GRC (Governance, Risk Management, Compliance) has become a leading issue not only for IT professionals, but for senior management as well. However, it isn't always clear who's in charge. Responsibility for GRC is set to become a major issue in the coming months.
So whose job is GRC, anyway? Unfortunately, there is no clear-cut answer. Most intuitive solutions prove, on closer inspection, to be just too simple. It can't be the CFO, because that would mean he would be in charge of policing his own bailiwick. The CIO can't do it, either, unless we're talking only about controlling the IT services that his department provides to the business units. The controlling department's duties are usually too limited. Other obvious candidates may include the CCO (Chief Compliance Officer) or the CRO (Chief Risk Officer), but both probably lack clearly defined functions.
This is why most companies approach GRC as an isolated solution. In the world of »Enterprise GRC« (which would more aptly be named »Business GRC«), it's all about business controls and how IT can support them. In practice, this means replacing spreadsheets with less manual, more highly automated controls.
Continuous Controls Monitoring calls for automated supervision of IT systems, typically with a focus on business processes. Unfortunately, these solutions seldom deliver what they promise. And so-called Process and Risk Control solutions which focus on the IT systems fall somewhere between Enterprise GRC and more technical solutions.
Of course, there are loads of very specific »GRC« offerings out there, including solutions involving attestation and recertification of access rights, which we should best call »IAM-GRC« (Identity and Access Management-related GRC), as well as a smattering of SIEM solutions (Security Incident and Event Management), a few odd BSM solutions (Business Service Management) and lots more. Mostly, they address a narrow range of controls in great detail and with a high degree of automation.
With no clear lines of responsibility for GRC or clean separation of duties, many companies suffer from "GRC anarchy", with multiple, often self-defeating and costly projects being put in place by different departments. It doesn't help that vendors have been much too slow in achieving full integration between different systems and various levels of implementation. This integration, however, is essential if companies are ever to achieve seamless control of business and IT, along with the necessary automation and granularity, over their entire organization.
Getting there will call for strong leadership by the CIO. He's the one with the broadest overview, and only he can provide the necessary level of detail in creating IT-based controls for the entire firm. However, this also means that the CIO must be able to anticipate the needs of the business units as well as the demands of management for a comprehensive solution offering a clear overview of corporate GRC. The better the CIO does his job of convincing all concerned that the road to real GRC leads through integrated solutions, the sooner the company will achieve its goal of clear business-IT alignment.