Content of Figures
- Figure 1 GRC Overview
- Figure 2 Governance versus Management
- Figure 3 Comparison of Major GRC Frameworks
- Figure 4 Risk Model
- Figure 5 Risk Management
- Figure 6 Risk Assessment
- Figure 7 Risk Register
- Figure 8 GRC Process
- Figure 9 Policy and Control Definition
- Figure 10 Controls Mapped to Multiple Requirements
- Figure 11 Review of Effectiveness
- Figure 12 Define Improvement Needs
- Figure 13 Crisis and Incident Response
- Figure 14 The Future IT Paradigm by KuppingerCole – guideline for the future of Enterprise IT
- Figure 15 GRC Steering Committee
1 Executive Summary
GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational ...
This report provides recommendations for how governance, risk and compliance should be organized and implemented. The highlights of the report are: ...
3 What is GRC?
GRC is the integrated set of capabilities that ensure the reliable execution of organizational goals.
GRC covers the areas of Governance, Risk an ...
Governance sets the objectives and rules while management executes the processes.
Governance is the set of policies, procedures, practices and or ...
The governance process sets the business objectives and defines the policies and rules within which these services must be delivered. The management p ...
Risk is the effect of uncertainty on objectives (ISO 31000:2009[^1]).
The word risk is in c ...
The range of laws and regulations and the way in which IT has become an integral component of the organization means that compliance management has b ...
3.4 Drivers and Benefits
The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effe ...
4 GRC Frameworks
There are several frameworks for IT GRC and it is strongly advised that organizations adopt and use one of these.
Frameworks help an organization ...
Organizations are strongly advised to adopt a standard GRC framework. ...
5 Risk Model
A risk is crystallized when a threat exploits a vulnerability, overcomes the controls in place, and causes an impact on assets.
GRC is primarily concerned wit ...
In this model there are five important elements:
- Assets – an organization’s value is made up of assets that have a value. If these assets are ...
5.1 Managing Risks
The objective of risk management is to reduce the impact and / or the likelihood of a risk.
To manage risks, it is necessary to have a common und ...
There are several standards that are relevant to managing different kinds of risks. The most general standard is ISO 31000:2009 (https://www.i ...
5.1.1 Risk Management Process
The risk management process starts with the recognition that a risk exists. It then considers the risk using scenarios (what-if studies). This leads t ...
5.1.2 Risk Register
A key component of the overall GRC architecture is a register of all the identified risks. This helps to avoid the potential for misunderstandings by ...
Ideally, there should be one risk register for the whole organization. This helps to ensure a consistent approach to the management of all risks. Howe ...
5.2 Risk Management Frameworks
There are several risk management frameworks including ISO/IEC 27005:2011 and NIST SP 800-37. Use the one most appropriate for your organization.
6 GRC Process
GRC is a continuous process with several steps that should be repeated at regular intervals.
The major GRC processes are identifying and reviewi ...
- Requirements Review: this phase is concerned with an analysis and review of the organizational objectives in terms of risk and compliance.
- ...
6.1 Requirements Analysis and Review
Requirements analysis and review is the most important phase since it sets out the strategic approach for the organization.
It is essential that ...
6.2 Policy and Control Definition
The various obligations and requirements identified need to be aligned, conflicts resolved, and redundancies removed.
Based on the requirements i ...
Ideally, the requirements will be mapped to controls which may be manual, procedural or technical. As described previously controls reduce the probabi ...
Controls also provide the way for GRC to measure how well the policies are being followed as well as to protect against the risks. As previously descr ...
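The risk register of section 5.1.2 and the many-to-many mapping of controls to requirements described in this section are easiest to see as a small data model. The following is an added example written for this page, not code from the report or from KuppingerCole; the three-point scoring scale, the per-control likelihood and impact reductions, and every identifier in the sample data (control, risk and requirement IDs) are constructed assumptions for illustration. It shows how one control can satisfy several requirements, how a control that failed its last effectiveness review stops reducing residual risk, and how to find obligations from the requirements review that no control covers.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed 3-point scales; the report does not prescribe a scoring scheme.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Control:
    cid: str
    description: str
    kind: str                      # "technical", "procedural" or "manual"
    requirements: set[str]         # requirement/obligation IDs this control satisfies
    likelihood_reduction: int = 0  # assumed: levels removed from likelihood when effective
    impact_reduction: int = 0      # assumed: levels removed from impact when effective
    effective: bool = True         # result of the last effectiveness review (section 6.3)


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                # key of LEVELS
    impact: str                    # key of LEVELS
    controls: list[str] = field(default_factory=list)


class RiskRegister:
    """One register for the whole organization: risks, controls and their mappings."""

    def __init__(self) -> None:
        self.risks: dict[str, Risk] = {}
        self.controls: dict[str, Control] = {}

    def add_control(self, control: Control) -> None:
        self.controls[control.cid] = control

    def add_risk(self, risk: Risk) -> None:
        missing = [c for c in risk.controls if c not in self.controls]
        if missing:  # a risk must not cite a control that is not in the register
            raise ValueError(f"{risk.rid} references unknown controls {missing}")
        self.risks[risk.rid] = risk

    def inherent_score(self, rid: str) -> int:
        r = self.risks[rid]
        return LEVELS[r.likelihood] * LEVELS[r.impact]

    def residual_score(self, rid: str) -> int:
        """Likelihood x impact after applying only the controls that are currently effective."""
        r = self.risks[rid]
        likelihood, impact = LEVELS[r.likelihood], LEVELS[r.impact]
        for cid in r.controls:
            c = self.controls[cid]
            if c.effective:
                likelihood -= c.likelihood_reduction
                impact -= c.impact_reduction
        return max(1, likelihood) * max(1, impact)

    def controls_for_requirement(self, req: str) -> list[str]:
        return sorted(c.cid for c in self.controls.values() if req in c.requirements)

    def unmapped_requirements(self, obligations: set[str]) -> set[str]:
        """Obligations from the requirements review that no control covers."""
        covered = set().union(*(c.requirements for c in self.controls.values()))
        return obligations - covered

    def requirements_at_risk(self) -> set[str]:
        """Requirements whose every mapped control failed its last effectiveness review."""
        at_risk: set[str] = set()
        for c in self.controls.values():
            for req in c.requirements:
                if not any(self.controls[o].effective for o in self.controls_for_requirement(req)):
                    at_risk.add(req)
        return at_risk

    def top_risks(self, n: int) -> list[tuple[str, int]]:
        scored = [(rid, self.residual_score(rid)) for rid in self.risks]
        return sorted(scored, key=lambda t: (-t[1], t[0]))[:n]


def build_sample_register() -> RiskRegister:
    """Constructed sample data; all identifiers are illustrative, not real mappings."""
    reg = RiskRegister()
    reg.add_control(Control("C1", "MFA on all remote access", "technical",
                            {"ISO27001-A.9.4", "PCI-DSS-8.3"}, likelihood_reduction=2))
    reg.add_control(Control("C2", "Nightly offline backups", "procedural",
                            {"ISO27001-A.12.3"}, impact_reduction=1))
    reg.add_control(Control("C3", "Monthly patch cycle", "procedural",
                            {"ISO27001-A.12.6", "PCI-DSS-6.2"}, likelihood_reduction=1,
                            effective=False))  # last review: patches applied 90 days late
    reg.add_risk(Risk("R1", "customer database", "credential theft", "password-only VPN",
                      "high", "high", controls=["C1", "C2"]))
    reg.add_risk(Risk("R2", "web servers", "exploit of a known CVE", "unpatched middleware",
                      "medium", "high", controls=["C3"]))
    reg.add_risk(Risk("R3", "intranet wiki", "defacement", "weak admin password",
                      "low", "medium"))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    for rid, residual in reg.top_risks(3):
        print(rid, "inherent", reg.inherent_score(rid), "residual", residual)
    print("requirements at risk:", sorted(reg.requirements_at_risk()))
```

The single ineffective control (C3) is enough to leave R2 at its inherent score and to flag both requirements it was supposed to satisfy, which is the kind of finding the monitoring phase in section 6.3 feeds back into the improvement activities of section 6.4.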
6.3 Monitor and Review Effectiveness
How well the organizational policies and controls meet the current requirements should be regularly reviewed.
Central to this process is the col ...
There are basically three kinds of sources for information on the status of controls:
- Automated sources - such as IT systems, e.g. firewalls, i ...
6.4 Define Improvement Activities
Where weaknesses are identified the activities and projects that are needed to improve the current risk and compliance status should be specified.
Classical project portfolio management uses ROI (Return on Investment) and NPV (Net Present Value) to identify the projects with the best return. Howe ...
6.5 Crisis and Incident Management
Ensuring that incidents are well managed is also a responsibility of GRC.
The plans for managing incidents must be prepared in advance and GRC h ...
The existence of an incident may be detected in various ways. It may result from a call to a help desk, automated monitoring of system activities and ...
7 GRC Organization
The successful implementation of effective GRC needs a strong organizational structure. It must involve all the stakeholders as well as the senior ma ...
Business Service Delivery focuses on providing exactly the services the business needs, in the way the business needs them, and at the time they are needed. I ...
The core work of the GRC group is steered by this committee. The GRC organization is responsible for:
- Creating and maintaining the GRC policy (and ...
8 Reporting and Visibility
There are two major kinds of reports on GRC required. The first set of reports is for use by GRC to monitor and review the status of controls and the ...
8.1 Working Reports
These reports are intended to help the GRC group to review the performance of the organization against risk and compliance obligations. The data which ...
8.2 Board Level Reporting
These reports should be used to communicate the status of GRC to the organizational board of directors. Historically this has been a problematic ar ...