Generating Returns from IT Governance, Risk Management and Compliance (GRC)

Oct 31, 2011 12:00:00 AM

IT Governance, Risk Management and Compliance Enables Competitive Differentiation, Cost Reduction and Growth.

By Nancy Nafziger

No one can deny that IT departments are under constant change. This is a huge challenge considering that IT departments are consistently under pressure to deliver a greater number of services faster, with more approvals, more complex processes, budget cuts, and, to top it off, greater regulatory requirements.

How does IT keep up with the demands of increased operational efficiency and governance, risk management and compliance mandates at the same time?

Wikipedia defines Governance, Risk Management, and Compliance, or GRC, as the umbrella term covering an organization’s approach across these three areas. Being closely related concerns, governance, risk management and compliance activities are increasingly being integrated and aligned to some extent in order to avoid conflicts, wasteful overlaps and gaps.

Wikipedia’s diagram: GRC Frame of Reference

IT governance, IT risk management and IT compliance are three well-defined disciplines that, in the past, existed in silos within large organizations.

Michael Rasmussen at Corporate Integrity, LLC defines GRC as follows:

  • Governance is the culture, policies, processes, laws, and institutions that define the structure by which companies are directed and managed.
  • Risk Management is the coordinated activities to direct and control an organization to realize opportunities while managing negative events.
  • Compliance is the act of adhering to, and demonstrating adherence to, external laws and regulations as well as corporate policies and procedures.

Rasmussen continues, “GRC is an approach to business. It is about individual GRC roles across the organization working in harmony to provide a complete view of governance, risk, and compliance. It is about collaboration and sharing of information, assessments, metrics, risks, investigations, policies, training, and losses across these business roles and processes.”

A successful integrated GRC strategy uses a single set of control material, mapped to all of the primary governance factors being monitored.

What are the three most common individual GRC roles?

  • Financial GRC. Relates to the activities that ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
  • IT GRC. Relates to the activities that ensure the IT (Information Technology) department supports the current and future needs of the business, and complies with all IT-related mandates.
  • Legal GRC. Relates to tying all three roles together via a legal department and Chief Compliance Officer.

What exactly is IT GRC?

  • Using IT to manage the various Governance, Risk Management and Compliance Management processes of an organization.
  • Ensuring proper governance, risk management and compliance management of all IT systems and processes that support the business operations.

Implementing a unified IT GRC approach, and managing the associated processes coherently, will create operational efficiencies, provide visibility into IT processes and ensure accountability. IT plays a significant role in integrating GRC processes.

Okay, so how does IT keep up with the demands of increased operational efficiency, governance, risk and compliance mandates and reduce costs—all at the same time?

Daniel Magid outlines the Top Six Cost-Cutting Strategies for IT Compliance:

  1. Encapsulate compliance processes into an automated system
  2. Create structured, controlled software development processes
  3. Apply Best Practice Methodologies
  4. Collaborate, Collaborate, Collaborate
  5. Develop Specific Compliance Reports/Templates
  6. Bring on New Technology

In my opinion, encapsulating compliance processes into an automated system and bringing on new technology are most important.

Magid continues that a strong software compliance solution should:

  • Establish repeatable, automated compliance and change processes.
  • Link change lifecycle workflow to Best Practice Methodologies.
  • Include compliance-related report templates supporting standards.
  • Create centralized management and visibility of IT assets, and progress reporting for auditing and performance improvement.
  • Provide a collaborative communication infrastructure that ensures IT services and software initiatives support overall business goals.
  • Reduce IT costs by ensuring project teams build the application correctly the first time around.
  • Enable communication between stakeholders of all changes in projects, and ensure appropriate notification, reviews and approvals.
  • Provide a secure, visible repository of all application artifacts.

If you are looking for a way to manage your IT GRC processes, now is the time to implement a request management system and an advanced workflow engine such as Kinetic Request and Kinetic Task. With this powerful system you can automate your IT GRC processes such as:

  • Audit and Risk Processes. Includes the processes necessary for establishing internal audit and risk teams, conducting internal audits, and audit reporting.
  • Configuration Processes. Includes all the processes required for hardware and software configuration.
  • Human Resources Processes. Today’s IT organization mandates a detailed description of the IT organizational structure and additional hiring practices such as security requirements. This HR process starts with the hiring process and moves through training, job descriptions, job performance, and the end of a staff member’s job cycle (job transfer to another department, promotion, or leaving the organization).
  • Operational Processes. Includes everything from roles and responsibilities through help desk processes, managing IT configurations, capacity management, allocating costs, accountability, and all other processes that keep an IT organization on track.
  • Acquisition Processes. Includes the processes necessary for planning and the documentation crucial for acquiring new software and hardware.

Kinetic Request and Kinetic Task enable you to reduce costs, streamline your IT GRC processes, improve IT efficiency and gain full control of complex GRC approvals and tasks.

Written By: Tom Pick