KuppingerCole Report
Advisory Note
By Mike Small

GRC Reference Architecture

GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational goals. GRC is concerned with setting objectives, policies and controls and monitoring performance against these. This report provides an architecture for the successful implementation of GRC within an organization.
By
sm@kuppingercole.com

Content of Figures

  1. Figure 1 GRC Overview
  2. Figure 2 Governance versus Management
  3. Figure 3 Comparison of Major GRC Frameworks
  4. Figure 4 Risk Model
  5. Figure 5 Risk Management
  6. Figure 6 Risk Assessment
  7. Figure 7 Risk Register
  8. Figure 8 GRC Process
  9. Figure 9 Policy and Control Definition
  10. Figure 10 Controls Mapped to Multiple Requirements
  11. Figure 11 Review of Effectiveness
  12. Figure 12 Define Improvement Needs
  13. Figure 13 Crisis and Incident Response
  14. Figure 14 The Future IT Paradigm by KuppingerCole – guideline for the future of Enterprise IT
  15. Figure 15 GRC Steering Committee

1 Executive Summary

GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational ...

Login Get full Access

2 Highlights

This report provides recommendations for how the governance risk and compliance should be organized and implemented. The highlights of the report are: ...

Login Get full Access

3 What is GRC?

GRC is the integrated set of capabilities that ensure the reliable execution of organizational goals.

GRC covers the areas of Governance, Risk and C ...

Login Get full Access

3.1 Governance

Governance sets the objectives and rules while management executes the processes.

Governance is the set of policies, procedures, practices and organ ...

The governance process sets the business objectives and defines the policies and rules within which these services must be delivered. The management p ...

Login Get full Access

3.2 Risk

Risk is the effect of uncertainty on objectives - ISO 31000:20153.

The word risk is in common use and means different things to different people. ...

Login Get full Access

3.3 Compliance

The range of laws and regulations and the way in which IT has become an integral component of the organization means that compliance management has be ...

Login Get full Access

3.4 Drivers and Benefits

The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effec ...

Login Get full Access

4 GRC Frameworks

There are several frameworks for IT GRC and it is strongly advised that organizations adopt and use one of these.

Frameworks help an organization to ...

Organizations are strongly advised to adopt a standard GRC framework.

Login Get full Access

5 Risk Model

A risk is crystalized when a threat exploits a vulnerability and overcomes controls to create an impact on assets.

GRC is primarily concerned with e ...

In this model there are five important elements:

  • Assets – an organization’s value is made up of assets that have a value. If these assets ar ...
Login Get full Access

5.1 Managing Risks

The objective of risk management is to reduce the impact and / or the likelihood of a risk.

To manage risks, it is necessary to have a common unders ...

There are several standards that are relevant to managing different kinds of risks. The most general standard is ISO/IEC 31000:20155 Risk management ...

Login Get full Access

5.1.1 Risk Management Process

The risk management process starts with the recognition that a risk exists. It then considers the risk using scenarios (what if studies). This leads t ...

Login Get full Access

5.1.2 Risk Register

A key component of the overall GRC architecture is a register of all the identified risks. This helps to avoid the potential for misunderstandings by ...

Ideally, there should be one risk register for the whole organization. This helps to ensure a consistent approach to the management of all risks. Howe ...

Login Get full Access

5.2 Risk Management Frameworks

There are several risk management frameworks including ISO/IEC 27005:2011 and NIST SP 800-37. Use the one most appropriate for your organization.

T ...

Login Get full Access

6 GRC Process

GRC is a continuous process with several steps that should be repeated at regular intervals.

The major GRC processes are identifying and reviewing ...

  • Requirements Review: this phase is concerned with an analysis and review of the organizational objectives in terms of risk and compliance.
  • Policy ...
Login Get full Access

6.1 Requirements Analysis and Review

Requirements analysis and review is the most important phase since it sets out the strategic approach for the organization.

It is essential that th ...

Login Get full Access

6.2 Policy and Control Definition

The various obligations and requirements identified need to be aligned, conflicts resolved, and redundancies removed.

Based on the requirements iden ...

Ideally, the requirements will be mapped to controls which may be manual, procedural or technical. As described previously controls reduce the probabi ...

Controls also provide the way for GRC to measure how well the policies are being followed as well as to protect against the risks. As previously descr ...

Login Get full Access

6.3 Monitor and Review Effectiveness

How well the organizational policies and controls meet the current requirements should be regularly reviewed.

Central to this process is the collec ...

There are basically three kinds of sources for information on the status of control:

  • Automated sources - such as IT systems, e.g. firewalls, int ...
Login Get full Access

6.4 Define Improvement Activities

Where weaknesses are identified the activities and projects that are needed to improve the current risk and compliance status should be specified.

T ...

Classical project portfolio management uses ROI (Return on Investment) and NPV (Net Present Value) to identify the projects with the best return. Howe ...

Login Get full Access

6.5 Crisis and Incident Management

Ensuring that incidents are well managed is also a responsibility of GRC.

The plans for managing incidents must be prepared in advance and GRC has ...

The existence of an incident may be detected in various ways. It may result from a call to a help desk, automated monitoring of system activities and ...

Login Get full Access

7 GRC Organization

The successful implementation of effective GRC needs a strong organizational structure. It must involve all the stakeholders as well as the senior man ...

Business Service Delivery focuses on providing exactly the services business needs, in the way business needs them, and at the time they are needed. I ...

The core work of the GRC group is steered by this committee. The GRC organization is responsible for:

  • Creating and maintaining the GRC policy (and ...
Login Get full Access

8 Reporting and Visibility

There are two major kinds of reports on GRC required. The first set of reports is for use by GRC to monitor and review the status of controls and the ...

Login Get full Access

8.1 Working Reports

These reports are intended to help the GRC group to review the performance of the organization against risk and compliance obligations. The data which ...

Login Get full Access

8.2 Board Level Reporting

These reports should be used to communicate on the status of GRC to the organizational board of directors. Historically this has been a problematic ar ...

Login Get full Access

9 Recommendations

The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effec ...

Login Get full Access

10 Related Research

Advisory Note: Big Data Security, Governance, Stewardship - 72565
Buyer's Guide: Hybrid Cloud Services - 72562
Advisory Note: Cloud Services and Security - 72561
Advisory Note: How to Assure Cloud Services - 72563
Advisory Note: Maturity Level Matrix for GDPR Readiness - 72557
Whitepaper: TechDemocracy: Moving towards a holistic Cyber Risk Governance approach - 70360
Advisory Note: KRIs and KPI for Access Governance - 72559
Advisory Note: Sustainable Infrastructures through IT Compliance - 72025
Executive View: Introduction to Managing Risk - 71150
Advisory Note: The Future of IT Organizations - 71200

Endnotes

  1. OECG GRC capability model v3-0
  2. http://www.isaca.org/cobit/pages/default.aspx
  3. https://www.iso.org/iso-31000-risk-management.html
  4. http://www.isaca.org/Knowledge-Center/Risk-IT-IT-Risk-Management/Pages/Risk-IT1.aspx
  5. https://www.iso.org/iso-31000-risk-management.html
  6. http://csrc.nist.gov/publications/nistpubs/800-30-rev1/sp800_30_r1.pdf
  7. http://www.isaca.org/knowledge-center/risk-it-it-risk-management/pages/default.aspx
  8. https://csrc.nist.gov/projects/risk-management/risk-management-framework-(RMF)-Overview
  9. Introduction to Return on Security Investment — ENISA
  10. http://www.kuppingercole.com/report/advisorynote_futureofitorg71200141013

Copyright

©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.

top