GRC: Trying to take the bite out of risk
Is governance, risk and compliance (GRC) software the right choice for your company?
By Bob Violino
August 22, 2012 | CSO
These days, organizations are facing increasingly sophisticated information security attacks from multiple sources. At the same time, they're struggling to comply with a growing number of government and industry regulations, and they're facing pressure to put in place better corporate controls.
One way to address this group of challenges is with a relatively new concept that has a variety of definitions in the marketplace: governance, risk management and compliance (GRC) technology.
GRC software tools, both those designed specifically for IT-related data (IT GRC) and those covering broader enterprise issues (EGRC), first appeared about 10 years ago. The software is designed to automate GRC processes, enable companies to integrate and manage operations that are subject to regulation, and implement an organized approach to managing GRC-related activities.
The core functions of GRC software are content/document management, workflow, a relational database for mapping GRC components (such as risks, requirements, controls, assets and processes), and reporting, according to Chris McClean, senior analyst at Forrester Research in Cambridge, Mass. Rather than having to store GRC-related data in multiple silos, companies can leverage a single platform to track activities and enforce rules and procedures as needed.
"Most GRC software implementations are used to facilitate manual processes with workflow and standardized forms," McClean says. "Most of these tools allow customers to pull data from other systems as reference information for risk/control measurement, and in some cases organizations are using these capabilities to automate risk assessments and control tests."
Among the potential benefits of GRC are greater efficiency, reduction of losses and improved performance, McClean says.
Despite the promise of the technology, organizations have been somewhat slow to implement GRC software, according to industry research. Forrester's June 2011 Forrsights Security Survey of 1,071 IT security executives shows that nearly 40 percent of those surveyed said they were interested in the technology; however, only 20 percent of the organizations had implemented IT GRC platforms or were planning to at some point.
"Adoption is relatively low, but interest, and therefore market potential, is still high," says McClean.
Proper processes are key
Before a company gets involved with GRC software, its executives need to understand that the products are essentially designed to automate existing processes that should already be proven and effective. This is the single most critical success factor in building an effective GRC program: people first (buy-in), process second, and only then technology.
"You will only be successful if you have a sound risk management framework and you have the right engagement across the organization," says Jorge Beaujon, vice president and head of operational risk at WorldPay US Inc., an Atlanta-based global card payment acquiring business. He says a solid framework and the use of GRC software from Modulo Security have helped his company tackle regulatory compliance, security and other risk areas. "If your framework is not appropriately designed, your GRC program will fail irrespective of the system you choose to support it," he says.