with the status after completion of the project and thus prove the (hopefully positive) results of the initiative.
Continuously identifying and measuring risks supports focused management. Directors can then turn their attention to the really critical situations that arise. This "management by risks" provides obvious value.
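The core features listed above (role and rule management, SoD analysis, the "who had access to what when" audit question) and the risk-management loop just described (a KRI with a threshold, continuous measurement, a defined action when the threshold is breached) can be shown together in a small model. The following Python is an added illustration written for this article; it is not Kuppinger Cole's code nor any vendor's product, and the roles, business functions, SoD rules, users and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data for illustration (not from the article).
# Business roles bundle business functions; SoD rules name pairs of
# functions that one person must not hold at the same time.
ROLE_FUNCTIONS = {
    "AP_CLERK":   {"create_vendor", "enter_invoice"},
    "AP_MANAGER": {"approve_payment"},
    "TREASURY":   {"release_payment"},
    "AUDITOR":    {"read_ledger"},
}

SOD_RULES = {  # (function_a, function_b): severity
    ("create_vendor", "approve_payment"):   "high",
    ("enter_invoice", "release_payment"):   "high",
    ("approve_payment", "release_payment"): "medium",
}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    valid_from: date
    valid_to: Optional[date]  # None means still active


ASSIGNMENTS = [  # constructed assignment history
    Assignment("alice", "AP_CLERK",   date(2007, 1, 1), None),
    Assignment("alice", "AP_MANAGER", date(2008, 3, 1), None),               # toxic combination from 2008 on
    Assignment("bob",   "TREASURY",   date(2007, 6, 1), None),
    Assignment("bob",   "AP_CLERK",   date(2007, 6, 1), date(2007, 12, 31)),  # temporary role, now expired
    Assignment("carol", "AUDITOR",    date(2008, 1, 1), None),
]


def _as_date(on):
    return on if isinstance(on, date) else date.fromisoformat(on)


def active_roles(assignments, user, on):
    """Roles a user held on a given day (date or ISO string)."""
    on = _as_date(on)
    return {a.role for a in assignments
            if a.user == user and a.valid_from <= on
            and (a.valid_to is None or on <= a.valid_to)}


def functions_of(roles):
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def sod_violations(assignments, on):
    """SoD analysis over business functions: {user: [(func_a, func_b, severity), ...]}."""
    result = {}
    for user in sorted({a.user for a in assignments}):
        funcs = functions_of(active_roles(assignments, user, on))
        hits = [(fa, fb, sev) for (fa, fb), sev in SOD_RULES.items()
                if fa in funcs and fb in funcs]
        if hits:
            result[user] = hits
    return result


def who_had_access(assignments, function, on):
    """Audit question 'who had access to what when': users holding a function on that day."""
    return sorted(u for u in {a.user for a in assignments}
                  if function in functions_of(active_roles(assignments, u, on)))


def kri_sod_rate(assignments, on, threshold):
    """KRI: share of users with a high-severity SoD conflict, compared with a threshold.
    Returns (value, status, action) so that a defined action follows a breached threshold."""
    users = {a.user for a in assignments}
    flagged = sorted(u for u, hits in sod_violations(assignments, on).items()
                     if any(sev == "high" for _, _, sev in hits))
    value = len(flagged) / len(users) if users else 0.0
    if value > threshold:
        return value, "red", "open attestation review for: " + ", ".join(flagged)
    return value, "green", "no action"


if __name__ == "__main__":
    for day in ("2007-09-01", "2008-06-01"):
        print(day, sod_violations(ASSIGNMENTS, day))
        print(day, "release_payment held by", who_had_access(ASSIGNMENTS, "release_payment", day))
        print(day, kri_sod_rate(ASSIGNMENTS, day, threshold=0.2))
```

Evaluating the same rule set on two dates is the point of the assignment history: bob's temporary clerk role creates a high-severity conflict in 2007 that has disappeared by 2008, while alice's added manager role creates a new one. The KRI function returns the action as data rather than executing it, which is where an automated or manual response would be attached.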
Authorization Management - Providing Speed and Flexibility
The second area that can provide additional business value is authorization management. Whilst attestation, auditing and analysis are reactive, authorization management is the active part. Risk management can be proactive, as described, because problems often can be identified before they actually happen, or at least before they lead to expensive consequences.
Authorization management defines access controls based on business roles, rules, and other constraints. In fact it is a high-level definition of who is allowed to access which IT resources. These definitions are then enforced by lower-level systems like provisioning tools, the new type of network entitlement/authorization management solutions, and the upcoming support of fine-grained authorization management tools for the target systems. Undoubtedly there will be some requirement to manage certain aspects of access control on lower layers of the IT infrastructure. But authorization management can and does cover the core systems as well as critical data.
This not only reduces the amount of administrative work which has to be spent at the provisioning layer and at target systems. Besides consistency and the ability to reconcile access controls, authorization management provides more speed and flexibility for organizations. Changes in the organization are automatically reflected in the entitlements. New business processes can be described easily at the high level of authorization management, and this information is used to control the lower-level systems. Thus, the agility of organizations and the IT/Business alignment will benefit.
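The mechanism in the two preceding paragraphs, a high-level definition of business roles that lower-level systems enforce, with organizational changes flowing into entitlements and reconciliation against the target systems, looks like this in miniature. The Python below is an added example written for this article, not Kuppinger Cole's code or any product's schema; the identity attributes, role rules, system names ("ad", "erp", "mail") and entitlement names are constructed.

```python
from dataclasses import dataclass

# Constructed sample policy (not the article's data, and no real product's
# schema): the authorization-management layer holds business rules and
# role definitions; reconciliation turns them into actions for the
# lower-level provisioning system.


@dataclass(frozen=True)
class Identity:
    uid: str
    department: str
    title: str
    location: str


# Business rule: a role is granted when every attribute condition matches.
ROLE_RULES = {
    "EMPLOYEE":         {},
    "FINANCE_USER":     {"department": "finance"},
    "FINANCE_APPROVER": {"department": "finance", "title": "manager"},
    "DE_PAYROLL":       {"department": "hr", "location": "DE"},
}

# Business role -> {target system: entitlements the lower layer must enforce}
ROLE_ENTITLEMENTS = {
    "EMPLOYEE":         {"ad": {"Domain Users"}, "mail": {"mailbox"}},
    "FINANCE_USER":     {"erp": {"FI_DISPLAY", "FI_POST"}},
    "FINANCE_APPROVER": {"erp": {"FI_APPROVE"}, "ad": {"Finance-Approvers"}},
    "DE_PAYROLL":       {"erp": {"HR_PAYROLL_DE"}},
}


def derive_roles(identity):
    """Business roles an identity is entitled to, derived from its attributes alone."""
    return {role for role, cond in ROLE_RULES.items()
            if all(getattr(identity, attr) == value for attr, value in cond.items())}


def target_entitlements(identity):
    """Expand the derived roles into the per-system entitlement set to enforce."""
    wanted = {}
    for role in derive_roles(identity):
        for system, ents in ROLE_ENTITLEMENTS[role].items():
            wanted.setdefault(system, set()).update(ents)
    return wanted


def reconcile(identity, actual):
    """Compare the wanted state with what the target systems actually hold.
    actual: {system: set(entitlements)} as read from the systems.
    Returns a sorted list of (system, 'grant'|'revoke', entitlement). Anything
    held in a system that no role explains is revoked, which is how grants made
    directly in a target system surface during reconciliation."""
    wanted = target_entitlements(identity)
    actions = []
    for system in sorted(set(wanted) | set(actual)):
        w, a = wanted.get(system, set()), actual.get(system, set())
        actions += [(system, "grant", e) for e in sorted(w - a)]
        actions += [(system, "revoke", e) for e in sorted(a - w)]
    return actions


if __name__ == "__main__":
    alice = Identity("alice", "finance", "manager", "US")
    current = {"ad": {"Domain Users", "Finance-Approvers"},
               "erp": {"FI_DISPLAY", "FI_POST", "FI_APPROVE"},
               "mail": {"mailbox"}}
    print("in sync:", reconcile(alice, current))
    # Organizational change: alice moves to HR in Germany. Only the identity
    # record changes; the entitlement delta follows from the rules.
    moved = Identity("alice", "hr", "manager", "DE")
    for action in reconcile(moved, current):
        print(*action)
```

The identity record is the only input that changes when alice moves departments; the provisioning actions (revoke the finance entitlements, grant the payroll one, leave the baseline employee entitlements alone) are computed rather than requested ticket by ticket, and an entitlement that appears in a target system without a role behind it is flagged for revocation on the next reconciliation run.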
The key to successful GRC is, in Kuppinger Cole's opinion, a consistent approach for Enterprise GRC and IT GRC, a focus on generic tools instead of point solutions, an integration of IT GRC across silos like IAM, ECM, and BSM - and a focus on business value and Business/IT alignment with a higher degree of automation. That is no easy project - but it can be done step by step. Using KRIs, there is the opportunity to prove the business value at every stage of such an initiative. Thus, GRC done right goes well beyond dealing with FUD.