IT GRC: Behind the Buzz

IT GRC-or, IT governance, risk and compliance-is rapidly gaining the attention of CIOs and CISOs in businesses across the country. After all, the objective of IT GRC is to more efficiently strike an appropriate balance between business reward and business risk, an essential equation that these executives must attain. How does IT GRC help? By replacing traditional, siloed approaches to addressing individual components with a more unified approach that takes advantage of the many commonalities and interrelationships that exist among governance, compliance and risk management.

Adopting such an approach can result in significant benefits to IT organizations. According to the 2008 annual research report by IT Policy Compliance Group, firms with the most mature, effective IT GRC practices enjoy higher revenues and profits as well as customer satisfaction and customer retention rates. They also experience dramatically lower financial losses due to data theft or loss and are much less likely to have customer data stolen or lost-all while spending less on regulatory compliance annually.

As more and more IT organizations consider the potential implications of IT GRC in their environment, it is important to understand just what IT GRC is and is not.

IT Only?

IT GRC is driven by the business. Because organizations increasingly rely on IT to support the goals of the business, more effective oversight or governance of IT is critical. At the same time, IT compliance automation has grown beyond simply meeting regulatory requirements, to managing the entire compliance lifecycle in the context of business risk.

IT GRC offers a way to tie all these components together so that regulations are translated into actionable policies, controls are in place to address regulatory and legal requirements, remediation is more easily managed, and business executives have a more complete view of risk and compliance upon which to base their decisions.

Accordingly, the IT Policy Compliance Group found that the companies with the most mature IT GRC practices, competencies, and capabilities included leadership by a range of stakeholders beyond IT, including senior management, legal, finance, and internal and external audit as well as various business unit managers. This is because IT GRC benefits the entire business by driving business performance, controlling risk, and achieving compliance efficiencies.

Product, Project or Program?

The good news and bad news with IT GRC is that it does not have a start or an end date. Just as good corporate governance, risk management, and regulatory compliance are not one-time events, IT GRC is not a project. It is not a product either which a company can simply install and forget about it. IT GRC is an ongoing effort that adapts to a fluid business environment in which business risks and regulations are constantly changing. It is a combination of processes, procedures, technologies and best practices.

Indeed, in today's dynamic and highly interconnected business environment, the complexity of ensuring compliance and strong IT governance in an organization is often made more difficult by the increasing variety of security issues that must be monitored as well as the multiple external mandates that must be addressed. To that end, IT GRC must be integrated into project and business planning methodologies. New IT initiatives must be evaluated for their potential impact on governance, risk, and compliance. Current business processes must be reevaluated to ensure that controls are in place to protect assets, meeting regulatory demands, and mitigating risk.

Technology can help. While companies will likely find it prohibitively costly and inefficient to invest in individual solutions for each compliance mandate they face, new solutions are emerging that combine IT risk assessment and compliance capabilities to facilitate an integrated approach. These solutions automate IT GRC processes such as defining appropriate policies based on regulatory mandates, to assessing IT controls, remediating deficiencies, and generating detailed reports for decision support. By utilizing technology, organizations will streamline their IT GRC processes, improve data quality, simplify reporting, and reduce costs.

Set It and Forget It?

The only way to know whether IT is meeting expectations is to measure results-not just once, but regularly. Through frequent assessments and reporting, organizations are able to better deliver business value and lower risk.

According to the IT Policy Compliance Group report, the most effective organizations participate in and evaluate their performance in a variety of practices and functions. These include strategic IT planning and business alignment; IT performance assessment and measurement; IT security, assurance and risk management; IT audit and compliance management; and IT operations and resource management. They also routinely assess and report on the status of IT governance. In fact, the average rate of measurement among the best performing companies is once every five to six weeks.

Manual Methods-Good Enough?

Unfortunately, the majority of costs associated with implementing strong IT compliance and risk management come from repeatable, time-consuming processes such as creating and distributing policies, tracking exceptions, managing standards, and performing both procedural and technical assessments. By leveraging automation where possible, organizations can accomplish these processes more efficiently and accurately time after time.

According to IT Policy Compliance Group, the most mature IT GRC firms automate ongoing monitoring and measurements, the collection of audit-related data, and procedures and controls. They also automate activities such as the ongoing assessment of compliance with policy as well as remediation and change management

Automation can help define and map policies to best practices, frameworks, and regulations and identify overlaps in control objectives to reduce duplicative control assessment efforts. Automation tools often ship with a wide range of sample policies and policy templates and can easily be customized to help address both industry regulations and internal mandates that a specific company must meet. They can also be used to distribute written policies throughout the organization, tracking end-user policy acceptances and exception requests.

Automation tools may also perform risk-based analysis and map evidence directly to control statements, which improves traceability between evidence and frameworks or regulations.

As organizations gain a better understanding of IT GRC and how it can be implemented in their organization, then take steps to begin putting IT GRC into action, they will begin to see improved business results and reduced financial risks.

Higher revenues, larger profits, and increased customer satisfaction and retention rates together with reduced downtime, data loss, and compliance-related expenditures can be achieved by leveraging the commonalities and interdependence of IT governance, risk and compliance disciplines to enjoy a more unified framework from which corporate decision-making is based.