1 Executive Summary

GRC covers the areas of Governance, Risk and Compliance and this report refers to GRC in the context of delivering IT services to meet organizational goals. GRC is concerned with setting objectives, policies and controls and monitoring performance against these. This report provides an architecture for the successful implementation of GRC within an organization.

The drivers and benefits of GRC include better alignment with corporate objectives, increased transparency, better risk management and more cost-effective compliance. Information is a key asset of all organizations and technology plays an important role in its collection, creation, storage and use. For many organizations the processing of information is the sole function that underlies the services or products that they provide. Increasingly all organizations now rely on information processing to improve their products and levels of service while improving their efficiency. It is therefore important that this technology is well aligned with the business objectives. It is also critical that the well-publicized failures to adequately govern this technology such as data leakage are avoided.

Ensuring that the business risks stemming from the organizational use of IT are well managed is the fundamental task of GRC. In addition, organizations have obligations to comply with laws and regulations as well as to meet their contractual commitments and ensuring that the risks to these are also well managed is essential. However, risk means different things to different people and so it is important that organizations have a common vocabulary and model for risk. In this report risk is defined as being the effect of uncertainty on objectives and the objective of risk management is to reduce the impact and / or the likelihood of a risk.

GRC is a continuous process with several steps that must be repeated at regular intervals. These include identifying and reviewing the business risks and the compliance obligations, monitoring and reviewing how well these are managed, and defining the improvements that are needed. The obligations and requirements from various sources will almost certainly overlap and these need to be aligned, conflicts resolved, and redundancies removed. Where deficiencies are identified the activities and projects that are needed to improve the current risk and compliance status should be specified. These should be chosen using a project portfolio management approach and involve financial and strategic dimensions.

For GRC to be effective it needs a strong organizational structure. It must involve all the stakeholders as well as having board level sponsorship. GRC is responsible for setting risk and compliance objectives, defining polices and controls and monitoring risk and compliance. The service delivery and security management parts of the organization are responsible for delivering on these objectives.

One of the major problems with GRC in the past has been communication with the organizational board. To communicate effectively at this level, it important to focus on risk strategy objectives rather than technical controls. For example, describing the readiness of the organization to respond to a cyber incident / data leakage and showing the current maturity of the organizational risk controls against the target maturity using an agreed maturity model.

There are several tools on the market that help to automate the collection and analysis of performance data. Make sure that the one you choose maps easily onto the frameworks and processes that you have adopted.