GRC Overview
Published: April 25, 2008 | Updated: October 10, 2008
Governance, risk, and compliance are potentially far-reaching and interwoven activities that require participation by everyone in the organization. Establishing a common understanding of such a broad topic can be challenging. To help clarify the subject, the following sections break down the scope of GRC and discuss:
- What defines IT GRC.
- Why the three activities are considered together.
- Different IT roles and their respective GRC perspectives.
- How GRC fits into the IT service lifecycle.
What Is GRC?
IT governance is a senior management–level activity that, when well performed, clarifies who holds the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. Most organizations accomplish IT governance by creating groups, such as steering committees, that bring the right parties together to make decisions.
Organization-wide governance establishes, among other things, positive outcome and growth expectations, chosen avenues to improve customer satisfaction, new products, and market development—all areas where IT can make a significant contribution when all governance efforts are coordinated.
Governing activities happen whether planned or not. Lack of planned governance processes can result in arbitrary goal setting and decision making, political turf battles, and wasted resources from confused and conflicting efforts. Planned governance should result in:
- Consistent policies that work together effectively.
- Clear and accountable decision making with an agreed-upon plan for making tradeoffs.
- Well-communicated management objectives.
- Established expectations for performance and evaluating compliance.
- Clear expectations for acceptable behavior in pursuit of management’s goals.
Risk represents possible adverse impacts on reaching goals and can arise from actions taken or not taken. Organizations use governance processes to decide priorities and the level of effort that should go into reducing the likelihood and magnitude of risk impacts.
Good governance processes seek out risk and provide open discussions and clear approaches to addressing risk. A culture of risk management helps prevent willful ignorance of risk, or intentional concealment of risk, and reduces the number of unknown risks that may result in negative consequences.
Internal controls are the processes and systems that exist to address risks and to influence—or mitigate—potential outcomes. In the most general sense, internal controls provide the means by which management objectives are reliably achieved and, in doing so, contribute to positive outcomes for stakeholders.
Compliance is a process that makes sure individuals are aware of regulations, policies, and procedures that must be followed as a result of senior management’s decisions. Compliance is also the evaluation of what is actually happening in the organization compared with the intended results laid out by management’s objectives, policies, and regulatory requirements.
IT compliance efforts will be enhanced if the organization has clearly established and communicated expectations for IT and policies that must be followed, and if it has proactively developed ways to evaluate performance and decision making.
Factors external to organizations, such as regulations, standards, and industry best practices, affect how work is done. These factors are more effectively evaluated and implemented when adequate GRC processes are in place. For instance, there are a number of bodies and regulations concerned with data reliability and organizational trustworthiness. IT organizations may need to respond to a variety of regulatory bodies, from the Securities and Exchange Commission (SEC) to the European Union (EU), and may need to address data management requirements and regulations as varied as the Health Insurance Portability and Accountability Act (HIPAA), the Data Protection Act, Basel I/II, and Sarbanes-Oxley (SOX). GRC activities can help companies (and their IT departments) become:
- Better custodians of data.
- More aligned with regulations.
- Better equipped to achieve management objectives.
- Less susceptible to fraudulent acts.
Why Are These Activities Grouped Together as GRC?
The three practices that make up GRC—governance, risk management, and compliance—share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. This reduces data islands and silos of activity that ultimately slow down organizational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk impact assessments. Combining them can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:
- Bringing the right groups of people together (governance) to clarify what needs to happen and evaluate what could get in the way (risk management).
- Helping the organization determine resource commitments (governance) needed to ensure its goals are achieved (risk management).
- Making it clear (governance and compliance) what processes and activities should or should not happen (risk management and compliance).
- Capturing and documenting processes and their results as evidence (compliance).
When an organization addresses IT GRC activities, several pivotal questions help establish context. Answering these questions most likely will require conversations with groups external to IT, such as internal audit, legal, compliance, and HR.
- What is our organization’s governance plan—who decides how and what to decide?
- What is our organization’s risk tolerance—where can we accept more risk, and in which areas should we be more cautious?
- Are there specific regulatory and compliance issues that apply to our industry?
- What is our compliance culture—that is, how do we determine that we’re doing what we said we would do?
By answering these questions and working on integrated GRC plans, the alignment of IT and business goals is improved because the right people are making the right decisions at the right time.
Who Should Care About GRC?
Although everyone in an organization is involved in IT GRC activities at some level, GRC requires three core groups to be effective: executives, IT managers, and IT professionals. These three organizational roles have different concerns and involvement related to GRC.
The IT professional’s GRC role emphasizes applying the decisions that have been made through governance processes to day-to-day activities and procedures. IT professionals are focused on the compliance aspects of GRC and using in-depth technical knowledge to help identify and mitigate risks and to find ways to efficiently automate controls. They ensure that activities and systems operate within the guidelines that have been established in the GRC process. They have specialized knowledge that can be used to refine controls based on technological capabilities or constraints.
IT managers often participate in GRC groups that make trade-off decisions. A chief mandate for management is to translate strategic goals (established at the executive and board levels) into tactical and tangible directives and policies that will result in services, solutions, policies, and day-to-day activities. IT managers drive the translation of strategic goals into tactical goals, drive the analysis of risk to those goals, and drive identification of internal controls to mitigate those risks.
Finally, at the executive level, the CIO has responsibility for the entire GRC process within IT. The right structures must be established to bring the appropriate people together at the right time to effectively guide the realization of strategy. The CIO should make sure that risk management is part of the discussion in these governance forums as a tool to help inform choices and move toward a common denominator for making trade-off decisions.
In addition, the CIO must be aware of assurance (audit) functions, which evaluate objectives, internal controls, and their design and operating effectiveness. Audit provides findings and recommendations to the executive and board levels so that the organization will benefit from intelligent, intentional management. Similar assurance assessments help provide shareholders and other interested external parties a view into an organization’s functioning. CIO awareness of assurance findings ensures that the organization’s approach to governance is set at the top level—and that GRC activities are understood and used at every level.
What Is the Relationship of the GRC SMF to the IT Lifecycle?
Each phase of the IT service lifecycle has its own goals and activities. Although the groups and people involved might vary by phase and activity, and inputs and outputs might differ, the importance of having clarity about decision making, managing risk, and ensuring compliance does not change.
In the Plan Phase, the goal is to make sure that the IT services offered to the business are valuable, predictable, reliable, and cost-effective, and that they respond to ever-changing business needs.
To help meet this goal, the GRC focus is on:
- Corporate strategy transfer to IT strategy.
- Governance structure and decision rights.
- Management objectives defined.
- Major risks to achieving objectives identified.
- General regulatory environment.
- Policy defined.
In the Deliver Phase, the goal is to make sure that those IT services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for Operations.
In this phase, the GRC focus is on:
- Solution architecture supporting organizational requirements.
- Project stakeholders, methodology, and identified risks.
- The value realization process.
- The service development life cycle.
- Risk mitigation.
- Defining internal controls.
- Defining procedures.
In the Operate Phase, the goal is to make sure that deployed services are operated, maintained, and supported in line with the SLA targets set by the business and IT.
In this phase, the GRC focus is on:
- Procedures and control activities.
- Recording and documentation.
- Retention of evidence that the control operates as designed.
GRC creates organized process flows in all phases of the lifecycle by aiding decision making, balancing tradeoffs, grounding strategy by managing risks, and making sure risk management is appropriate for the activities at hand. By attending to these GRC activities, IT is better able to contribute to the long-term viability and improvement of the organization and is able to clearly state, “This is how we run IT and manage risk.”
GRC SMF Role Types
The primary Team SMF accountabilities that apply to GRC are the Management accountability and the Compliance accountability. The role types within these accountabilities and their primary activities within this SMF are displayed in the following tables.
Table 1. Management Accountability and Its Attendant Role Types

| Role Type | Responsibilities | Role in this SMF |
| --- | --- | --- |
| IT Executive Officer | | |
| IT Manager | | |
| IT Policy Manager | | |
| IT Risk and Compliance Manager | | |
| Assurance and Reporting | | |
| Change Manager | | |
| Configuration Administrator | | |
Table 2. Compliance Accountability and Its Attendant Role Types

| Role Type | Responsibilities | Role in this SMF |
| --- | --- | --- |
| IT Executive Officer | | |
| IT Manager | | |
| IT Risk and Compliance Manager | | |
| IT Policy Manager | | |
| Assurance and Reporting | | |
Goals of GRC
The overarching goal of GRC is to provide IT services that are effective, efficient, and compliant. Specifically, this involves:
- Establishing clear and effective decision making in the management of IT assets.
- Managing risk effectively.
- Complying with applicable policies, laws, and regulations.
Table 3. Outcomes and Measures of the GRC SMF Goals

| Outcomes | Measures |
| --- | --- |
| Sound governance | |
| Effective risk management | |
| Compliance with regulations, laws, and policies | |
Key Terms
The following table contains definitions of key terms found in this guide.
Table 4. Key Terms

| Term | Definition |
| --- | --- |
| Compliance | Processes that ensure IT’s conformance with governmental regulations, laws, and company-specific policies—in other words, a means to inform individuals regarding appropriate activity and also ensure that the organization is actually doing what it has said it will do |
| Contingency | A process that prepares an organization to respond coherently to planned outcomes as well as unplanned incidents |
| Evidence | Testable proof that policies and processes are working as expected |
| Governance | Governance specifies who should make decisions and how, how to communicate effectively and when that should happen, and how to track IT’s progress against business objectives |
| IT assets | Any company-owned information, data, intellectual property, system, or machine that is used in the course of business activities |
| IT controls | A specific activity performed by people or systems designed to ensure that business objectives are being met |
| Mitigation | Processes or activities that are established for the purpose of reducing the potential consequences of a risk by reducing the likelihood or impact of the risk |
| Risk | The possibility of adverse effects on business or IT objectives. Risk is measured in terms of impact, likelihood, and exposure |
| Risk management | An organization’s efforts to address risk in the IT environment |
Relating Governance, Risk, and Compliance
Figure 2. The relationship between governance, risk, and compliance
From a process standpoint, GRC is different from many of the MOF SMFs. Its application is not, strictly speaking, a sequential flow—first A happens, then B, then C. Instead, as Figure 2 shows, it is three separate sets of processes—governance, risk, and compliance—any of which can take place simultaneously or in tandem with the other processes.
For ease of understanding, however, this SMF will discuss these interconnected activities as separate processes:
- Establish IT governance.
- Assess, monitor, and control risk.
- Comply with directives.
The following sections discuss these activities in detail. An in-depth discussion of specialized risk management related to security risk may be found in the Microsoft Security Risk Management Guide: https://www.microsoft.com/technet/security/guidance/default.mspx