KuppingerCole Report
Advisory Note
By Mike Small

GRC Reference Architecture

GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational goals. GRC is concerned with setting objectives, policies and controls and monitoring performance against these. This report provides an architecture for the successful implementation of GRC within an organization.
By Mike Small (sm@kuppingercole.com)

1 Executive Summary

GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational ...


2 Highlights

This report provides recommendations for how governance, risk and compliance should be organized and implemented. The highlights of the report are: ...


3 What is GRC?

GRC is the integrated set of capabilities that ensure the reliable execution of organizational goals.

GRC covers the areas of Governance, Risk an ...


3.1 Governance

Governance sets the objectives and rules while management executes the processes.

Governance is the set of policies, procedures, practices and or ...

The governance process sets the business objectives and defines the policies and rules within which these services must be delivered. The management p ...


3.2 Risk

Risk is the effect of uncertainty on objectives (ISO 31000:2015).

The word risk is in c ...


3.3 Compliance

The range of laws and regulations and the way in which IT has become an integral component of the organization means that compliance management has b ...


3.4 Drivers and Benefits

The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effe ...


4 GRC Frameworks

There are several frameworks for IT GRC and it is strongly advised that organizations adopt and use one of these.

Frameworks help an organization ...

Organizations are strongly advised to adopt a standard GRC framework. ...


5 Risk Model

A risk is crystalized when a threat exploits a vulnerability and overcomes controls to create an impact on assets.

GRC is primarily concerned wit ...

In this model there are five important elements:

  • Assets – an organization’s value is made up of assets that have a value. If these assets are ...

5.1 Managing Risks

The objective of risk management is to reduce the impact and / or the likelihood of a risk.

To manage risks, it is necessary to have a common und ...

There are several standards that are relevant to managing different kinds of risks. The most general standard is ISO/IEC 31000:2015[^#]("https://www.i ...


5.1.1 Risk Management Process

The risk management process starts with the recognition that a risk exists. It then considers the risk using scenarios (what if studies). This leads t ...


5.1.2 Risk Register

A key component of the overall GRC architecture is a register of all the identified risks. This helps to avoid the potential for misunderstandings by ...

Ideally, there should be one risk register for the whole organization. This helps to ensure a consistent approach to the management of all risks. Howe ...


5.2 Risk Management Frameworks

There are several risk management frameworks including ISO/IEC 27005:2011 and NIST SP 800-37. Use the one most appropriate for your organization.
...


6 GRC Process

GRC is a continuous process with several steps that should be repeated at regular intervals.

The major GRC processes are identifying and reviewi ...

  • Requirements Review: this phase is concerned with an analysis and review of the organizational objectives in terms of risk and compliance.
  • ...

6.1 Requirements Analysis and Review

Requirements analysis and review is the most important phase since it sets out the strategic approach for the organization.

It is essential that ...


6.2 Policy and Control Definition

The various obligations and requirements identified need to be aligned, conflicts resolved, and redundancies removed.

Based on the requirements i ...

Ideally, the requirements will be mapped to controls which may be manual, procedural or technical. As described previously controls reduce the probabi ...

Controls also provide the way for GRC to measure how well the policies are being followed as well as to protect against the risks. As previously descr ...


6.3 Monitor and Review Effectiveness

How well the organizational policies and controls meet the current requirements should be regularly reviewed.

Central to this process is the col ...

There are basically three kinds of sources for information on the status of control:

  • Automated sources - such as IT systems, e.g. firewalls, i ...

6.4 Define Improvement Activities

Where weaknesses are identified the activities and projects that are needed to improve the current risk and compliance status should be specified.
...

Classical project portfolio management uses ROI (Return on Investment) and NPV (Net Present Value) to identify the projects with the best return. Howe ...


6.5 Crisis and Incident Management

Ensuring that incidents are well managed is also a responsibility of GRC.

The plans for managing incidents must be prepared in advance and GRC h ...

The existence of an incident may be detected in various ways. It may result from a call to a help desk, automated monitoring of system activities and ...


7 GRC Organization

The successful implementation of effective GRC needs a strong organizational structure. It must involve all the stakeholders as well as the senior ma ...

Business Service Delivery focuses on providing exactly the services business needs, in the way business needs them, and at the time they are needed. I ...

The core work of the GRC group is steered by this committee. The GRC organization is responsible for:

  • Creating and maintaining the GRC policy (and ...

8 Reporting and Visibility

There are two major kinds of reports on GRC required. The first set of reports is for use by GRC to monitor and review the status of controls and the ...


8.1 Working Reports

These reports are intended to help the GRC group to review the performance of the organization against risk and compliance obligations. The data which ...


8.2 Board Level Reporting

These reports should be used to communicate on the status of GRC to the organizational board of directors. Historically this has been a problematic ar ...


9 Recommendations

The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effe ...


Copyright

©2019 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission is obtained. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.
