March 07, 2011, 8:45 PM — As enterprises approach a high level of maturity in their IT governance, risk and compliance (GRC) programs, they face a conundrum: How can they effectively implement and manage policies and their supporting controls to maintain a strong risk posture? To add to the difficulty, the environments they manage are often widely distributed, subject to multiple regulatory and internal audit requirements, and must adapt to changing business needs. GRC tools are designed to help.
"It's mostly about the maturity of the organization," says Paul Proctor, vice president of security and risk management at Gartner. "Are you ready for a more formalized and automated way of tracking controls? If you have your act together, you should be looking at this."
These products help automate GRC initiatives that are either largely manual or beyond the capabilities of most enterprises. They enable organizations to:
* Create and distribute policies and controls and map them to regulations and internal compliance requirements.
* Assess whether the controls are actually in place and working, and fix them if they are not.
* Ease risk assessment and mitigation.
The GRC market is broadly divided into enterprise and IT products, though there is considerable overlap and the distinction is far from clear. This article focuses on IT operations, the problems organizations face and how IT GRC tools can help.
Analysts say the leading companies that are most clearly identified as IT GRC include Agiliance, Modulo, RSA Archer, Rsam and Symantec, but there are wide differences even among their tools. Expect to spend considerable time defining your requirements and matching them against the capabilities and focuses of the various tools.
The GRC Morass
Large organizations, in particular, struggle with a complex burden of IT policies and controls that can directly affect corporate risk. Almost all enterprises are subject to multiple sets of regulations (upwards of 20 in some cases) that require implementing and managing policies and their supporting controls, preparing and executing audits, and remediating risks. Regulations may apply across the enterprise or to specific business units.