These days, organizations are facing increasingly sophisticated information security attacks from multiple sources. At the same time, they're struggling to comply with a growing number of government and industry regulations, and they're facing pressure to put in place better corporate controls.
One way to address this group of challenges is with a relatively new concept that has a variety of definitions in the marketplace: governance, risk management and compliance (GRC) technology.
GRC software tools—those designed specifically for IT-related data (IT GRC) and broader enterprise issues (EGRC), first appeared about 10 years ago. The software is designed to automate GRC processes, enable companies to integrate and manage operations that are subject to regulation, and implement an organized approach to managing GRC-related activities.
10 tips for implementing GRC
- Create a group that will be responsible for overseeing the GRC project, including software implementation, that integrates stakeholders from different areas. Executive management must support it.
- Develop a plan with defined objectives and targets.
- Prioritize efforts based on inherent risks. Look at the organization as a whole and understand the core business processes.
- Include all stakeholders early in the software implementation and planning process. This should include end users.
- Reach out to peers and consultants for advice about GRC software before problems arise.
- Start with one or two critical issues or departments as a proof of concept before trying broader adoption of GRC software.
- Make participating in risk and compliance user friendly as well as useful. If staffers who are asked to conduct assessments receive helpful information for their efforts, they are more likely to want to participate next time.
- Before getting too far down the line with automated assessments and testing, focus on the fundamentals first, including process workflow, terminology and measurement scales.
- Anticipate change management. GRC implementation is all about reviewing existing processes and policies.
- Make sure GRC software is always aligned with business processes.
The core functions of GRC software are content/document management, workflow, a relational database for mapping GRC components (such as risks, requirements, controls, assets and processes), and reporting, according to Chris McClean, senior analyst at Forrester Research in Cambridge, Mass. Rather than having to store GRC-related data in multiple silos, companies can leverage a single platform to track activities and enforce rules and procedures as needed.
"Most GRC software implementations are used to facilitate manual processes with workflow and standardized forms," McClean says. "Most of these tools allow customers to pull data from other systems as reference information for risk/control measurement, and in some cases organizations are using these capabilities to automate risk assessments and control tests."
Among the potential benefits of GRC are greater efficiency, reduction of losses and improved performance, McClean says.
Despite the promise of the technology, organizations have been somewhat slow to implement GRC software, according to industry research. Forrester's June 2011 Forrsights Security Survey of 1,071 IT security executives shows that nearly 40 percent of those surveyed said they were interested in the technology; however, only 20 percent of the organizations had implemented IT GRC platforms or were planning to at some point.
"Adoption is relatively low, but interest, and therefore market potential, is still high," says McClean.
Proper processes are key
Before a company gets involved with GRC software, its executives need to understand that the products are essentially designed to automate existing processes that should already be proven and effective. This is the single most critical success factor in building an effective GRC program. People first (buy-in), process second, and only then technology.
"You will only be successful if you have a sound risk management framework and you have the right engagement across the organization," says Jorge Beaujon, vice president and head of operational risk at WorldPay US Inc., an Atlanta-based global card payment acquiring business. He says a solid framework and the use of GRC software from Modulo Security have helped his company tackle regulatory compliance, security and other risk areas. "If your framework is not appropriately designed, your GRC program will fail irrespective of the system you choose to support it," he says.
"You have to have good processes before you can be successful in implementing IT and enterprise GRC," agrees Paul Proctor, vice president of security and risk management at research firm Gartner Inc. in Stamford, Conn. "The single biggest failure we see in the implementation of these systems is if [for example] you buy one of these for vendor risk management and you don't really have a decent vendor risk management process in place."
In this in-depth Governance, Risk and Compliance (GRC) report
- Intro: Pulling it all together
- Is GRC software the right choice for your company?
- What's next for GRC
"When a bad process is automated, it just increases the efficiency with which that bad process happens," says McClean. "Risk professionals still need to create a framework for how risk is measured, who is involved, what processes are required and what decisions will be affected by these efforts. Then they can use technology to standardize these efforts and pull together information from a lot of different areas to improve oversight."
Bodies such as auditors, regulators and risk committees "more and more are concerned with the processes of risk and compliance as opposed to just the outcomes of those efforts," McClean says.
"For example, they're looking at how an organization is able to identify, measure and mitigate risks, with less concern for what those risks are."
One noteworthy trend Proctor sees coming in the market is a consolidation of GRC tools within organizations, tied in with a new approach to how some in the industry are viewing IT GRC and EGRC tools. The products have generally been treated as separate entities, but firms such as Gartner are beginning to rethink whether IT and enterprise GRC are in fact separate markets. Proctor says IT GRC software, which has traditionally focused on gathering IT-related data, has garnered a much smaller market than EGRC software and is just another aspect of what EGRC is all about. When CSOs are exploring capabilities for GRC, he says, they should consider whether they need a separate tool for IT GRC.
Some of the enterprises that are using GRC tools are running multiple versions because different departments and business units bought different tools—each with their own strengths—based on the needs of the individual department. Proctor says this approach misses the point of GRC software, which is to provide a singular view of governance, risk and compliance within the organization. "If everyone buys their own tool then they're only getting automation for their own processes or department," he says.
"Some organizations have as many as five of these tools, and in organizations where that happens they have no central oversight of this."
Rather than allowing multiple purchases of GRC software, or looking for GRC tools designed specifically for areas such as IT, Proctor says companies should aim to deploy multipurpose EGRC software that has strong IT functions and that can be used throughout the enterprise.
"We believe the EGRC tools are becoming more like ERP [enterprise resource planning] systems: big, overarching systems that help guide overall processes but have different modules that might be loosely connected," Proctor says. These modules cover areas such as technology, finance and risk management. (Read more about enterprise risk management.)
GRC technology implementations are taking more of a platform approach, says Forrester's McClean. "Organizations are still primarily looking for solutions to a few of their most pressing risk and compliance issues, but it's just as important to license technology that is flexible to address a wider range of requirements," he says.
"[That] may include building their own applications on top of the core capabilities of GRC platforms," for content management, workflow, relational database and reporting.
Proctor suggests that organizations adopting GRC software treat the various components that make up governance, risk and compliance as if they're interrelated. It's a strategy that hasn't typically been deployed at companies, and it's a different way of understanding the value proposition of GRC.
"When I describe this to a client, I usually say if you break GRC down, governance is how you make decisions, risk is how you prioritize your decisions based on how risky something is and compliance is how you address various mandates, be they external or internal," Proctor says.
"What GRC is really about is those three things actually tightly rolled up."
In the past, those functions usually were siloed and barely crossed paths, Proctor says. "Now organizations have figured out that those things are actually combined, so they need a repository in order to make decisions," he says. "They need some workflow capabilities and they need some data gathering function."
What new functionality will GRC products offer in the future? "Analytical capabilities are going to be increasingly important for GRC," McClean says.
"This includes more/better aggregation of risk and compliance data from other systems, and better analysis of that data, such as trending, forecasting and scenario analysis."
McClean predicts that other technical advancements will include mobile device support for tasks such as assessments, training and reports; better collaboration capabilities; and greater flexibility of delivery models such as software-as-a-service (SaaS) and other hosted services.
Vendors describing their product directions promise growth in a number of areas:
- better process connections between security, IT and business operations;
- integration of an ever-broadening array of applications and data sources;
- advances in the sophistication of quantifying and comparing different risks;
- and the ability to measure and improve the effectiveness and efficiency of business processes.
This last point is in some lights the Holy Grail of security tools. Determining the return on investment for risk management is a notoriously slippery problem. It's easier to sell a program of measurable operational improvements that also happens to offer security and risk management benefits.