GRC Reference Architecture
Content of Figures
- Figure 1 GRC Overview
- Figure 2 Governance versus Management
- Figure 3 Comparison of Major GRC Frameworks
- Figure 4 Risk Model
- Figure 5 Risk Management
- Figure 6 Risk Assessment
- Figure 7 Risk Register
- Figure 8 GRC Process
- Figure 9 Policy and Control Definition
- Figure 10 Controls Mapped to Multiple Requirements
- Figure 11 Review of Effectiveness
- Figure 12 Define Improvement Needs
- Figure 13 Crisis and Incident Response
- Figure 14 The Future IT Paradigm by KuppingerCole – guideline for the future of Enterprise IT
- Figure 15 GRC Steering Committee
1 Executive Summary
GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational ...
2 Highlights
This report provides recommendations for how governance, risk and compliance should be organized and implemented. The highlights of the report are: ...
3 What is GRC?
GRC is the integrated set of capabilities that ensure the reliable execution of organizational goals.
GRC covers the areas of Governance, Risk and C ...
3.1 Governance
Governance sets the objectives and rules while management executes the processes.
Governance is the set of policies, procedures, practices and organ ...
The governance process sets the business objectives and defines the policies and rules within which these services must be delivered. The management p ...
3.2 Risk
Risk is the effect of uncertainty on objectives (ISO 31000:2015 [3]).
The word risk is in common use and means different things to different people. ...
3.3 Compliance
The range of laws and regulations and the way in which IT has become an integral component of the organization means that compliance management has be ...
3.4 Drivers and Benefits
The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effec ...
4 GRC Frameworks
There are several frameworks for IT GRC and it is strongly advised that organizations adopt and use one of these.
Frameworks help an organization to ...
Organizations are strongly advised to adopt a standard GRC framework.
5 Risk Model
A risk is crystalized when a threat exploits a vulnerability and overcomes controls to create an impact on assets.
GRC is primarily concerned with e ...
In this model there are five important elements:
- Assets – an organization’s value is made up of assets that have a value. If these assets ar ...
5.1 Managing Risks
The objective of risk management is to reduce the impact and/or the likelihood of a risk.
To manage risks, it is necessary to have a common unders ...
There are several standards that are relevant to managing different kinds of risks. The most general standard is ISO/IEC 31000:2015 [5] Risk management ...
5.1.1 Risk Management Process
The risk management process starts with the recognition that a risk exists. It then considers the risk using scenarios (what-if studies). This leads t ...
5.1.2 Risk Register
A key component of the overall GRC architecture is a register of all the identified risks. This helps to avoid the potential for misunderstandings by ...
Ideally, there should be one risk register for the whole organization. This helps to ensure a consistent approach to the management of all risks. Howe ...
5.2 Risk Management Frameworks
There are several risk management frameworks including ISO/IEC 27005:2011 and NIST SP 800-37. Use the one most appropriate for your organization.
T ...
6 GRC Process
GRC is a continuous process with several steps that should be repeated at regular intervals.
The major GRC processes are identifying and reviewing ...
- Requirements Review: this phase is concerned with an analysis and review of the organizational objectives in terms of risk and compliance.
- Policy ...
6.1 Requirements Analysis and Review
Requirements analysis and review is the most important phase since it sets out the strategic approach for the organization.
It is essential that th ...
6.2 Policy and Control Definition
The various obligations and requirements identified need to be aligned, conflicts resolved, and redundancies removed.
Based on the requirements iden ...
Ideally, the requirements will be mapped to controls which may be manual, procedural or technical. As described previously controls reduce the probabi ...
Controls also provide the way for GRC to measure how well the policies are being followed as well as to protect against the risks. As previously descr ...
6.3 Monitor and Review Effectiveness
How well the organizational policies and controls meet the current requirements should be regularly reviewed.
Central to this process is the collec ...
There are basically three kinds of sources for information on the status of controls:
- Automated sources - such as IT systems, e.g. firewalls, int ...
6.4 Define Improvement Activities
Where weaknesses are identified the activities and projects that are needed to improve the current risk and compliance status should be specified.
T ...
Classical project portfolio management uses ROI (Return on Investment) and NPV (Net Present Value) to identify the projects with the best return. Howe ...
6.5 Crisis and Incident Management
Ensuring that incidents are well managed is also a responsibility of GRC.
The plans for managing incidents must be prepared in advance and GRC has ...
The existence of an incident may be detected in various ways. It may result from a call to a help desk, automated monitoring of system activities and ...
7 GRC Organization
The successful implementation of effective GRC needs a strong organizational structure. It must involve all the stakeholders as well as the senior man ...
Business Service Delivery focuses on providing exactly the services business needs, in the way business needs them, and at the time they are needed. I ...
The core work of the GRC group is steered by this committee. The GRC organization is responsible for:
- Creating and maintaining the GRC policy (and ...
8 Reporting and Visibility
There are two major kinds of reports on GRC required. The first set of reports is for use by GRC to monitor and review the status of controls and the ...
8.1 Working Reports
These reports are intended to help the GRC group to review the performance of the organization against risk and compliance obligations. The data which ...
8.2 Board Level Reporting
These reports should be used to communicate on the status of GRC to the organizational board of directors. Historically this has been a problematic ar ...
9 Recommendations
The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effec ...
10 Related Research
Advisory Note: Big Data Security, Governance, Stewardship - 72565
Buyer's Guide: Hybrid Cloud Services - 72562
Advisory Note: Cloud Services and Security - 72561
Advisory Note: How to Assure Cloud Services - 72563
Advisory Note: Maturity Level Matrix for GDPR Readiness - 72557
Whitepaper: TechDemocracy: Moving towards a holistic Cyber Risk Governance approach - 70360
Advisory Note: KRIs and KPI for Access Governance - 72559
Advisory Note: Sustainable Infrastructures through IT Compliance - 72025
Executive View: Introduction to Managing Risk - 71150
Advisory Note: The Future of IT Organizations - 71200
Endnotes
- OCEG GRC capability model v3-0
- http://www.isaca.org/cobit/pages/default.aspx
- https://www.iso.org/iso-31000-risk-management.html
- http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx
- https://www.iso.org/iso-31000-risk-management.html
- http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
- http://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx
- https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
- Introduction to Return on Security Investment — ENISA
- http://www.kuppingercole.com/report/advisorynote_futureofitorg71200141013