- 18 Hot IT Certifications for 2014
- CIOs Opting for IT Contractors Over Hiring Full-Time Staff
- 12 Best Free iOS 7 Holiday Shopping Apps
- For CMOs Big Data Can Lead to Big Profits
The CIO-level business angle on the latest tech
By Linda Musthaler and Brian Musthaler
Get ready for a new buzz phrase to descend upon the IT department: “governance, risk management and compliance,” or GRC. You’re probably already familiar with compliance, especially if your company has to comply with regulations such as Sarbanes-Oxley, HIPAA, GLBA or any number of other government or industry regulations. Now it’s time to understand your role in corporate governance and risk management.
Looking at your company as a whole, there are people at the top who are trusted with running the company in an ethical way, making sure that the company establishes appropriate objectives and shows measured achievements toward those objectives. This is governance. Up until the days of Enron, WorldCom, et. al., governance took place quietly in the background. Now it has been thrust into the spotlight, and it is much more closely tied to risk management and compliance.
Risk management is the practice of identifying, measuring, reporting on and appropriately managing the risks that could impact the company’s governance objectives. For example, risk managers look for competitive threats, political situations and new government regulations that could impact the business. They study the known risks and come up with ways to mitigate them.
Compliance, of course, has taken center stage for the past five years or so. Companies of every ilk are required to comply with numerous rules for how they conduct their business. What’s more, they need to be able to prove they comply. Sarbox, for instance, requires that the CEO and CFO certify financial statements. In some cases, there are severe penalties for non-compliance with regulations.
Not long ago, governance, risk management and compliance were unique disciplines that were managed by unique individuals and departments. In other words, they were silos. Each silo had its own set of tools and software applications to assist with its specific management and reporting requirements. Today, that silo strategy is changing to one of an integrated framework called GRC with the purpose of providing a holistic view of a company’s health and well-being.
According to Wikipedia, GRC is a type of enterprise software that ensures that a business complies with legal requirements. Initial interest in GRC was driven by the Sarbanes-Oxley Act, but GRC software requirements have changed and now are seen as a means to achieve Enterprise Risk Management. Specifically, GRC has evolved from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning. The GRC software becomes the governance platform for defining, maintaining, and monitoring risk.
IT plays an important role in making governance, risk management and compliance more efficient and effective. Every aspect of business activity - R&D, manufacturing, business transactions and finance - relies on databases, applications, computers and communications networks, all supporting vital business processes. GRC from an IT perspective aligns these IT operations with corporate goals and business objectives, identifies material IT risks through risk assessments, and aids in the prevention and reduction of IT incidents and losses.