Governance, risk management and compliance and what it means to you

* GRC: governance, risk management and compliance

By Linda Musthaler and Brian Musthaler

Get ready for a new buzz phrase to descend upon the IT department: “governance, risk management and compliance,” or GRC. You’re probably already familiar with compliance, especially if your company has to comply with regulations such as Sarbanes-Oxley, HIPAA, GLBA or any number of other government or industry regulations. Now it’s time to understand your role in corporate governance and risk management.

Looking at your company as a whole, there are people at the top who are trusted with running the company in an ethical way, making sure that the company establishes appropriate objectives and shows measured achievements toward those objectives. This is governance. Up until the days of Enron, WorldCom, et al., governance took place quietly in the background. Now it has been thrust into the spotlight, and it is much more closely tied to risk management and compliance.

Risk management is the practice of identifying, measuring, reporting on and appropriately managing the risks that could impact the company’s governance objectives. For example, risk managers look for competitive threats, political situations and new government regulations that could impact the business. They study the known risks and come up with ways to mitigate them.

Compliance, of course, has taken center stage for the past five years or so. Companies of every ilk are required to comply with numerous rules for how they conduct their business. What’s more, they need to be able to prove they comply. Sarbox, for instance, requires that the CEO and CFO certify financial statements. In some cases, there are severe penalties for non-compliance with regulations.

Not long ago, governance, risk management and compliance were unique disciplines that were managed by unique individuals and departments. In other words, they were silos. Each silo had its own set of tools and software applications to assist with its specific management and reporting requirements. Today, that silo strategy is changing to one of an integrated framework called GRC with the purpose of providing a holistic view of a company’s health and well-being.

According to Wikipedia, GRC is a type of enterprise software that ensures that a business complies with legal requirements. Initial interest in GRC was driven by the Sarbanes-Oxley Act, but GRC software requirements have changed and are now seen as a means to achieve Enterprise Risk Management. Specifically, GRC has evolved from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning. The GRC software becomes the governance platform for defining, maintaining, and monitoring risk.

IT plays an important role in making governance, risk management and compliance more efficient and effective. Every aspect of business activity - R&D, manufacturing, business transactions and finance - relies on databases, applications, computers and communications networks, all supporting vital business processes. GRC from an IT perspective aligns these IT operations with corporate goals and business objectives, identifies material IT risks through risk assessments, and aids in the prevention and reduction of IT incidents and losses.

There are many IT application vendors that address one aspect or another of governance, risk management and compliance. Most of these vendors are still using the silo approach. However, we recently came across a vendor taking a fully integrated standards-based approach to GRC.

Agiliance designed a platform that is a top-down policy and control framework. The product, called Agiliance IT-GRC, begins with the best practices framework of ISO 17799/27001. Agiliance adds in the control objectives of other standards such as COBIT, FFIEC, NIST-SP800-53, and so on. Having all these overlapping objectives viewable and measurable in one place is the heart of Agiliance IT-GRC.

On top of all the standard control objectives, your company can utilize the government regulations affecting your particular company (e.g., GLBA, Sarbox, HIPAA); the industry mandates affecting your company (e.g., PCI, SAS 70); and your unique company policies. The compliance engine is a checklist; you choose only the controls that apply to your company.

The final piece to add to the framework is your company’s specific set of IT controls and policies, including manual policies (e.g., backup media controls, physical access controls); automated policies (e.g., OS configuration controls, application access controls); and integrated process controls (e.g., change management controls, HR recruiting controls). Additionally, Agiliance provides connectors that gradually extend automation of monitored controls. Now the view of how your company measures compliance against its applicable controls becomes very precise.

Agiliance uses risk metrics from multiple sources, including automated and manual controls. The risk analysis is multi-dimensional, taking into account asset criticality and business impact, as well as aggregated security data, such as vulnerabilities, and a score of compliance controls. The risk management features help you see how you can mitigate, accept, transfer and avoid risks, and include an ROI calculation to help you decide your mitigation plans. In short, this solution helps you focus on the risks that really matter.

There are a few key things we find interesting about Agiliance IT-GRC:

* The framework does not deploy any agents on the desktop. Existing asset information is readily imported and synchronized from sources such as Active Directory, most CMDBs, and even spreadsheets.

* The tool can help a company define and deploy policies. You can go beyond IT compliance and extend to business operational compliance.

* Unlike the silo-oriented tools, this product provides an integrated solution for the IT practitioner who has to implement corporate policies over the IT infrastructure, as well as the C-level officers responsible for security, risk, and/or compliance who need a mechanism that allows for reporting, planning and integration of IT GRC to the corporate objectives. In other words, both sides of the IT GRC coin are working from a common framework.

So, when it comes to GRC, you’d better master that buzzword. According to Gartner, “companies that pursue an integrated strategy of a risk-oriented approach to compliance, standardization of controls and automation will reduce the scope of manual process controls by 70% and will get the most collateral business value from their compliance investments.” And that's a good thing.

Linda Musthaler and Brian Musthaler are co-founders and the principal analysts of Essential Solutions Corp.

About Essential Solutions Corp: Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.

Copyright © 2007 IDG Communications, Inc.