
1/30/2015

Governance, risk management, and compliance - Wikipedia, the free encyclopedia

Governance, risk management, and compliance
From Wikipedia, the free encyclopedia

Governance, risk management, and compliance or GRC is the umbrella term covering an organization's approach across these three areas: Governance, risk management, and compliance.[1][2][3]

Contents
1 Overview
2 GRC topics
2.1 Basic concepts
2.2 GRC market segmentation
2.3 GRC product vendors
2.4 GRC data warehousing and business intelligence
2.5 Integrated governance, risk and compliancy
3 GRC research
4 See also
5 References
6 Further reading

Overview
GRC is a discipline that aims to synchronize information and activity across governance, risk management and compliance in order to create efficiency, enable more effective information sharing and reporting, and avoid wasteful overlaps. While interpreted differently in various organizations, GRC typically encompasses activities such as corporate governance, enterprise risk management (ERM) and corporate compliance with applicable laws and regulations.

Organizations reach a size where coordinated control over governance, risk management and compliance (GRC) activities is required to operate effectively. Each of these three disciplines creates information of value to the other two. Each of the three GRC disciplines touches and impacts the same technologies, people, processes and information in any organization.

Where governance, risk management and compliance are managed independently from each other, the organization will have substantial duplication of tasks. Overlapping and duplicated GRC activities negatively impact both (i) operational costs and (ii) GRC metrics. For example, each internal service might be audited and assessed by multiple groups on an annual basis, creating enormous cost and disconnected results.

http://en.wikipedia.org/wiki/Governance,_risk_management,_and_compliance

A disconnected GRC approach will also manifest as an inability for the organization to provide real-time GRC executive reports. Like a badly planned transport system, every individual route will operate, but the network will not have the qualities that allow them to work effectively together.

Due to the changes in technologies, the increases in data storage, market globalization and increased regulation, the number of GRC-related requirements that most organizations must sustain has become unmanageable if tackled in a traditional 'silo' approach.

GRC topics
Basic concepts
Governance describes the overall management approach through which senior executives direct and control the entire organization, using a combination of management information and hierarchical management control structures. Governance activities ensure that critical management information reaching the executive team is sufficiently complete, accurate and timely to enable appropriate management decision-making, and provide the control mechanisms to ensure that strategies, directions and instructions from management are carried out systematically and effectively.[4]

Governance of risk management is the attention given to preventing excessive risk management by keeping in mind the organisation's appetite for risk. Sufficient countermeasures are required rather than excessive, unnecessary and pointless measures. The risk of risk management is that the good intentions become wasteful expenditure or impediments to growth, innovation and opportunity.

Risk management is the set of processes through which management identifies, analyzes, and, where necessary, responds appropriately to risks that might adversely affect realization of the organization's business objectives. The response to risks typically depends on their perceived gravity, and involves controlling, avoiding, accepting or transferring them to a third party. Whereas organizations routinely manage a wide range of risks (e.g. technological risks, commercial/financial risks, information security risks etc.), external legal and regulatory compliance risks are arguably the key issue in GRC.

Compliance means conforming with stated requirements. At an organizational level, it is achieved through management processes which identify the applicable requirements (defined for example in laws, regulations, contracts, strategies and policies), assess the state of compliance, assess the risks and potential costs of non-compliance against the projected expenses to achieve compliance, and hence prioritize, fund and initiate any corrective actions deemed necessary.

GRC market segmentation
A GRC program can be instituted to focus on any individual area within the enterprise, or a fully integrated GRC is able to work across all areas of the enterprise, using a single framework.
A fully integrated GRC uses a single core set of control material, mapped to all of the primary governance factors being monitored. The use of a single framework also has the benefit of reducing the possibility of duplicated remedial actions.

When reviewed as individual GRC areas, the three most common individual headings are considered to be Financial GRC, IT GRC, and Legal GRC.

Financial GRC relates to the activities that are intended to ensure the correct operation of all financial processes, as well as compliance with any finance-related mandates.
IT GRC relates to the activities intended to ensure that the IT (Information Technology) organization supports the current and future needs of the business, and complies with all IT-related mandates.
Legal GRC focuses on tying together all three components via an organization's legal department and chief compliance officer.

Analysts disagree on how these aspects of GRC are defined as market categories. Gartner has stated that the broad GRC market includes the following areas:
Finance and audit GRC
IT GRC management
Enterprise risk management.

They further divide the IT GRC management market into these key capabilities. Although this list relates to IT GRC, a similar list of capabilities would be suitable for other areas of GRC.
Controls and policy library
Policy distribution and response
IT controls self-assessment and measurement
IT asset repository
Automated general computer control (GCC) collection
Remediation and exception management
Reporting
Advanced IT risk evaluation and compliance dashboards

GRC product vendors
The distinctions between the sub-segments of the broad GRC market are often not clear. With a large number of vendors entering this market recently, determining the best product for a given business problem can be challenging. Given that the analysts don't fully agree on the market segmentation, vendor positioning can increase the confusion.

Due to the dynamic nature of this market, any vendor analysis is often out of date relatively soon after its publication.

Broadly, the vendor market can be considered to exist in 3 segments:
Integrated GRC solutions (multi-governance interest, enterprise-wide)
Domain-specific GRC solutions (single governance interest, enterprise-wide)
Point solutions to GRC (relate to enterprise-wide governance or enterprise-wide risk or enterprise-wide compliance, but not in combination)

Integrated GRC solutions attempt to unify the management of these areas, rather than treat them as separate entities. An integrated solution is able to administer one central library of compliance controls, but manage, monitor and present them against every governance factor. For example, in a domain-specific approach, three or more findings could be generated against a single broken activity. The integrated solution recognizes this as one break relating to the mapped governance factors.

Domain-specific GRC vendors understand the cyclical connection between governance, risk and compliance within a particular area of governance. For example, within financial processing a risk will relate either to the absence of a control (a need to update governance) and/or to a lack of adherence to (or poor quality of) an existing control. An initial goal of splitting out GRC into a separate market has left some vendors confused about the lack of movement. It is thought that a lack of deep education within a domain on the audit side, coupled with a mistrust of audit in general, causes a rift in a corporate environment. However, there are vendors in the marketplace that, while remaining domain-specific, have begun marketing their product to end users and departments that are either tangential or overlapping, expanding the target audience to include the corporate internal audit (CIA) and external audit teams (tier one "big four" and tier two and below), information security, and operations/production. This provides a more 'open book' approach to the process. If the production team will be audited by CIA using an application that production also has access to, this is thought to reduce risk more quickly, as the end goal is not to be 'compliant' but to be 'secure', or as secure as possible.

Point solutions to GRC are marked by their focus on addressing only one of its areas. In some cases of limited requirements, these solutions can serve a viable purpose. However, because they tend to have been designed to solve domain-specific problems in great depth, they generally do not take a unified approach and are not tolerant of integrated governance requirements. Information systems will address these matters better if the requirements for GRC management are incorporated at the design stage, as part of a coherent framework.[5]

GRC data warehousing and business intelligence
GRC vendors with an integrated data framework are now able to offer custom-built GRC data warehouse and business intelligence solutions. This allows high-value data from any number of existing GRC applications to be collated and analysed.

The aggregation of GRC data using this approach adds significant benefit in the early identification of risk and business process (and business control) improvement.

Further benefits of this approach include (i) it allows existing, specialist and high-value applications to continue without impact, (ii) organizations can manage an easier transition into an integrated GRC approach because the initial change is only adding to the reporting layer, and (iii) it provides a real-time ability to compare and contrast data value across systems that previously had no common data scheme.

Integrated governance, risk and compliancy
An integrated GRC (iGRC) takes information feeds from one or more sources that detect or sense deviations, defects or other patterns from security or business applications. This can include active sensor technologies such as those used to protect, monitor and manage information networks and systems. By combining GRC technologies such as web-based information security management systems with network security-related sensor technologies, it is suggested that defences against cyber attacks are enhanced in real time.

Typical sensor types include:
host-based intrusion detection, vulnerability assessment, configuration and policy compliance, database logs, website logs, file accesses
hosts for penetration testing, email scanning, spam filters
network intrusion detection and prevention, netflow, firewall/router/other network device logs
access and identity for successful or failed logins, new users, deleted users, privilege escalation, biometric identities
website vulnerability detection (cross-site scripting, SQL injection etc.), pages visited, referred from
endpoint monitoring such as permitted user activity, not permitted user activity, data leakage monitoring, USB usage monitoring and reporting
anti-virus, anti-phishing, malware detection
applications, most of which keep audit logs of activity, and
others such as event and audit log collection for operating systems, infrastructure and applications

Cybercrime has taken on such substantial importance in recent years that target organisations for iGRC software are likely to be those supporting critical national infrastructure, e.g. verticals and industries with significant brand/reputation risk. It is suggested that the primary value proposition for iGRC is as follows:
To provide an insurance policy for CEOs wanting to assure the integrity of critical controls and measures to maintain a low probability of occurrence of high-impact risk events
Calibration of risk profiles in the round and validation of controls and measures baselines
Automation of control status and threat level change

An iGRC configuration is GRC technology coupled to network sensors via the open GRC-iP protocol to enable recognition of threats at an early stage through the automation of control status and threat level change and then enabling the measures to avoid it, thereby de-risking the enterprise as a whole.
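The two mechanisms described above, the integrated solution under GRC product vendors that reports one break against all mapped governance factors instead of three or more siloed findings, and the iGRC sensor feed that drives control status automatically, as an added Python example. This is not the article's text nor any vendor's product; the control IDs, governance factors, event-to-control mapping and the sensor log lines are all hypothetical and constructed for illustration.

```python
"""Added example (not from the article): a toy integrated GRC (iGRC) pipeline.
Sensor events are parsed from constructed log lines, mapped to a single
central control library, and reported once per broken control with every
governance factor that control is mapped to, rather than once per silo.
All control IDs, governance factors and log lines are hypothetical."""

from collections import defaultdict

# Hypothetical central control library: one control, many governance factors.
CONTROL_LIBRARY = {
    "AC-01": {
        "title": "Privilege is raised only through an approved change",
        "factors": ["Financial GRC", "IT GRC", "Legal GRC"],
    },
    "AC-02": {
        "title": "Accounts are created only through identity management",
        "factors": ["IT GRC", "Legal GRC"],
    },
    "NW-01": {
        "title": "Perimeter firewall policy changes are change-controlled",
        "factors": ["IT GRC"],
    },
}

# Which sensor event types count as evidence that a control has failed (assumed).
EVENT_TO_CONTROL = {
    "privilege_escalation": "AC-01",
    "user_created_outside_iam": "AC-02",
    "firewall_policy_change": "NW-01",
}

# Constructed sensor feed (HIDS, identity management, NIDS) in key=value style.
SENSOR_FEED = [
    "2015-01-30T10:01:02Z hids host=db01 event=privilege_escalation user=svc_backup",
    "2015-01-30T10:01:45Z iam event=user_created_outside_iam user=tmp_admin",
    "2015-01-30T10:02:10Z hids host=db01 event=privilege_escalation user=svc_backup",
    "2015-01-30T10:05:00Z nids event=failed_login src=10.0.0.5",  # no mapped control
]


def parse_event(line):
    """Turn 'TIMESTAMP SOURCE k=v k=v ...' into a dict; tokens without '=' are skipped."""
    ts, source, *pairs = line.split()
    event = {"ts": ts, "source": source}
    for pair in pairs:
        if "=" in pair:
            key, value = pair.split("=", 1)
            event[key] = value
    return event


def siloed_findings(lines):
    """Domain-specific view: each governance factor raises its own finding for
    each event, so one broken activity is reported several times."""
    findings = []
    for event in map(parse_event, lines):
        control_id = EVENT_TO_CONTROL.get(event.get("event"))
        if control_id is None:
            continue
        for factor in CONTROL_LIBRARY[control_id]["factors"]:
            findings.append((factor, control_id, event["ts"]))
    return findings


def integrated_findings(lines):
    """Integrated view: one finding per broken control, carrying all of the
    governance factors it is mapped to plus the supporting sensor evidence."""
    evidence = defaultdict(list)
    for event in map(parse_event, lines):
        control_id = EVENT_TO_CONTROL.get(event.get("event"))
        if control_id is not None:
            evidence[control_id].append(event)
    return {
        control_id: {
            "title": CONTROL_LIBRARY[control_id]["title"],
            "factors": CONTROL_LIBRARY[control_id]["factors"],
            "evidence": events,
        }
        for control_id, events in evidence.items()
    }


def control_status(lines):
    """Automated control status: every library control is 'effective' unless
    the sensor feed contains evidence of a break."""
    broken = integrated_findings(lines)
    return {cid: ("failed" if cid in broken else "effective") for cid in CONTROL_LIBRARY}


if __name__ == "__main__":
    print(len(siloed_findings(SENSOR_FEED)), "siloed findings")
    for cid, finding in integrated_findings(SENSOR_FEED).items():
        print(cid, finding["factors"], len(finding["evidence"]), "events")
    print(control_status(SENSOR_FEED))
```

On the constructed feed the siloed view produces eight findings for two broken controls, while the integrated view produces two, each listing the three (or two) governance factors it affects; the unmapped failed-login event is ignored, and NW-01 stays effective because nothing in the feed contradicts it.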

GRC research
A publication review carried out in 2009 found that there was hardly any scientific research on GRC. The authors went on to derive the first GRC short definition from an extensive literature review. Subsequently the definition was validated in a survey among GRC professionals. "GRC is an integrated, holistic approach to organisation-wide GRC ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness."
The authors then translated the definition into a frame of reference for GRC research. Each of the core disciplines Governance, Risk Management and Compliance consists of the four basic components: strategy, processes, technology and people. The organisation's risk appetite, its internal policies and external regulations constitute the rules of GRC. The disciplines, their components and rules are now to be merged in an integrated, holistic and organisation-wide (the three main characteristics of GRC) manner aligned with the (business) operations that are managed and supported through GRC. In applying this approach, organisations aim to achieve the objectives: ethically correct behaviour, and improved efficiency and effectiveness of any of the elements involved.[6]

See also
Conformity assessment
Records management
Regulatory compliance

References
1. ^ Anthony Tarantino (2008-02-25), Governance, Risk, and Compliance Handbook (http://books.google.co.uk/books?id=3aUyqPxYw10C), ISBN 978-0-470-09589-8
2. ^ Denise Vu Broady, Holly A. Roland (2008-04-25), "The ABCs of GRC", SAP GRC For Dummies (http://books.google.co.uk/books?id=1Vi35vE6c1IC&pg=PA9), ISBN 978-0-470-33317-4
3. ^ Silveira, P., Rodriguez, C., Birukou, A., Casati, F., Daniel, F., D'Andrea, V., Worledge, C. & Zouhair, T. (2012), Aiding Compliance Governance in Service-Based Business Processes (http://www.igi-global.com/chapter/handbook-research-service-oriented-systems/60900), IGI Global, pp. 524-548, retrieved 2013-04-06
4. ^ Lamm, Blount, et al., Under Control: Governance Across the Enterprise (http://www.amazon.com/Under-Control-Governance-Across-Enterprise/dp/1430215925), retrieved 2013-04-06
5. ^ Bonazzi, R., Hussami, L. & Pigneur, Y. (2009), "Compliance Management is Becoming a Major Issue in IS Design", in D'Atri, Alessandro; Saccà, Domenico, Information Systems: People, Organizations, Institutions, and Technologies (http://people.hec.unil.ch/ypigneur/files/2010/01/complianceManagement.pdf), Springer, pp. 391-398, doi:10.1007/978-3-7908-2148-2 (https://dx.doi.org/10.1007%2F978-3-7908-2148-2), retrieved 2013-04-06
6. ^ Racz, N., Weippl, E. & Seufert, A. (2010), Bart De Decker, Ingrid Schaumüller-Bichl, ed., A frame of reference for research of integrated GRC, Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings, Berlin: Springer, pp. 106-117, ISBN 978-3-642-13240-7

Further reading
Adam Krug (2011-04-12), "Governance Risk and Compliance & HSE Software System Case Studies (http://www.cmo-compliance.com/GRC_HSEQ_Safety_Environment_Software_Implementation_Case_Studies.html)",
Case Studies 134
Retrieved from "http://en.wikipedia.org/w/index.php?title=Governance,_risk_management,_and_compliance&oldid=634603233"
Categories: Business software | Enterprise modelling
This page was last modified on 19 November 2014, at 22:10.
Text is available under the Creative Commons Attribution-ShareAlike License; additional terms may apply. By using this site, you agree to the Terms of Use and Privacy Policy. Wikipedia is a registered trademark of the Wikimedia Foundation, Inc., a non-profit organization.
