
Automating governance, risk and compliance: 10 key considerations

By Ted Frank, Axentis

Effectively automating the full breadth of governance, risk and compliance (GRC) is a journey few organizations have completed. Most GRC efforts are executed within silos built around specific, discrete compliance requirements, whether Sarbanes-Oxley or HIPAA. Even when addressed broadly, GRC has often been treated as a "nice-to-have" add-on to other projects or programs. Exacerbating this is the fact that GRC practitioners have traditionally lacked both the political clout to secure resources and the experience in building technology business cases, all while being charged with achieving organizational compliance. The good news is that times have changed. With the heightened focus on risks and regulations, GRC is now being transformed into a formal category of automation.

Following are ten key considerations that should help IT and GRC practitioners kick off the discussion, along with some simple steps for early implementation of a successful GRC program.

1. A Starting Point

First, complete a comprehensive inventory. What GRC programs exist? Who is accountable for each of them? What tools are being used? What processes are already in place? Who is mandating and evaluating them? How is GRC baked into compensation practices?

It is remarkable how broadly risk can affect an organization once financial, legal, operational and regulatory risks are all included in the definition. Even more remarkable is how difficult it is to quickly secure solid answers to these questions. Compiling this inventory is the first step in understanding the organization's GRC ecosystem and getting a feel for its overall health and effectiveness. Gather this baseline information before any technology discussion, because it allows the team to define impact across a broad set of issues and deliver benefit to more stakeholders.

2. Document the organization's current GRC vocabulary

One of the most basic and significant problems many organizations face is the range of definitions and perceptions surrounding common GRC terms. Each perception (or definition) is shaped by different experiences, issues or projects, which leads to countless unstated assumptions in even the simplest GRC discussions. Technology has traditionally treated compliance as many individual, secondary considerations rather than as a set of processes to be considered collectively. Correcting the situation begins with understanding who assumes what across the organization.

Compliance Management - Defined
Compliance management is the implementation of processes designed to control any type of risk and to meet voluntary or mandated expectations of performance. Prominent mandates and frameworks that fall under GRC include Sarbanes-Oxley, HIPAA, anti-money-laundering statutes, corporate codes of conduct, Enterprise Risk Management, Operational Risk management and COBIT.

3. Define the GRC vocabulary to be used going forward

Before any real dialogue can begin around GRC, a standardized baseline vocabulary must be established throughout the organization. The key terms needed to carry on a productive conversation should be clear and easy to remember, with well-thought-out, simple definitions. Candidates include obvious terms like "risk," "compliance" and "governance" but also less obvious ones such as "loss" or "control." Once established, these definitions should be communicated to everyone involved and put into practice immediately. They should also be reiterated throughout training, developed through ongoing education and introduced to new personnel.

4. Adopt a process standard that can be consistently applied across GRC programs

It is essential for practitioners and technologists to agree on a consistent process model that allows one solution to be deployed across a broad array of GRC processes and needs. Most people involved in GRC for the first time believe their particular mandate is unique. This belief is one of the most common failure points in GRC and can be linked to a range of historical problems, from inconsistent processes to the development of countless single-use, isolated technologies that ultimately fail to deliver significant value. Best-practice GRC processes are now emerging, however, presenting new opportunities to manage this far-reaching set of domains more effectively. One of the most complete standards is published by the Open Compliance and Ethics Group (OCEG).
