Governance, risk, and compliance for IT business processes

Isolated teams, redundant processes, inconsistent data, and other organizational silos are arguably the biggest obstacles to achieving long-term success and stability in business. Silos can hinder data flows, complicate self-analysis, and make the mitigation of issues more complicated than it needs to be.

Some businesses do manage to make inefficient processes work. Regardless, silos can be a massive obstacle to business growth and development, especially for organizations looking to go digital. Without internal simplification and restructuring, siloed organizations might not be able to survive in the digital era for long (Vicente and da Silva, 2011, July).

Regulatory and compliance requirements can further hinder siloed organizations, as each team might separately need to address the demands of regulators and auditors. External stakeholders simply don’t care about the organizational structure or team boundaries - the organization as a whole is fulfilling it’s requirements or it isn’t.

The larger the business, the more demanding the regulatory environment, and the more complex the operations - the more need for a holistic, unified approach to how the business operates and meets the demands of external stakeholders.

An excellent way to start organization-wide changes in this direction is using the governance, risk, and compliance framework (Racz, et al., 2010, July). This framework can help businesses make organizational changes toward clarity, transparency, efficiency, and continuous improvement.

This article will describe the basics of governance, risk, and compliance and outline its use cases in IT operations.

What is governance, risk, and compliance?

Governance, risk, and compliance, or GRC, is a framework that aims to help organizations unify their business operations and departments so that they can serve common goals and objectives.

The primary goal of GRC is to address business complexity and siloed processes in modern organizations. GRC pursues to unite the various aspects of business operations to ensure that the internal units of an organization are working in cooperation with each other. Aside from that, GRC puts heavy emphasis on risk management and compliance with external standards and regulations.

The main ideas behind the GRC framework were formulated in 2003 by OCEG (Open Compliance and Ethics Group), while the first peer-reviewed paper on GRC (Mitchell, 2007) was published by the OCEG founder Scott L. Mitchell.

GRC is built on three key concepts – governance, risk, and compliance (IBM Cloud Education, June 18, 2020). The meaning of these concepts is as follows:

• Governance – the alignment of internal processes and workflows with the business goals. Effective governance implies accountability; a balance between stakeholders’ interests (such as shareholders, management, suppliers, and employees); a fair distribution of rights, responsibilities, and rewards; and supervision and control over data flows and infrastructures.
• Risk – the identification, definition, and management of uncertainties that can negatively affect business outcomes. An effective risk management program minimizes risk while increasing delivered value.
• Compliance – compliance with relevant legal and regulatory requirements. Effective compliance considers external laws, regulations, and industry standards. Additionally, compliance requires the development of internal policies that should be communicated to employees.

The OCEG Red Book (Switzer, et al., 2017) points out that GRC is not about heavily centralizing operations and creating an umbrella department that would oversee adherence to GRC across an organization. Instead, GRC promotes the establishment of an organization-wide approach that:

• Ensures that the appropriate people get the correct information at the optimal time.
• Establishes the optimal objectives.
• Implements the right actions and controls to handle uncertainty and act with integrity.

How can GRC benefit businesses?

Organizational silos can significantly hinder a business’s ability to grow and adapt to change. To name a few reasons, this can be because:

• Different teams and departments can come up with conflicting goals and objectives that do not serve the primary business goals of their organization.
• Stakeholders might be unable to clearly communicate their expectations and requirements to the relevant parties in the organization.
• Inconsistency or the outright non-existence of internal data sources might prevent organizations from self-analysis and correction.
• Businesses might not be able to identify and mitigate internal and external risks effectively.

The GRC framework allows organizations to achieve Principled Performance® – a state where organizations can effectively achieve their objectives, handle risk and uncertainty, and act with internal alignment and integrity.

Principled Performance is built on the following “pillars”, as OCEG calls them:

• Principled Purpose – the mission, vision, and values that guide the organization.
• Principled People – employees, leadership, and extended enterprise who direct their effort toward a principled purpose.
• Principled Pathway – the unified systems of governance, strategic management, performance management, risk management, compliance management, and audit management that help the organization achieve its principled purpose.

To showcase the value of GRC and Principal Performance® (OCEG, 2022), the organization lists its ten universal outcomes (Switzer, et al., 2017, p. 10):

1. Achievement of business objectives through the alignment of internal departments toward common enterprise objectives.
2. A risk-aware setting of objectives and strategic planning via timely and reliable information about risks, rewards, and responsibilities.
3. Enhanced organizational culture via integrity, accountability, trust, communication, and emphasis on performance.
4. Increased stakeholder confidence via transparent reporting and attention to feedback.
5. Protection from risks via the continuous monitoring of adverse situations and undesirable outcomes.
6. Prevention, detection, and treatment of adversity and weaknesses via the implementation of controls and actions for negative outcomes.
7. Motivation and inspiration of desired conduct via rewards and incentives for employees.
8. Business advantage via quick changes in strategic and tactical directions and proactive adaptation to challenges.
9. Improved responsiveness and efficiency via clear communication channels and transparent processes.
10. Optimized economic return and values via efficient human and financial resources allocation.

GRC in IT operations

While GRC is designed as an organization-wide approach, it can also be applied to specific units and workflows, like HR, finance, or IT operations.

When it comes to IT, GRC applies to IT technologies and cybersecurity (SecurityScorecard, Feb. 9, 2021). While the “standard” GRC is an organization-wide framework that doesn’t guide specific business processes, IT GRC looks at governance, risk, and compliance through the lens of IT operations.

Therefore, within the context of IT, the three foundations of the GRC framework shift their focus toward IT operations like this (Lindros, July 11, 2017):

• Governance – IT departments must ensure that their operations match the organization’s business vision and goals.
• Risk – IT departments must handle IT risks, such as hardware and software failure, malicious attacks, human error, natural disasters (as far as their impact on IT is concerned), or new technology-related regulations. Not only that, but IT operations must also consider other forms of risk that the organization might encounter, including financial risk or compliance risk.
• Compliance – IT departments must ensure that their operations comply with relevant laws and regulations, such as data privacy regulations.

Businesses can apply IT GRC to their entire IT operations or their specific parts. As a point of reference, businesses can use IT GRC in the following general areas (MetricStream, 2022):

• IT risk management – identifying, monitoring, and mitigating information technology risks.
• IT policy management – policies that align with internal controls, risks, and external regulations.
• IT compliance management – ensuring that IT operations adhere to relevant policies, controls, and standards.
• Threat and vulnerability management – detecting and remediating potential vulnerabilities in code, applications, and infrastructure.
• Closed-loop issue and incident management – the continuous process of self-improvement, reviews, and follow-up actions.
• IT vendor risk management­ – the assessment of the reliability and risk profiles of IT vendors.

At a more specific level, businesses can use IT GRC to:

• Improve efficiency by reducing staff and system costs; streamlining processes and reducing cycle time; improving resource allocation, and achieving scale efficiencies.
• Lower risk by aligning IT and security risks to business performance goals and strategies; improving IT and security risk identification; improving IT and security risk analysis; reducing losses and costs; improving measures for risk remediation; and improving IT and security risk intelligence.
• Gain efficiencies and lower costs by rationalizing IT risk and control frameworks; increasing data quality to reduce redundancies and errors; rationalizing or retiring legacy systems and data; and rationalizing the IT and security support/administration costs in cloud-based and outsourced systems.
• Improve governance and decision-making by providing more accurate, timely, and relevant information; building a risk-aware, empowered culture; institutionalizing enterprise-level resilience through integrated risk management; improving reporting measures; creating resilience and agility through quick responsiveness.

Businesses use GRC solutions to conform to the requirements of the GRC framework. GRC solutions facilitate business operations and reduce risk by providing features like these (IBM Cloud Education, June 18, 2020):

• Content and document management systems allowing businesses to store and manage digitized content.
• Risk data management and analytics tools helping businesses quantify, predict, and reduce risk.
• Workflow management tools supporting businesses implementation and monitoring of GRC-related workflows.
• Audit management tools standardizing business information and facilitate internal audits and reviews.
• Real-time key performance indicators highlighting business processes and objectives.

While GRC can be applied with an emphasis on IT, it should not be isolated from organization-wide efforts to implement the GRC framework. While a localized GRC implementation can produce benefits, it might not be able to contribute to the overall business success of the entire organization.

The GRC Capability Model as a guide for organizational transformation

The purpose of the GRC framework should be clear by now, but how exactly does it work, and what do businesses need to do to start reaping its benefits? The OCEG Red Book describes the GRC Capability Model™, which contains detailed guidance and advice for implementing the GRC framework. The GRC Capability Model includes the following four steps or components (Figure 2) (Switzer, et al., 2017, p. 13):

• L – Learn – the process of learning what the organization needs to know and do to support its business objectives.
• A – Align – the alignment of different procedures and processes in an organization (including strategies, actions, risk and compliance objectives, and stakeholder requirements) with its business goals.
• P – Perform– the process of acting to achieve desired outcomes and avoid undesirable ones.
• R – Review– the process of the continuous monitoring and improvement of the actions and processes that lead the organization to its business goals.

A more detailed overview of the four components follows.

L – Learn

The first phase in the GRC Capability Model is L – Learn. At a high level, this component emphasizes assessing external business opportunities and obstacles, internal capabilities and limitations, and stakeholder requirements.

L – Learn contains several sub-components:

• L1 External Context – assesses external factors like industry forces, market, geopolitics, society, technology, and external stakeholder and influencer needs. The OCEG Red Book refers to the environment outside of an organization as the external context. L1 External Context focuses on the ability of an organization to respond to changes and trends in the external context proactively.
• L2 Internal Context – assesses internal factors like strengths and weaknesses, operating and strategic plans, organizational structure, and information gaps. L2 Internal Context ultimately focuses on developing capabilities that align with the organization’s business goals.
• L3 Culture – analyzes the internal culture of the governance, management, and risk elements. L3 Culture promotes cultural changes that can support the organization’s objectives.
• L4 Stakeholders – incorporates the understanding and analysis of stakeholder expectations and requirements. The stakeholders of an organization include but are not limited to shareholders, investors, customers, employees, and suppliers. L4 Stakeholders intend to help stakeholders match their requirements and expectations with external context and the actual capabilities of the organization.

A – Align

A – Align focuses on the alignment of:

• Performance, risk, and compliance objectives and strategies.
• Decision-making criteria, actions, and controls.
• External and internal context.
• Organizational culture.
• Stakeholder requirements and expectations.

This component connects the different impactful factors and makes sure that they can operate in unison to serve a common goal.

Like L – Learn, A – Align has a range of sub-components that provide more insight into how alignment should and could be executed:

• A1 Direction – establishes a clear mission, vision, and value statements; high-level objectives; and guidance about how decisions will be made. A1 Direction seeks to clarify business goals and existing opportunities and threats.
• A2 Objectives – defines more detailed, low-level objectives that can cascade down to teams and individuals. A2 Objectives again adds clarity to business operations, providing more specific guidance to departments and employees.
• A3 Identification – identifies desirable (opportunities) and undesirable effects (threats) on achieving objectives. A3 Identification promotes the precise categorization and structuring of opportunities and threats.
• A4 Assessment – analyzes the current and planned approaches to address opportunities, threats, and requirements. A4 Assessment allows organizations to ensure that their opportunities are achievable and in line with their objectives and that risk is acceptable.
• A5 Design – develops strategic and tactical plans for achieving established objectives and addressing uncertainty. A5 Design can help organizations optimize risk and apply their capabilities effectively.

P – Perform

P – Perform is all about achieving goals and objectives by addressing undesirable events and conducting and encouraging desired outcomes. This component relies on proactive analysis and response to successes and failures in business processes.

The OCEG Red Book provides the following breakdown of P – Perform.

• P1 Controls – establishes actions that serve governance, management, and assurance needs. P1 Controls aims to clarify and simplify the control of technology, information, human capital, and processes.
• P2 Policies – implement policies that define conduct, maximize opportunities, and minimize threats. P2 Policies essentially aim to maximize value and add transparency to internal processes.
• P3 Communication – develops communication and reporting measures within the organization. P3 Communication promotes effective and efficient communication and conformity to mandates.
• P4 Education – educates involved parties, like employees and management, about expected conduct. P4 Education adds clarity to the responsibilities of each party and helps them carry out their duties more effectively.
• P5 Incentives – defines desired conduct and incentives for positive outcomes. P5 Incentives aims to motivate employees to achieve desired outcomes and avoid negative ones.
• P6 Notification – facilitates the reporting of progress and raising issues within the organization. P6 Notification adds structure and consistency to reporting processes.
• P7 Inquiry – encourages the periodical analysis of progress toward objectives and identifying undesirable conditions for their achievement. P7 Enquiry serves as the direct continuation of P6 Notification in that it pursues to detect actual issues based on reports and complaints.
• P8 Response – responds to issues discovered in P7 Inquiry. P8 Response focuses on actually addressing undesirable conditions and weaknesses within the organization.

R – Review

Finally, R – Review focuses on continuous improvement to address issues and undesirable conduct discovered in the previous stages. R – Review includes the following three sub-components:

• R1 Monitoring – promotes the continuous monitoring of business capabilities and performance. R1 Monitoring aims to help organizations discover issues early on and obtain factual data about performance.
• R2 Assurance – assures the governing authority, stakeholders, and management that the business capability is reliable, effective, efficient, and responsive. R2 Assurance seeks to increase the relevant parties’ confidence in the organization’s performance.
• R3 Improvement – promotes reviewing information from previous stages to identify opportunities for improvement. R3 Improvement can help organizations continuously improve based on past experiences, successes, failures, and feedback.

Figure 3 visually summarizes the details above.

Next steps: How can businesses start using GRC?

“I thrive in structure. I drown in chaos.”

– Anna Kendrick

Businesses need to define the scope and priorities for the organizational changes to successfully apply GRC to their IT operations. More specifically, to start adopting the GRC framework in IT, businesses should do the following: (MetricStream, 2022).

• Help stakeholders identify high-priority IT initiatives that are aligned with the business’s strategic objectives.
• Understand the ability of the organization and its business units to deploy high-priority initiatives.
• Achieve consensus with the stakeholders on what is required to achieve desired outcomes.
• Establish the suitable governance model with sufficient funding and executive commitment.
• Define a detailed roadmap with high-level estimates of the required effort and funding.
• Prepare for organizational change.
• Communicate successes to stakeholders and promote continuous improvement.

Businesses should remember that effective communication between stakeholders is crucial to the success of GRC. Communication can help organizations reach consensus quicker, better understand what needs to be done and deliver value in a shorter time frame. Finally, consideration should be given for certifying professionals in your enterprise. OCEG (2022b) provides that high quality of credentialing. SAP also provides basic certification through its [GRC100: Principles of SAP Governance, Risk and Compliance](GRC100: Principles of SAP Governance, Risk and Compliance “GRC100: Principles of SAP Governance, Risk and Compliance”).