Well, it is 75% already there with 3 of the 4 letters a G, an R and a C. Now just swap the IT with e and you have it. That is my contention.
There is much practitioner and market analyst discussion dealing with the most appropriate approach to deploying an enterprise-wide GRC (eGRC) program within an organization. Market analysts like Forrester and Gartner define the GRC ecosystem as composed of an "enterprise GRC platform" and then finance, operations and IT GRC programs associated with the platform. Their approach, in my few words, is that organizations should build their various programs like finance GRC on an eGRC platform by utilizing the common GRC capabilities of the eGRC platform and thus allowing each program, as it is developed, to share its information with other business units and leverage the work of the others within the organization. Synergy + cooperation = efficiency = decreased bottom line costs.
As I stated above, my contention is that there is a variation on the above approach and organizations may be able to achieve an eGRC program more effectively if they use an IT GRC program as their basic foundation and expand off that. This contention is based on the following:
>> The IT part of an organization has a significant set of GRC responsibilities of its own for the core services it provides such as communications (ex: email), information management and storage, and application infrastructure. These services involve several compliance issues and constitute significant operational risk if they do not perform as expected.
>> IT is the control owner of one of the largest critical mass of controls within an organization and they will greatly benefit themselves and their internal stakeholders by any automated GRC processes and control testing.
>> IT touches most organizational operational processes in some way, so many of the other GRC programs (finance, operations) utilize IT core components within their business processes. For example, to make effective tradeoffs about IT risk, a business executive needs to know what happens to the business when technology fails or underperforms.
Based on the above, an IT GRC program will need many of the same capabilities as an eGRC platform, and analysts agree that an IT GRC program needs the following capabilities:
- Central repository of IT mandates, controls and control testing
- Policy and controls library
- Policy distribution
- IT asset repository
- Remediation management
- Compliance reporting
- IT risk assessment
- IT control self-assessment
- Automated control monitoring.
It is not by coincidence that these capabilities map very closely to the desired capabilities of an eGRC program "" I think all you need to do is substitute "enterprise" for "IT". There you go, an eGRC platform. Q.E.D.
OK, I will agree with some of the groans I just heard out there that eGRC has a different set of users than the IT department and has a much larger scope for risk management and compliance. But, I will also point out that IT may be the most fertile and cost-effective part of your organization to start an eGRC program. They have the need, they have the widest scope, and they can provide the greatest impact than any other part of the organization. They also have the experience in introducing new methodologies to the organization and scaling them to enterprise use.