IT Compliance Institute, November 13, 2007:
Best Practices
GRC Solutions: Tips for Tipping False Idols
New platforms and tools promise to solve companies’ governance, risk, and compliance (GRC) challenges, but managers should beware the hype. Ad hoc frameworks, narrow solution scopes, and too-tactical functionality often characterize so-called enterprise solutions. Experts offer insights to help you navigate the GRC hype.
By Mathew Schwartz
What is GRC?
Vendors are rushing to offer so-called governance, risk and compliance (GRC) platforms. This software purports to link three related yet somewhat disconnected corporate initiatives: governance of management, business and IT decisions; managing financial, business, and technology risks to the business; and ensuring compliance with various business, finance, privacy, and IT regulations.
The GRC software and services market is hot: AMR Research predicts that companies’ GRC-related spending will near $30 billion this year. Yet many industry experts argue that technological approaches—dubbed GRC or otherwise—are not actually the frontline solution for solving governance, risk, or compliance challenges.
In other words, don’t define GRC as technology. Rather, "GRC is multiple roles working together in a common framework, collaboration, and architecture to bring an enterprise view across governance, risk, and compliance activities throughout the organization," says Michael Rasmussen, a Forrester Research analyst who focuses on governance, risk, and compliance.
Thus how you define GRC, and design a framework for managing GRC, necessarily depends on which particular governance, risk, and compliance issues you need to address.
Risk: The New Compliance
If the very definition of GRC is largely relative, where does that leave so-called GRC products? Indeed, given the sheer number of products and consulting services labeled as GRC-related, one might believe plug-and-play solutions existed to solve everything from operational and credit risk, to all regulatory compliance and IT governance requirements.
Don’t believe the marketing hype. "Before, certainly everyone was attaching ‘compliance’ to their products," says Scott Crawford, research director at Enterprise Management Associates (EMA). "Now it’s risk, and we’re seeing compliance get attached to that sometimes too."
As with "compliance software," remember that a given product’s ability to directly solve a GRC-related issue may be tenuous. "Three to four years ago, all the technology vendors were starting to say compliance, compliance, compliance—my solution helps you comply with HIPAA, or GLBA, or SOX, or whatever it was," says Security Innovation’s Michael Gavin, formerly a security industry analyst with Forrester. Many buyers, he cautions, discovered such products addressed only "a tiny piece of the compliance puzzle they were solving." Furthermore, many organizations selected technology to address an IT compliance problem without first fixing the underlying business practices, which is an inefficient approach at best.
Fast-forward to today: "A lot of those vendors have found that governance and risk management is the new buzz phrase that they need to use to get the attention of the buyer’s ear," he says. "Hopefully, buyers learned their lesson."
Avoiding the Next ChoicePoint
Given the hype, GRC may appear to be a vendor-promulgated concept. In fact, many analysts argue that chief executives and other C-level business stakeholders are firmly behind the GRC push, because they need better intelligence on all of the risks facing their business.
"The reason they’re highly motivated? Because a lack of doing this has been directly implicated in what happened to ChoicePoint and CardSystems," says EMA’s Crawford. Namely, both of those organizations had advanced IT security practices, "co-existing side-by-side with a business model predicated on the high availability of sensitive information." As the subsequent data breaches illustrated, taking a siloed approach to managing IT and business risks can be disastrous.
Survey the Environment
Hence, business stakeholders want to see the big GRC picture. "So the question is, how do you most strategically place risk controls and make management decisions based on the best information you have at that point in time?" asks Crawford. "A lot of GRC platforms are arising to provide those details—what are the objectives we have to meet; what do we have to do to be compliant; what are the risks we see?—and then map them to regulatory requirements as well."
To evaluate the effectiveness of a given GRC platform, Crawford offers three tips. Namely, the platform should reduce the total costs of: 1) compliance, plus risk management—whether compliance-related or not; 2) preparing for an audit, as well as the audit process in general; and 3) maintaining a mature risk posture.
What exactly are executives' GRC objectives? According to a recent survey from risk consulting firm Protiviti, 125 executives said a GRC framework should cover operational risk (89 percent), credit risk (70 percent), market risk (65 percent), as well as regulatory compliance (59 percent) and IT governance (38 percent).
Interestingly, the top GRC-related tool executives rely on might seem mundane: surveys. In fact, 77 percent of the surveyed executives said a GRC platform must facilitate "risk and control self-assessments." In other words: to understand risk, first survey relevant managers about all existing risks and the in-place controls that mitigate them, and ask them to estimate how effective those controls are. Also keep respondents honest, and auditors happy, by maintaining a paper trail of their responses. Finally, prioritize the risks and begin mitigating the top threats first, while also tracking those efforts to meet compliance-reporting requirements.
CIO As Facilitator
As mentioned, when it comes to managing risk, "the business stakeholders are ultimately responsible," says Crawford. Yet where does this leave IT?
"Traditionally, we usually think of the CIO as the one being tasked with IT risk decisions," he says. "In fact, the CIO is ultimately responsible for service level agreements, and ensuring the availability of critical systems." Accordingly, the CIO’s role—or for that matter the CISO’s role—is to be a facilitator, "helping to build a consensus on risk management priorities for high availability, or security."
As the aforementioned survey suggests, however, today’s executives may not be as concerned with IT risks as with business risks—only 38 percent classified IT governance as being part of a GRC framework. Experts say that for a GRC framework to be effective, it must encompass IT-related risk, governance, and compliance concerns. Yet as more executives begin to appreciate IT risks, don’t be surprised if some business risks trump IT risks. (Remember ChoicePoint?)
IT Culture Shock
IT personnel may need to adjust their thinking accordingly. Indeed, GRC may come as a shock to technologists used to remediating every last technology vulnerability or critical software risk as rapidly as possible. As an example, Crawford cites a large company that recently commissioned a vulnerability assessment. When presented with a list of the specific vulnerabilities, the CIO said he wasn’t going to fix them, because the likelihood of his being penalized for not fixing them was so low.
"To say that a certain amount of IT risk is acceptable, relative to the business? That’s a new concept," he says.
Welcome to the new GRC world order.
Mathew Schwartz is a former contributing editor for the IT Compliance Institute. You can contact him about this and other articles at Mat@PenandCamera.com.
This article originally appeared in IT Compliance Institute and is reprinted by permission of 1105 Media, Inc.