This article can also be found in the Premium Editorial Download "Information Security magazine: Finding affordable encryption options for laptop data security."
Download it now to read this article plus other related content.
Despite the fact that GRC has been around in some form for several years now, it's still very much in its infancy in terms of widespread adoption. Much like COBIT, another popular governance-based framework that languished for years in relative obscurity until it helped provide clarity in the age of SOX, GRC is poised to become a key business strategy in the near future. While no one is certain what the next round of banking legislation is going to entail, one thing is almost certain: better risk management activities are going to be expected if not required. "Hopefully companies will see the need to expand GRC to not only control compliance risk, but as a means to help manage the overall success of their organization," Quasar's Bachman says.
Also expect significant advances in the availability of automated GRC solutions. While they've been around for a while, they've been slow to make significant headway as a straightforward GRC solution; that's going to change. Wider adoption of GRC as a framework combined with better integration of regulations into GRC software will make it easier to see the benefits of implementing a software solution. There are already solutions that highlight interdependencies between various regulations when entering controls, thus ensuring economies of scale are identified automatically; this capability will continue to improve. "If today we are just beginning to make the links between mandated compliance processes and GRC tool methodologies, then in the next couple of years we'll see this bond strengthening," Cougias says. And in the very near future those capabilities will improve as GRC tools begin to pass information to other applications to update them for compliance, he adds.
Perhaps the biggest changes to GRC will be in how it's understood and relied upon. The last thing an enterprise is willing to consider while operating under the constraints of current economic conditions is spending money on or committing resources to something that's not critical to their bottom line. However, as the various elements of GRC become better understood and practitioners become more adept at articulating their value proposition to their management, you can expect that to change. According to the OCEG GRC Capability Model Redbook 2.0, "a high-performing GRC system will always deliver value." Once that becomes an accepted fact and not just a line embedded within documentation, GRC will have finally arrived.
David Schneier is managing director at consulting firm R.I.S.C. Associates with extensive experience in developing, implementing and managing compliance programs. Send comments on this article to firstname.lastname@example.org
This was first published in June 2010