IT governance, IT risk management and IT compliance are three distinct disciplines that in the past have existed in silos within organizations.
Today, many organizations no longer see these activities as individual, one-time projects handled in separate parts of an organization. Many commonalities and interrelationships exist between these three disciplines.
Adopting a unified
Defining the components of IT GRC
Business imperatives, increased regulatory pressure and customer demands are forcing many CIOs and CISOs to adopt a structured, enterprise-wide approach to IT GRC. Today, enterprises are acknowledging that a mishmash of technologies and processes working in silos inevitably leads to inefficiency, increased costs and present higher risks to the organization.
There is currently a lot of confusion on what exactly IT GRC is and what subcomponents to consider when establishing a program. Although the specifics of developing an IT GRC program will vary based on the individual circumstances of every organization, having common definitions and broad objectives for each area will establish a high-level approach for the program.
IT governance establishes decision structures and tracking mechanisms. At its most basic definition, IT governance primarily determines how decisions are made, who makes the decisions, who is held accountable and how the results of decisions are measured and monitored. Although many organizations have some form of IT governance in place, the governance processes are ad hoc, siloed and informal.
Organizations need to first ensure that they have the appropriate governance structures in place; structures such as technology steering committees, architecture review boards and project review boards.
The second step is to ensure that the appropriate processes exist to guarantee consistency and transparency. For example, processes for proposing new projects, approving new IT investments and prioritizing IT projects.
Third, organizations need to ensure that there is appropriate communication and accountability to measure the outcomes of IT decisions, whether these decisions are technical, monitory, human resource, etc.,. Project status reports, ROI analysis and balanced scorecards would be examples of such communication and monitoring.
IT risk management helps mitigate adverse effects and identifies opportunities. IT risk management activities go far beyond traditional IT security responsibilities. As IT environments have become more complex and business reliance on technology has increased, CIO and CISOs are faced with a daunting challenge. Not only are they asked to deal with ever-increasing and multifaceted threats, but they are also challenged to provide increased capabilities within their businesses. That means successfully adapting to changing business needs and enhancing technology capabilities while guarding against adversity. An organization's technology architecture must support this effort though greater flexibility, automation and efficiency.
IT compliance establishes and monitors IT controls. IT compliance should ensure that an organization is not only adhering to laws and regulations, but is also taking into account corporate responsibilities and industry standards. An organization should also be mindful of corporate intellectual property protection responsibilities and develop a control framework based on industry standards such as COBIT.
Compliance activities include conducting regulatory research, mapping control requirements to regulations, designing IT controls, advising IT and third parties on control requirements and assessing and reporting compliance with regulatory and other requirements.
Many organizations are moving toward a common control framework that can meet multiple regulatory, legal and audit requirements simultaneously. Many software vendors now offer products with built-in mappings for multiple regulations, frameworks and management.
Take a unified approach to align IT GRC initiatives. IT GRC initiatives have traditionally been scattered across organizations without any coordination or synchronization. It's not uncommon for different business areas to develop their own solutions for the same requirement or for IT to deploy multiple technologies to address a common issue. These separate initiatives create inefficiency and make it very hard to assess and manage risks holistically.
As a result, there is a growing demand for products that help IT organizations effectively break down these silos and create a centralized approach to managing risk and compliance while simultaneously ensuring good governance.
Ensuring IT GRC success
To make an IT GRC program effective, CIOs and CISOs need to:
- Understand dependencies and provide a common approach. Governance, risk and compliance
functions depend on each other to be successful. The governance program measures against the
control frameworks and IT compliance requirements to implement the IT strategy. The compliance
program utilizes IT and business risks to rationalize the controls it needs to execute and
maintain. Finally, the risk program determines risks based on IT governance activities and utilizes
control activities and measurements from the compliance program to determine the existing risk
profile for an organization. All three programs running in parallel, but in coordination with each
other, are required for an effective GRC program.
- Unify controls for IT risk and compliance. The processes for identifying and reporting
IT risk and IT compliance may be different, but a common control framework can be to establish and
measure security controls. Establishing a common control framework that fulfills the internal and
external compliance requirements, while managing IT risk to corporate resources reduces duplication
of effort, ensures consistency and breaks down the silos.
- Enable IT governance by establishing accountability. Establishing accountability is an
essential part of an IT GRC strategy that many organizations struggle with. The first step for
establishing accountability is to ensure that roles, responsibilities, governance structures and
processes are clearly articulated, communicated, and understood by a board of directors, executive
management, business management, IT management, employees and shareholders. The second step is to
ensure appropriate measurement and reporting mechanisms are in place in order to monitor and
measure critical areas and adjust the course based on those measurements.
- Align technology and processes for efficiency and consistency. Although technology plays
an important part in automating, aggregation, analysis and reporting of IT controls, it's not the
only ingredient CIOs and CISOs need to establish a core set of processes and define touch points
between IT governance, risk and compliance activities. Once those processes are established, only
then can technology help automate and augment those processes.
Coordinating and pushing a coherent IT GRC approach across different parts of the organization requires significant effort and persistence. The benefits may not be evident right away, but having a structured program ensures long-term benefits such as enhancing IT governance capabilities, helping mitigate IT threats more effectively and simplifying regulatory compliance.
About the author
Khalid Kark is a principal analyst at Forrester Research where he contributes to its offerings for security and risk management professionals. He is a leading expert in security management, compliance, best practices and services. For more information on Khalid or to review additional research, please visit: www.forrester.com/rb/analyst/khalid_kark.
This was first published in January 2008