Governance, Risk, and Compliance or "GRC" is an increasingly recognized term that reflects a new way organizations focus on and manage an integrated approach to these three areas.
According to Michael Rasmussen, an industry analyst at Forrester Research, the challenge in defining GRC is that individually each term has "many different meanings within organizations. There is corporate governance, IT governance, financial risk, strategic risk, operational risk, IT risk, corporate compliance, Sarbanes-Oxley (SOX) compliance, employment/labor compliance, privacy compliance . . . you get the picture."
According to Scott L. Mitchell, Chairman & CEO of the Open Compliance and Ethics Group (OCEG), there "are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on."
Typically, GRC solutions are enterprise software that enables businesses to comply with legal requirements. Examples of such requirements are regulations such as the Sarbanes-Oxley Act, Basel II and local requirements for occupational health and safety. Failure to meet these standards can lead to severe legal penalties or civil liability.
Initial interest in GRC was driven by the Sarbanes-Oxley Act, but GRC software requirements have changed and are now seen as a means to achieve Enterprise Risk Management. Specifically, they are a way to evolve from managing risk as a transaction or compliance activity to adding business value by improving operational decision making and strategic planning.
GRC software becomes the governance platform for defining, maintaining, and monitoring risk.
OCEG, a non-profit organization that provides a performance framework for integrating governance, compliance, risk management and culture, is one of the leading voices for GRC. OCEG has developed a Measurement and Metrics Guide (MMG) to assist in measuring and reporting on the performance of compliance and ethics programs. This measurement platform advocates that program objectives be aligned with and contribute to the enterprise objectives in a tangible way. In order to achieve desired program outcomes, an organization should design processes and practices that measure program performance on three key dimensions: effectiveness, efficiency and responsiveness.
i-flex solutions is the first company to issue a GRC Framework for the financial services industry, according to BobsGuide, an industry news site.
Wednesday, June 18, 2008
Thursday, May 22, 2008
IT Governance, Risk, and Compliance (ITGRC)
Businesses rely on their IT departments and resources for competitive advantage and business-to-business transactions, and cannot afford to apply to IT anything less than the same level of commitment they devote to other company assets. IT offers extraordinary opportunities to transform the business; however, IT must deliver value and enable the business, and IT-related risks must be mitigated. Governance of IT, Information Security, and Risk Management encompasses several initiatives for executive management. At a glance, they must be aware of the role and impact of IT on the enterprise, define the constraints within which IT professionals should operate, measure performance, understand risk and obtain assurance.
Corporate Governance:
Before discussing Information Technology and Security Governance, one must look at the broader issue of Corporate Governance in the enterprise. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco – and is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impact of the many scandals undermined the confidence of the investment community and corporate stakeholders.
Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Some investment firms are even prepared to pay large premiums for investments in companies with high governance standards.
Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.
IT Governance Role:
IT governance is the responsibility of the board of directors and executive management. It is an integral part of corporate governance and consists of the leadership and organizational structures and processes that ensure that the organization’s Information Technology sustains and extends the organization’s strategies and objectives. IT governance is also the term used to describe how those persons responsible for governance of an entity consider IT in their supervision, monitoring, control and direction of the entity. How IT is applied within the business has an immense impact on whether the business attains its vision, mission or strategic goals. In today’s economy, with most businesses relying on IT for competitive advantage, businesses simply cannot afford to apply to their Information Technology anything less than the level of commitment they apply to overall governance.
Who is Responsible for IT Governance and Risk Management:
Board of Directors (BODs) and executive management have a joint responsibility to protect shareholder value. This responsibility applies just as stringently to valued information assets as it does to any other asset. BODs and management must recognize that securing information and information assets is not just an investment; it is essential for survival in all cases and for many it guarantees competitive advantage. Additionally BODs and management must accept the responsibility of ensuring that:
- IT Governance is aligned with the overall Corporate Governance structure within the enterprise.
- IT Governance includes an alignment with the Enterprise Risk Management Program, which is a responsibility of the BODs and Management.
- There is a balance between the operational and economic costs of protective measures and the gains in mission capability achieved by protecting the IT systems and data that support the enterprise’s business strategy and objectives.
- Risks and threats are identified, categorized and mitigated to acceptable levels.
- IT Governance obtains coordinated and integrated action from the top down.
- IT investments are not mismanaged or misdirected.
- IT Governance rules and priorities are established and enforced.
- Trust is demonstrated toward trading partners while exchanging electronic transactions.
In Closing:
IT governance covers a number of activities for the board and for executive management, such as becoming informed of the role and impact of IT on the enterprise, assigning responsibilities, defining constraints within which to operate, measuring performance, managing risk and obtaining assurance.
IT Governance focuses on two categories: (1) IT’s delivery of value to the business and (2) mitigation of IT risks. In order to have an effective IT and Security Governance strategy, businesses must address the following questions:
- What decisions must be made to ensure effective management and use of IT?
- Who should make these decisions?
- How will these decisions be made and monitored?
Always remember that managing information security risks as part of operational risk involves establishing an effective IT governance and control architecture.
Thank you
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions
Thursday, May 15, 2008
Concept of Governance, Risk, and Compliance (GRC) and its impact on your business
In today’s blog, we will discuss the concept of Governance, Risk, and Compliance (GRC) and its impact on your business.
Corporate Governance:
Before discussing Governance, Risk and Compliance, one must look at the broader term behind GRC – Corporate Governance. Corporate Governance is defined as a structure for determining organizational objectives and monitoring performance to ensure that business objectives are attained. Corporate Governance became a dominant business topic in the wake of many corporate scandals – Enron, WorldCom and Tyco – and is becoming increasingly prominent today in the wake of the TJX credit card breach case. Corporate interest in governance is not new, but the severity of the financial impact of the many scandals undermined the confidence of the investment community and corporate stakeholders.
Good corporate governance is important to investors and shareholders. As a matter of fact, many investors, before making an investment decision, validate and rank the company’s corporate governance on par with its financial indicators. Some investment firms are even prepared to pay large premiums for investments in companies with high governance standards.
Whilst there is no single model of good corporate governance, it is noted that in many countries corporate governance is vested in a supervisory board that is responsible for protecting the rights of the shareholders and stakeholders. The board, in turn, works with a senior management team to implement governance principles that ensure the effectiveness of organizational processes.
My definition of GRC:
As it relates to GRC, industry professionals and organizations have defined GRC in many ways. That is not to say they are wrong in defining the GRC concept, but GRC in itself means different things to different people. As such, to minimize the ambiguity of the process, I have defined it as follows:
A common business management framework that requires strategic collaboration and architecture to bring an enterprise view across governance, risk, and compliance initiatives within a company.
Let’s break out each letter of the process and I will share some insight to each. You really need all three to achieve good corporate governance.
Governance:
Corporate governance requires processes for providing Boards of Directors, Audit Committees, and Corporate Management with oversight of business culture, enterprise risks, policies, processes, laws, and regulations.
Risk:
Businesses should identify, analyze, assess, mitigate, and manage business and information risks and incorporate them in their business processes.
Compliance:
Compliance is about adhering to external laws, corporate policies and procedures, and regulations while providing a comprehensive framework that handles virtually all compliance regimes and control frameworks.
GRC Collaboration:
It has been a common myth that BODs and senior-level managers alone are responsible for implementing GRC. I won’t get into the roles and responsibilities of GRC participants, but rather articulate the effectiveness of an integrated GRC strategy. For GRC to be effective in today’s complex business environments, organizations must involve all business process areas in order to achieve an effective integrated GRC strategy. Based on experience, an effective GRC strategy included business unit representation from BODs, Audit Committees, Internal Audit, Legal, Risk Management, Compliance, Human Capital, Information Technology, Sales, Marketing and Strategy…you get the picture. In short, you need to include all key and critical business units in your GRC strategy. GRC is about the whole organization and not just a few parts of it.
James Sayles
MBA, BS, CISSP, CISA, CISM
Vice President, Chief Risk and Compliance Officer
Favored Solutions