Governance, risk management and compliance (GRC) planning is still a new concept, but already it has gotten a bit of a bad rap. Mainly, it's been called too vague and, now, frequently gets overused by vendors hawking their wares – whether or not these solutions are directly related to GRC.
One could talk to five different people and end up with five unique definitions of GRC, says Craig Shumard, CISO of the health benefits company CIGNA. There simply are so many different understandings of the acronym, he adds.
“I think it's way too broad. Sometimes having a broad definition dilutes things a little bit,” he explains. “Yes, everyone can fit under the tent, but I am not sure how productive the conversation is.”
Due to such a broad interpretation of GRC among industry players, the question of what it actually is and where businesses should start with it has been on the minds of researchers over the past few years.
“One of the things that puzzled us was defining it,” says Scott Crawford, research director at research firm Enterprise Management Associates (EMA).
Through some of his recent research, he's found that real-world practitioners correctly see GRC planning as focused on people and processes, as well as on “turning processes into strategic assets.” To some, this means that GRC is all about maturity and cultural change inside an organization. And such an evolution in thinking begins when the IT security pros begin working in concert with the organization's compliance pros, says Paul Proctor, research vice president of security and risk at Gartner.
What it's not
“It's about collaboration and communication – getting parts of an organization to share information and processes to drive efficiency,” says Michael Rasmussen, president of the GRC strategy advisory firm Corporate Integrity, and the man who has been called the founder of what he calls “this whole GRC mess.”
But it may be easier to define what GRC is not. GRC is not just about technology, and it is not owned by one person, says Rasmussen. There are no corporate borders for such a cohesive approach. And whether one likes the acronym or not, GRC planning – done right – can address IT governance, along with the need to control risks and assure compliance, adds Crawford.
While consensus is needed around the definition of GRC, CIGNA, for its part, already is experiencing the benefits of this holistic method. Having evolved over the last couple of years, CIGNA's GRC plan is driven by the need to meet customer expectations of privacy, as well as state and federal mandates, Shumard says.
It involves all aspects of the business, but has four prominent individuals leading the effort to provide attention and visibility to the plan, in addition to ensuring that others are aware of the related issues and what needs to be done, Shumard says. Heading up the initiative is Shumard, of course, who oversees information protection for the organization, along with the vice president of enterprise risk management, the chief privacy officer and the chief compliance officer.
Their GRC plan has afforded CIGNA a number of benefits on the information security end, including greater access control and the ability to more proactively spot anomalies and issues. From an enterprise-risk standpoint, the company has shifted to more bottom-up reporting of risk. On the policy and governance side, too, it is able to modify or adjust policies much more quickly, Shumard says.
There are ancillary benefits, also. For example, an integrated GRC program can positively impact a company's credit rating, or save money when compliance mandates are met – thereby avoiding associated fines. It also allows the IT organization to focus on innovation, instead of having its time taken up with managing multiple, siloed compliance efforts, says Mark Lobel, a principal in advisory services at PricewaterhouseCoopers. In short, an effective GRC effort will increase an organization's sustainability, consistency, efficiency, transparency and accountability, Rasmussen adds.
Budgeting for GRC efforts can be a challenge though, especially in light of the financial crisis. A GRC program is not something that typically is budgeted for. Instead, organizations allocate funding for the creation of governance committees, IT risk management programs (with an IT risk officer at the top), the creation of a formalized IT security program, or the implementation of good risk assessment, Proctor says.
Yet there are drivers that can propel GRC planning forward, say experts. Often, such an effort is driven by the need to achieve compliance, better understand risk relationships across the various aspects of the business, and increase efficiency.
On the governance side, a GRC effort should address how decisions are made relative to risk and compliance issues. Also, ensuring decisions are made by the right individuals is important because people are going to make different decisions depending on where they are in the organization.
The risk piece is critical, Lobel says, as it focuses on identifying the risks and opportunities that exist across the organization. And, in terms of compliance, what sets a GRC effort apart is that organizations will manage compliance across issues, rather than just within issues, Rasmussen explains.
EMA conducted a survey in 2008 to find out how enterprises are succeeding in IT GRC management in the real world. Respondents were asked to describe their organizations' attributes: how critical IT governance, risk and compliance management are to the business, and how critical IT is to key business operations. EMA found 23 percent of respondents to be “high performers” in terms of IT management effectiveness, with 51 percent classified as medium performers and 26 percent classified as low performers.
“For high performers, the criticality of IT as a strategic asset correlated to the criticality of IT GRC effectiveness,” EMA's research summary states. “This, in turn, led to greater support among senior management for assuring accountability for adherence to defined objectives.”
EMA's Crawford adds that some businesses are becoming more aware of the benefits of folding their governance, risk management and compliance needs into a common discussion. Over the past year, he has noticed that more enterprises are asking him about how to overlap these areas. Going forward, he believes enterprises will be faced with more compliance needs as a result of the economic crisis, so this may drive organizations to undertake a GRC effort.
There has been some growth in the number of companies undertaking GRC efforts, says Rasmussen, especially among global companies and large enterprises. This is because there is a need for better transparency at larger companies, which often get hit with their share of IT security surprises throughout the year.
Indeed, the GRC concept is being put to use, but the guiding principles of such planning are currently not as widely adopted as they could be, contends Lobel.
“I don't think a lot of organizations have mastered the integration of GRC into a single discipline,” says John Linkous, IT governance, risk and compliance evangelist at eIQnetworks, a GRC vendor.
Financial services companies, for instance, are ahead in terms of implementing GRC planning, mostly because they are “audited and monitored like hawks.” But those organizations that are opting to skip cohesive GRC planning are instead leaving it up to the individual business units to handle the issues a holistic approach can address. As a result, these organizations are missing tremendous benefits, Lobel says.
“You can step back and say, ‘We can do these things more efficiently and effectively and at a lower cost,’” Lobel says.