Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
Every year, the Society for Information Management conducts a survey to determine the top issues of CIOs from every major industry and from all sizes of companies. In 2006, a new concern popped up on the top 10 list: IT governance.
The timing of this issue making the list is not surprising; it closely follows the forced compliance with the Sarbanes-Oxley Act, as well as other regulations such as HIPAA.
“SOX” was enacted in 2002 in response to the numerous corporate and accounting scandals of the day. SOX spurred an increased focus on corporate governance, risk and compliance (GRC) with laws and regulations concerned with business oversight. GRC encompasses the people, processes and technology that organizations invest in to comply with regulations and manage risk as part of running the company effectively and ethically.
To put it another way, GRC connects the dots between the regulations and mandates that touch almost every organization today.
Information technology governance, risk and compliance, or IT GRC, is the offspring of GRC. IT GRC augments and complements GRC by addressing the unique role that IT plays in organizations today. IT GRC helps to ensure that IT supports the needs of an organization while also mitigating the risks associated with IT. This is crucial, given that the livelihood of the organization is intricately linked to how well the IT function manages the availability, integrity, and confidence of the information and systems used to operate core business procedures.
In an effort to correlate business results to the level of implementation of IT GRC within organizations, the IT Policy Compliance Group performed a study of more than 2,600 companies and published the findings in its 2008 annual research report titled “IT Governance, Risk and Compliance – Improving business results and mitigating financial risk.”
The most important finding cited in this report is that “organizations with best business results are the same firms with the most mature [IT GRC] practices and the organizations with the worst business results are the same firms with the least mature [IT GRC] practices.” The key takeaway from the report is this: “The way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources.” In other words, you’d better practice good IT GRC if you want to have a successful company.
Linda Musthaler is a principal analyst with Essential Solutions Corporation.
Comments (2)
Cause and Effect?
By Anonymous on May 28, 2008, 10:58 am
As written, this seems to imply that investing more in IT GRC leads to better business results! While those of us in the IT industry might take heart in this proof...
IT GRC: it's about the practices
By Anonymous on June 2, 2008, 11:12 am
The core question being raised is whether better managed firms are the ones having greater success: the answer is yes and no. The research shows that firms with...