
The Risk of Underestimating Risk Management

by Dennis Byron, IT Investment Research
Aug 5, 2008 12:00:00 AM

Governance, risk and compliance (GRC) management is a buzzword du jour. But because of that, IT management and staff might ignore it. Don’t! The combination of an explosion in unstructured data to be managed and the coming exponential growth in services — many of them crossing firewalls by design — means IT could lose control even more than it did during the PC boom of the 1980s. Except today, shareholders, customers and governments are all looking over IT’s shoulder.


According to the 2008 Metadata Market Survey conducted for IBM "… 45 percent (of respondents) do not yet have a data governance council..." IBM’s own Data Governance Council… believes "The value of data will be treated as an asset on the balance sheet (to be) reported by the CFO while the quality of data will become a reporting metric and key IT performance indicator."


These data-side GRC predictions are mirrored on the services side. That’s services as in service-oriented architecture (SOA), where code sets of wide origin and always suspect quality will be as viral as unstructured data. On June 17, 2008, HP announced the results of a global survey that said the greatest sources of IT risk were the volume of changes, and the increasing complexity of systems. HP said three out of four respondents’ enterprise risk management is coupled with IT risk management. But 68 percent use manual methods and only 28 percent described their application security process as mature.


Jennifer Johnson, senior manager, Product Marketing, Business Service Automation at HP, said "IT infrastructure (and services) need to be looked at like production equipment and quality control processes in an ISO 9000 manufacturing environment. Users need real-time view of infrastructure and (other resources and) how they 'map up' to business services." Johnson feels users can't simply manage at the device/resource level anymore. Users need to manage GRC at the business level.


IT Enhancing Its Control with ITIL


HP predicts the number of technology changes that might have GRC implications occur at a rate anywhere from hundreds to tens of thousands per week. HP recently announced new business technology optimization (BTO) software to help manage change and reduce the risk of potential business downtime. These new offerings are combined with a new Information Technology Infrastructure Library (ITIL) Version-3-based Configuration Management System (CMS) solution. Suppliers are driving the GRC movement, but ITIL standardization activity is one way IT management and staff can get involved and make sure their supplier’s offering meets user needs.


ITIL is a set of documents that aid in implementing an IT Service Management framework (itSMF), by outlining management procedures that are supplier-independent and have been developed to provide guidance across all IT infrastructures. It was initially developed by the CCTA, a UK government agency, but has been widely adopted. ISO/IEC 20000 is the international standard aligned generally with ITIL. In general, the suppliers are working with standards organizations and other user activities to keep their customers in the GRC loop.


Taking a Cue from BPM


In an IT Investment Research survey, Serena Software reports that regulation is one of four key reasons for implementing GRC along with globalization, and the need to increase programmer productivity and IT automation. Serena addresses GRC primarily from the application development perspective, but its Dimension brand offers end-to-end, process-centric application lifecycle management, keying on use of a single repository for requirements, configurations, change and release. In addition to supporting ITIL standards, Serena also works with the Carnegie-Mellon Capability Maturity Model Integration (CMMI) approach designed to help integrate traditionally separate organizational functions, such as line of business and IT departments.


Software AG also conducted a survey in 2008 and found that "Governance plays a key role in creating sustainable, enterprise-wide (SOA) implementations and that users recognize that better governance is needed to institutionalize and automate needed SOA processes and best practices." Jignesh Shah, VP, Product Management & Product Marketing, SOA Governance at Software AG, comments on the sometimes overlapping relationship between GRC and business process management (BPM): "BPM seems to be a companion technology because there is much BPM-like terminology. For example, a GRC policy is basically a business process for IT."


But the similarity is because "SOA, like BPM, causes a fundamental shift in interaction requiring a whole new level of collaboration," says Shah. Like HP's Johnson, Shah urges that IT users look for specialized GRC solutions because not all products offer all the bells and whistles needed. For SOA governance, IT needs to know how services are interconnected, "not just a view into one silo." This perspective was never needed in traditional systems management.


Software AG offers two types of products in GRC. Optimize for Infrastructure competes with the CAs and BMCs of the world and is used by IT operations staffs. Centrasite is designed for SOA governance and is more for developers. The company feels that the two types of products may come together when SOA becomes more mainstream.


The differences between Software AG's products illustrate the distinction between simply looking at the code/process/service side of GRC and looking at the big picture. Dave Rosenberg, CEO of Mulesource, says, "SOA governance has been a rich man's sport so users tend to use Excel, although that leaves them with no ability to catalog artifacts and other necessary functions such as support for clustering." Mulesource’s Galaxy open source project, which went to Enterprise level in June 2008, is designed for governing and managing risks with the services registry. Mulesource is not trying to replicate the big-picture systems management offerings available both in the open source and commercial world.


Other products that IT Investment Research researched as options include Entuity’s Eye of the Storm (EYE) Network Management Suite, which supports the identification of trends in resource usage. Entuity says, "EYE increases the productivity of IT operations staff – the true foot soldiers in the competitive marketplace battle." Eye of the Storm supports the best practices recommended by IT Service Management Forum, another group users can join to support their GRC needs.


In the Microsoft world, there are products such as NetPro, with three new solution upgrades that include enhanced capabilities for Windows access management and auditing, as well as log management for Windows. Exaprotect’s solutions, which run on both Windows and Linux, were combined into a suite this year and offer centralized multiple-vendor-resource policy configuration, translate user-generated business policies into device-specific rules, and work like a workflow product. Exaprotect finds the major reasons its users are choosing the product are business change driving network security configuration changes, regulatory compliance and threat detection remediation.


In the survey mentioned earlier, Software AG found that first movers in SOA are bringing forth a number of best practices for minimizing the risk and increasing the payback of SOA adoption. On the data side, the solution is vastly improved metadata change management. For services, the solution is services governance. For the infrastructure that supports both, the solution is risk management software.


The risk in risk management is to think of the three as one function.
