Three's company: Governance, risk and compliance


The promise of governance, risk and compliance technology is alluring, but getting it to work effectively is a different story, reports Alan Earls.

While governance, risk and compliance (GRC) management is nothing new, assembling these three disciplines continues to be challenging – particularly as companies look to optimize their compliance efforts to become more cost-efficient. 

The focus on GRC as a single, unified framework grew out of the passage of the Sarbanes-Oxley Act of 2002 (SOX) and its requirement that publicly held U.S. companies devise and implement governance controls to support the compliance mandates of SOX. Risk management, an implicit element in the SOX formulation, essentially came along for the ride, as companies recognized the possibility of addressing all three topics from a holistic point of view.

But even if one is unfamiliar with GRC, the reality is that its activities are usually already occurring in one's organization, says Patrick Potter, GRC strategist at RSA Archer Business Continuity and Audit, a Hopkinton, Mass.-based information technology as a service (ITaaS) provider. Internal audit has probably been evaluating processes and controls for years, or IT security has been managing compliance with various access rules. Similarly, business continuity programs are likely reviewing impacts and risks on a regular basis. “Really, any function that assesses a risk, evaluates a control, governs according to a regulation or common framework, or evaluates performance, is addressing a GRC function,” Potter says.

However, implementing a GRC program can be overwhelming because it can touch every part of the organization, engaging different domains and cutting across many management perspectives. But, the good news is that the pieces do fit together and can integrate successfully, although success varies, says Renee Murphy, a senior analyst covering GRC at Forrester. 

Enterprise-wide acceptance is becoming universal, she says. Typically, one part of the organization will get the ball rolling, whether it is finance, security or some other domain. Once the idea of risk management gets airborne, says Murphy, “the tentacles go out to the rest of the organization and it boils up to become enterprise risk management.”

She says that while implementing GRC is important, learning to leverage it is equally critical. “Many organizations seem happy to simply know what their posture is – for example, relative to risk – but that information can be used to support better decision-making,” Murphy says.

Another obstacle to widespread acceptance is developing a taxonomy that is useful across the organization. For example, risk may be defined in different ways by HR or by the IT department. Having a means to discuss these holistically is important to successful integration. 
