Three's company: Governance, risk and compliance


The promise of governance, risk and compliance technology is alluring, but getting it to work effectively is a different story, reports Alan Earls.

While governance, risk and compliance (GRC) management is nothing new, assembling these three disciplines continues to be challenging – particularly as companies look to optimize their compliance efforts to become more cost-efficient. 

The growing focus on GRC as a single, unified framework grew out of the passage of the Sarbanes-Oxley Act of 2002 (SOX) and the requirement for publicly held U.S. companies to devise and implement governance controls to support the compliance mandates of SOX. Risk management, an implicit element in the SOX formulation, essentially came along for the ride, as companies recognized the possibility of addressing these topics from a holistic point of view.

But even if one is unfamiliar with GRC, the reality is that its activities are usually already occurring in one's organization, says Patrick Potter, GRC strategist at RSA Archer Business Continuity and Audit, a Hopkinton, Mass.-based information technology as a service (ITaaS) provider. Internal audit has probably been evaluating processes and controls for years, and IT security has been managing compliance with various access rules. Similarly, business continuity programs are likely reviewing impacts and risks on a regular basis. “Really, any function that assesses a risk, evaluates a control, governs according to a regulation or common framework, or evaluates performance, is addressing a GRC function,” Potter says.

However, implementing a GRC program can be overwhelming because it can touch every part of the organization, engaging different domains and cutting across many management perspectives. But the good news is that the pieces do fit together and can be integrated successfully, although the degree of success varies, says Renee Murphy, a senior analyst covering GRC at Forrester.

She says enterprise-wide acceptance is becoming universal. Typically, she says, one part of the organization will get the ball rolling, whether it is finance, security or some other domain. Once the idea of risk management gets airborne, says Murphy, “the tentacles go out to the rest of the organization and it boils up to become enterprise risk management.”

She says that while implementing GRC is important, learning to leverage it is equally critical. “Many organizations seem happy to simply know what their posture is – for example, relative to risk – but that information can be used to support better decision-making,” Murphy says.

Another obstacle to widespread acceptance is developing a taxonomy that is useful across the organization. For example, risk may be defined in different ways by HR or by the IT department. Having a means to discuss these holistically is important to successful integration. 
