Not so long ago, the IT world was only about the technology. But as more CIOs appeared on the scene, companies began to realize that IT had to be better managed and had to align more closely with business objectives. Thus IT governance gained ground. Now things are being elevated another notch. IT governance is beginning to be swallowed up by the more broadly encompassing field of governance, risk and compliance (GRC). In a recent KPMG survey, 64% of executives indicated that GRC convergence is a priority for their organization.
“CEOs continue to demand more from IT than ever before, but there continues to be a credibility gap with the performance of the IT group, and the technology it provides and maintains,” said Tony Torchia, a Pittsburgh-based KPMG Partner and the firm’s IT GRC network services leader. “At the same time, CIOs are often frustrated by their lack of participation in, and exposure to, the goal-setting of the business. By aligning IT governance with corporate governance in the context of a holistic approach to GRC, executives may begin to close the gap and realize the benefits of convergence.”
David Hill, an analyst at the Mesabi Group, explains that GRC is actually a fairly new umbrella concept that can be applied to all levels of governance. “Starting at the top, we have corporate governance, under that we have IT governance and under IT governance we have information (or data) governance,” said Hill. IT governance, then, becomes but one aspect of a coordinated GRC program. IT governance is usually managed and directed by the CIO. The other areas, such as risk and compliance, were typically addressed by other individuals such as a CISO, risk manager and chief compliance officer. Sometimes this led to a disconnection between the various functions.
A holistic view of GRC can allow organizations, said Torchia, to get a handle on disparate and potentially redundant risk and compliance processes and programs across the enterprise. When there are many risk initiatives with no clear integrated goal or objective programs, the likely result is a sluggish organization. He’s talking about the tendency of companies to react to new regulations and business changes by building ad hoc governance processes, increasing their risk management practices and designing incremental compliance activities. As IT is usually the enabler for all of these programs, redundancies swell, leading to a costly and complex web of often uncoordinated structures, policies and practices.
OK. So what is GRC exactly? French Caldwell, a Gartner analyst, breaks down the various elements as follows:
- Governance – The process by which policy is set and decision making is executed.
- Risk Management – The process for ensuring that important business processes and behaviors remain within the tolerances associated with those policies and decisions, going beyond which creates an unacceptable potential for loss.
- Compliance – The process of adherence to policies and decisions. Policies can be derived from internal directives, procedures and requirements, or external laws, regulations, standards and agreements.
In a global KPMG study of executives, the top three reasons why they implemented a GRC program were to simplify overall business complexity (44 percent), reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). The reasons for the growth in acceptance of GRC are not hard to fathom. Vivian Tero, program manager for GRC Infrastructure at research house IDC, points out that IT governance tends to fall short of its goals when it is too project based and too narrowly focused on new software development, deployment, testing and implementation. Thus typical governance efforts in IT tend to be too tactical. “GRC is an ongoing practice for managing risk and compliance,” said Tero. “The governance aspect deals with measuring and tracking accountability in the ongoing IT risk and IT compliance activities.”
She advised CIOs and IT staff to move away from subjective measures and onto empirical measures to quantify risk. This includes a definition of the corporate risk baseline (or appetite for risks) so that all IT activities, remediation decisions and priorities are based on quantified empirical measures. It also requires greater transparency and understanding of dependencies across IT risks, compliance requirements, IT assets and the technical processes.
While surveys indicate a perceived need, the reality is these functions continue to be done largely in isolation. Chris McClean, an analyst with Forrester, said he is not seeing a lot of convergence between IT governance and GRC. As a result, the application of GRC towards IT initiatives often doesn’t include the governance aspects of the CIO’s role. Where he sees the greatest potential for convergence, then, is in the link between risk and performance management.
“Although uncommon, some companies are defining IT risks as they relate to the achievement of IT objectives” (e.g., the risks that might impact system up time, data confidentiality, etc.), said McClean. “This allows IT departments to make more balanced decisions that help to improve support for the business without exposing it to unacceptable risks.”
Any planned move toward convergence will require a lot of organizations to change the way they approach governance, risk management, and IT compliance. Anyone embarking upon this path should foster more collaboration between risk, compliance, audit, and IT disciplines, and better understand how these groups should support each other. According to McClean, the costs and processes required to make these changes will be difficult, but they should lead to better understanding of how to improve IT’s support for the business.
But Scott Gracyalny, managing director & global leader of Risk Technology Services for risk consultancy Protiviti, Inc., believes the time is right for GRC to come of age. Historically, IT governance has been in the realm of the CIO and has been focused on complying with internal policies and procedures. The GRC effort, on the other hand, is largely focused on the “C”―with compliance dominating. The overlap and impact is often focused on a sample of applications deemed critical for Sarbanes-Oxley compliance. Now, after numerous years of Sarbanes-Oxley, the overall understanding of the IT landscape and general computing controls has raised the knowledge level of key groups.