GRC Overview

Published: April 25, 2008   |   Updated: October 10, 2008

Governance, risk, and compliance are potentially far-reaching and interwoven activities that require participation by everyone in the organization. Establishing a common understanding of such a broad topic can be challenging. To help clarify the subject, the following sections break down the scope of GRC and discuss:

  • What defines IT GRC.
  • Why the three activities are considered together.
  • Different IT roles and their respective GRC perspectives.
  • How GRC fits into the IT service lifecycle.

What Is GRC?

IT governance is a senior management–level activity that, when well performed, clarifies who holds the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. Most organizations accomplish IT governance by creating groups, such as steering committees, that bring the right parties together to make decisions.

Organization-wide governance establishes, among other things, expectations for positive outcomes and growth, the chosen avenues for improving customer satisfaction, and plans for new products and market development. These are all areas where IT can make a significant contribution when governance efforts are coordinated.

Governing activities happen whether planned or not. Lack of planned governance processes can result in arbitrary goal setting and decision making, political turf battles, and wasted resources from confused and conflicting efforts. Planned governance should result in:

  • Consistent policies that work together effectively.
  • Clear and accountable decision making with an agreed-upon plan for making tradeoffs.
  • Well-communicated management objectives.
  • Established expectations for performance and evaluating compliance.
  • Clear expectations for acceptable behavior in pursuit of management’s goals.

Risk represents possible adverse impacts on reaching goals and can arise from actions taken or not taken. Organizations use governance processes to decide priorities and the level of effort that should go into reducing the likelihood and magnitude of risk impacts.

Good governance processes seek out risk and provide open discussions and clear approaches to addressing risk. A culture of risk management helps prevent willful ignorance of risk, or intentional concealment of risk, and reduces the number of unknown risks that may result in negative consequences.

Internal controls are the processes and systems that exist to address risks and to influence—or mitigate—potential outcomes. In the most general sense, internal controls provide the means by which management objectives are reliably achieved and, in doing so, contribute to positive outcomes for stakeholders.

Compliance is a process that makes sure individuals are aware of regulations, policies, and procedures that must be followed as a result of senior management’s decisions. Compliance is also the evaluation of what is actually happening in the organization compared with the intended results laid out by management’s objectives, policies, and regulatory requirements.

IT compliance efforts will be enhanced if the organization has clearly established and communicated expectations for IT and policies that must be followed, and if it has proactively developed ways to evaluate performance and decision making.

Factors external to the organization, such as regulations, standards, and industry best practices, affect how work is done, and they are evaluated and implemented more effectively when adequate GRC processes are in place. For instance, a number of bodies and regulations are concerned with data reliability and organizational trustworthiness. IT organizations may need to respond to regulators ranging from the Securities and Exchange Commission (SEC) to the European Union (EU), and may need to address data management requirements and regulations as varied as the Health Insurance Portability and Accountability Act (HIPAA), the Data Protection Act, Basel I/II, and the Sarbanes-Oxley Act (SOX). GRC activities can help companies (and their IT departments) become:

  • Better custodians of data.
  • More aligned with regulations.
  • Better equipped to achieve management objectives.
  • Less susceptible to fraudulent acts.

Why Are These Activities Grouped Together as GRC?

The three practices that make up GRC (governance, risk management, and compliance) share common and interrelated tasks. Because they have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. Integration reduces the data islands and silos of activity that slow organizational responsiveness and increase risk by obscuring risk identification and leading to inadequate risk impact assessments. Combining the practices can streamline processes and provide transparency and accountability in an organization. It accomplishes this by:

  • Bringing the right groups of people together (governance) to clarify what needs to happen and evaluate what could get in the way (risk management).
  • Helping the organization determine resource commitments (governance) needed to ensure its goals are achieved (risk management).
  • Making it clear (governance and compliance) what processes and activities should or should not happen (risk management and compliance).
  • Capturing and documenting processes and their results as evidence (compliance).

When an organization addresses IT GRC activities, several pivotal questions help establish context. Answering these questions most likely will require conversations with groups external to IT, such as internal audit, legal, compliance, and HR.

  • What is our organization’s governance plan—who decides how and what to decide?
  • What is our organization’s risk tolerance—where can we accept more risk, and in which areas should we be more cautious?
  • Are there specific regulatory and compliance issues that apply to our industry?
  • What is our compliance culture—that is, how do we determine that we’re doing what we said we would do?

By answering these questions and working on integrated GRC plans, the alignment of IT and business goals is improved because the right people are making the right decisions at the right time.

Who Should Care About GRC?

Although everyone in an organization is involved in IT GRC activities at some level, GRC requires three core groups to be effective: executives, IT managers, and IT professionals. These three roles have different concerns and levels of involvement in GRC.

The IT professional’s GRC role emphasizes applying the decisions that have been made through governance processes to day-to-day activities and procedures. IT professionals are focused on the compliance aspects of GRC and using in-depth technical knowledge to help identify and mitigate risks and to find ways to efficiently automate controls. They ensure that activities and systems operate within the guidelines that have been established in the GRC process. They have specialized knowledge that can be used to refine controls based on technological capabilities or constraints.

IT managers often participate in GRC groups that make trade-off decisions. A chief mandate for management is to translate strategic goals (established at the executive and board levels) into tactical and tangible directives and policies that result in services, solutions, and day-to-day activities. IT managers drive that translation, the analysis of risks to those goals, and the identification of internal controls to mitigate those risks.

Finally, at the executive level, the CIO has responsibility for the entire GRC process within IT. The right structures must be established to bring the appropriate people together at the right time to effectively guide the realization of strategy. The CIO should make sure that risk management is part of the discussion in these governance forums as a tool to help inform choices and move toward a common denominator for making trade-off decisions.

In addition, the CIO must be aware of assurance (audit) functions, which evaluate objectives, internal controls, and their design and operating effectiveness. Audit provides findings and recommendations to the executive and board levels so that the organization will benefit from intelligent, intentional management. Similar assurance assessments help provide shareholders and other interested external parties a view into an organization’s functioning. CIO awareness of assurance findings ensures that the organization’s approach to governance is set at the top level—and that GRC activities are understood and used at every level.

What Is the Relationship of the GRC SMF to the IT Lifecycle?

Each phase of the IT service lifecycle has its own goals and activities. Although the groups and people involved vary by phase and activity, and the inputs and outputs differ, the importance of clear decision making, risk management, and ensuring compliance does not change.

In the Plan Phase, the goal is to make sure that the IT services offered to the business are valuable, predictable, reliable, and cost-effective, and that they respond to ever-changing business needs.

To help meet this goal, the GRC focus is on:

  • Translation of corporate strategy into IT strategy.
  • Governance structure and decision rights.
  • Definition of management objectives.
  • Identification of major risks to achieving those objectives.
  • The general regulatory environment.
  • Definition of policy.

In the Deliver Phase, the goal is to make sure that those IT services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for Operations.

In this phase, the GRC focus is on:

  • Solution architecture supporting organizational requirements.
  • Project stakeholders, methodology, and identified risks.
  • The value realization process.
  • The service development life cycle.
  • Risk mitigation.
  • Defining internal controls.
  • Defining procedures.

In the Operate Phase, the goal is to make sure that deployed services are operated, maintained, and supported in line with the SLA targets set by the business and IT.

In this phase, the GRC focus is on:

  • Procedures and control activities.
  • Recording and documentation.
  • Retention of evidence that the control operates as designed.

GRC creates organized process flows in all phases of the lifecycle by aiding decision making, balancing tradeoffs, grounding strategy by managing risks, and making sure risk management is appropriate for the activities at hand. By attending to these GRC activities, IT is better able to contribute to the long-term viability and improvement of the organization and is able to clearly state, “This is how we run IT and manage risk.”

GRC SMF Role Types

The primary Team SMF accountabilities that apply to GRC are the Management accountability and the Compliance accountability. The role types within these accountabilities and their primary activities within this SMF are displayed in the following tables.

Table 1. Management Accountability and Its Attendant Role Types

IT Executive Officer

  Responsibilities:
  • Sponsors IT GRC
  • Approves structures and overall processes
  • Uses metrics and benchmarking to evaluate GRC performance
  • Engages in decision making

  Role in this SMF:
  • Owns the GRC process guide and IT decision making
  • Ensures clear ownership and accountability
  • Makes trends in GRC performance visible
  • Ensures that an improvement roadmap is in place

IT Manager

  Responsibilities:
  • Manages governance processes
  • Identifies and engages GRC participants
  • Manages risk and IT business value realization dependencies
  • Owns the business/IT relationship
  • Uses metrics to evaluate GRC performance

  Role in this SMF:
  • Ensures that GRC is integrated into management decisions
  • Ensures that the state of compliance is understood
  • Facilitates business/IT alignment through GRC processes
  • Ensures that GRC metrics are used for reporting and improvement planning

IT Policy Manager

  Responsibilities:
  • Understands GRC trade-off decisions and the resulting positions that are reflected in policy

  Role in this SMF:
  • Ensures that policies reflect the results of the GRC process and effectively direct the organization toward appropriate activities

IT Risk and Compliance Manager

  Responsibilities:
  • Manages the overall risk management and compliance programs
  • Communicates GRC processes and requirements to the organization

  Role in this SMF:
  • Ensures well-communicated GRC processes and expectations
  • Makes sure that individuals understand their GRC responsibilities and take action accordingly

Assurance and Reporting

  Responsibilities:
  • Validates the design and operating effectiveness of GRC structures and processes
  • Recommends changes for improvement

  Role in this SMF:
  • Ensures that GRC is constantly under review and continually being improved

Change Manager

  Responsibilities:
  • Manages the activities of the change management process for the IT organization

  Role in this SMF:
  • Ensures that GRC processes result in change that is understood
  • Ensures that risks are managed

Configuration Administrator

  Responsibilities:
  • Tracks what is changing and its impact
  • Tracks configuration items (CIs)
  • Updates the configuration management system (CMS)

  Role in this SMF:
  • Ensures that GRC results in change that is approved and in a known state at all times

Table 2. Compliance Accountability and Its Attendant Role Types

IT Executive Officer

  Responsibilities:
  • Communicates IT strategy and approves IT management objectives
  • Approves policy
  • Establishes the tone at the top for the culture of control and compliance

  Role in this SMF:
  • Ensures that consistent progress toward strategic goals is achieved through appropriate and desired activities

IT Manager

  Responsibilities:
  • Enforces policy communication and compliance
  • Evaluates policy adherence and effectiveness
  • Requests changes to policy or exceptions

  Role in this SMF:
  • Enforces compliance with directives and policies
  • Ensures predictable and reliable results that are achieved through appropriate means
  • Ensures that policy violations are addressed effectively and in a timely manner

IT Risk and Compliance Manager

  Responsibilities:
  • Manages the overall risk and compliance programs
  • Makes sure individuals are trained on and understand compliance mandates
  • Reviews unanticipated risk events and non-compliance issues to identify process improvements

  Role in this SMF:
  • Makes sure that risk and compliance efforts are coordinated and consistent with each other
  • Provides sufficient training and preparation to maintain compliance
  • Ensures that unanticipated events are addressed

IT Policy Manager

  Responsibilities:
  • Manages overall policy processes
  • Owns communication of policy to the organization and feedback on policy issues
  • Coordinates the management of policy exception requests

  Role in this SMF:
  • Makes sure that policies are clear, current, and well understood so that they result in appropriate behavior

Assurance and Reporting

  Responsibilities:
  • Investigates policy non-compliance and circumvention
  • Issues reports and recommends changes

  Role in this SMF:
  • Owns independent validation of compliance
  • Detects fraud or intentional unpermitted activity

Goals of GRC

The overarching goal of GRC is to provide IT services that are effective, efficient, and compliant. Specifically, this involves:

  • Establishing clear and effective decision making in the management of IT assets.
  • Managing risk effectively.
  • Complying with applicable policies, laws, and regulations.

Table 3. Outcomes and Measures of the GRC SMF Goals

Outcome: Sound governance

  Measures:
  • IT activities yield expected returns on investment
  • Use of IT assets meets forecasts
  • Decision making is timely and does not require re-examination
  • Confidentiality, integrity, and availability of IT assets are congruent with business needs and directives
  • Policies are created and managed in a timely fashion

Outcome: Effective risk management

  Measures:
  • Proactive identification and management of potential threats and vulnerabilities to the assets of the enterprise
  • A clear and documented process for identifying risk; determining impact and probability; prioritizing and managing through mitigation, transfer, or acceptance; and identifying appropriate controls and solutions
  • Confidentiality, integrity, and availability of IT assets

Outcome: Compliance with regulations, laws, and policies

  Measures:
  • Management of the impact of laws and regulations on business value realization
  • Identification of applicable organizational policies, laws, and regulations
  • Design, development, and deployment of IT assets that support compliance with laws and regulations
  • Reporting of measurable controls for audit and management

Key Terms

The following table contains definitions of key terms found in this guide.

Table 4. Key Terms

Compliance: Processes that ensure IT's conformance with governmental regulations, laws, and company-specific policies; in other words, a means both to inform individuals about appropriate activity and to ensure that the organization is actually doing what it has said it will do.

Contingency: A process that prepares an organization to respond coherently to planned outcomes as well as unplanned incidents.

Evidence: Testable proof that policies and processes are working as expected.

Governance: Specifies who should make decisions and how, how and when to communicate effectively, and how to track IT's progress against business objectives.

IT assets: Any company-owned information, data, intellectual property, system, or machine that is used in the course of business activities.

IT controls: Specific activities performed by people or systems and designed to ensure that business objectives are being met.

Mitigation: Processes or activities established to reduce the potential consequences of a risk by reducing its likelihood or impact.

Risk: The possibility of adverse effects on business or IT objectives. Risk is measured in terms of impact, likelihood, and exposure.

Risk management: An organization's efforts to address risk in the IT environment.

Relating Governance, Risk, and Compliance

Figure 2. The relationship between governance, risk, and compliance

From a process standpoint, GRC is different from many of the MOF SMFs. Its application is not, strictly speaking, a sequential flow—first A happens, then B, then C. Instead, as Figure 2 shows, it is three separate sets of processes—governance, risk, and compliance—any of which can take place simultaneously or in tandem with the other processes.

For ease of understanding, however, this SMF will discuss these interconnected activities as separate processes:

  • Establish IT governance.
  • Assess, monitor, and control risk.
  • Comply with directives.

The following sections discuss these activities in detail. An in-depth discussion of specialized risk management related to security risk may be found in the Microsoft Security Risk Management Guide: http://www.microsoft.com/technet/security/guidance/default.mspx