"CEOs continue to demand more from IT than ever before, but there continues to be a credibility gap with the performance of the IT group, and the technology it provides and maintains," said Tony Torchia, a Pittsburgh-based KPMG Partner and the firm's IT GRC network services leader. At the same time, CIOs are often frustrated by their lack of participation in, and exposure to, the goal-setting of the business. By aligning IT governance with corporate governance in the context of a holistic approach to GRC, executives may begin to close the gap and realize the benefits of convergence.
David Hill, an analyst at the Mesabi Group, explains that GRC is actually a fairly new umbrella concept that can be applied to all levels of governance. "Starting at the top, we have corporate governance, under that we have IT governance, and under IT governance we have information (or data) governance," said Hill. IT governance, then, becomes but one aspect of a coordinated GRC program. IT governance is usually managed and directed by the CIO. The other areas, such as risk and compliance, were typically addressed by other individuals such as a CISO, risk manager and chief compliance officer. Sometimes this led to a disconnection between the various functions.
OK. So what is GRC exactly? French Caldwell, a Gartner analyst, breaks down the various elements as follows:
In a global KPMG study of executives, the top three reasons why they implemented a GRC program were to simplify overall business complexity (44 percent), reduce organizational risk exposure (37 percent) and improve corporate performance (32 percent). The reasons for the growth in acceptance of GRC are not hard to fathom. Vivian Tero, program manager for GRC Infrastructure at research house IDC, points out that IT governance tends to fall short of its goals when it is too project-based and too narrowly focused on new software development, deployment, testing and implementation. Thus typical governance efforts in IT tend to be too tactical. "GRC is an ongoing practice for managing risk and compliance," said Tero. "The governance aspect deals with measuring and tracking accountability in the ongoing IT risk and IT compliance activities."
She advised CIOs and IT staff to move away from subjective measures and onto empirical measures to quantify risk. This includes a definition of a corporate risk baseline (or appetite for risk) so that all IT activities, remediation decisions and priorities are based on quantified empirical measures. It also requires greater transparency and understanding of dependencies across IT risks, compliance requirements, IT assets and the technical processes.
While surveys indicate a perceived need, the reality is that these functions continue to be performed largely in isolation. Chris McClean, an analyst with Forrester, said he is not seeing a lot of convergence between IT governance and GRC. As a result, the application of GRC to IT initiatives often doesn't include the governance aspects of the CIO's role. Where he sees the greatest potential for convergence, then, is in the link between risk and performance management.
"Although uncommon, some companies are defining IT risks as they relate to the achievement of IT objectives" (e.g., the risks that might impact system uptime, data confidentiality, etc.), said McClean. This allows IT departments to make more balanced decisions that help to improve support for the business without exposing it to unacceptable risks.
Any planned move toward convergence will require a lot of organizations to change the way they approach governance, risk management, and IT compliance. Anyone embarking upon this path should foster more collaboration between the risk, compliance, audit, and IT disciplines, and better understand how these groups should support each other. According to McClean, the costs and process changes required will be difficult, but they should lead to a better understanding of how to improve IT's support for the business.
But Scott Gracyalny, managing director and global leader of Risk Technology Services for risk consultancy Protiviti, Inc., believes the time is right for GRC to come of age. Historically, IT governance has been in the realm of the CIO and has been focused on complying with internal policies and procedures. The GRC effort, on the other hand, is largely focused on the "C", with compliance dominating. The overlap and impact is often focused on a sample of applications deemed critical for Sarbanes-Oxley compliance. Now, after numerous years of Sarbanes-Oxley, the overall understanding of the IT landscape and general computing controls has raised the knowledge level of key groups.