The basic concept of GRC (governance, risk and compliance) is simple – (1) say what you need to do and make sure everyone knows about it, (2) make sure you proactively look at risks, and put controls in place to mitigate the risks, and (3) monitor the controls you put in place to make sure they are working. In other words, put objectives and policies in place to reflect your strategy and regulatory commitments; periodically review the related risks; ensure that controls are in place, and audit the controls.
Say you work for 'The Wide World of Bananas, Inc.' growing and shipping bananas. Now, when everyone in your company knows why they are peeling bananas, which bananas they should peel, where the fallen peels are, and then consistently walks around them (or picks them up and tosses them into the trash bin) … then you have a company that is shipping a lot of high-grade bananas without falling down too often. Better GRC means better business. Easy.
Of course, growing and shipping bananas is not really that simple. You probably have your own banana plantations, and source some other bananas from third parties. You probably have a facility where you wash and shine all those bananas. You most likely ship those bananas to other countries. There is the IT department, for any self-respecting banana shipper needs 'Big Data' and iPads … and let's not forget the bean counters who really are counting bananas in this case.
In reality, any business looks somewhat like the banana business - with suppliers, suppliers' suppliers, facilities, manufacturing, R&D, quality, IT, finance, HR … and lots of people. And let's not forget all the regulations! Financial reporting regulations, export regulations, data privacy regulations, health and safety regulations … there's probably a good reason behind each and every one of them. Clearly the business of doing business is not simple, and if we are to achieve any measure of success by applying GRC across the board, we need technology. Here's how technology can enable and support GRC, as identified by Vasant Balasubramanian, MetricStream's vice president of product management.
IT reality check finds IT leaders staying the course heading into second half of 2015. ... More >>
As IT becomes more tightly integrated into the business process, the experienced IT professional is expected to be able to understand the business, communicate ideas with coworkers and clients, negotiate, and lead. ... More >>
A cookie-cutter approach to compliance can leave organizations more exposed than ever before to potential security risks and controls failures. ... More >>