SC Magazine has published an eBook on GRC that is worth a review and contains some useful information around the Information Security aspect of GRC.
However, it is unclear (as is often the case when you talk about GRC) whether this piece will clarify the topic or make it even more confusing to readers.
First, the good:
- With quotes from my friend Michael Rasmussen and E&Y, it emphasizes the need to avoid silos in governance, risk management, and compliance processes.
- There is a list of 8 best practices for information security and privacy management by the CEO of Global Cyber Risk. Recommendations that may spark debate include separation of the chief information security officer from the chief privacy officer, with neither reporting to the CIO.
- It stresses that risk and information security should be owned by operating management, with advice from risk and security officers.
Now, the not so good:
- The piece does not make it clear whether GRC is just about IT issues or about the business as a whole (it should be the latter). While it mentions a lack of clarity about the meaning of GRC, it does little to address it and much to make it worse.
- It supports the use of an enterprise GRC solution (or set of solutions) to ensure integration across risk and compliance, while ignoring the fact that this will often result in silos in the IT infrastructure. I continue to be amazed that so few people understand the need for risk management and other solutions to be integrated with enterprise applications (such as the financial systems) so that risk and compliance can be embedded into business process and monitoring can be automated. The value of integrating risk management and audit management is far less than integrating risk management with ERP systems. In fact, acquiring an integrated GRC solution set that is based on different technology from other enterprise applications can result in inefficiencies, separation of risk/compliance from business processes, and limitations of the overall IT infrastructure.
Much of the eBook is on the strengths and weaknesses of enterprise GRC systems (which are a basket of related solutions for risk management, compliance management, policy management, and audit management, and sometimes include one or more of user access control, continuous auditing/monitoring, identity management, and more – all depending on the vendor). Chris McLean of Forrester Research is an analyst in the GRC space. He points out that many organizations may have to go with point solutions to address specific compliance requirements, rather than a GRC solution. My view is that every organization should assess its needs, including the value technology would bring in:
- Risk management across the enterprise, including risk monitoring
- Compliance management
- Information security and privacy
- Performance management
- Standards, policies, and procedures management
- Support for governance activities, including the board
- Audit management
- Integration to enable a common and consistent view of risk, compliance, and performance – embedding risk and compliance in everyday decision-making and business processes
- IT infrastructure optimization, including cost, technical support capabilities, its ability to support growth and agility, and performance
- and more
Rather than presuming that your needs will be addressed by a GRC solution, get what is best for you and your business needs in the long term. Recognize that diversity in technology is NOT a good thing. It carries cost, limits business agility, and increases risk.