Conclusion
In summary, by building an integrated GRC information architecture, organizations benefit from common GRC libraries with common terms for core elements such as business units, risks, controls, products, processes, assets, vendors and people. Setting up GRC libraries helps an enterprise maintain associations and mappings at the desired level of granularity to support business, risk and regulatory compliance needs.
GRC libraries structure a logical compliance and controls hierarchy, including processes, sub-processes, objectives, associated risks, controls and control activities. This can significantly reduce the amount of time IT and security professionals spend defining and maintaining an integrated risk and control framework. This makes it much easier to define risk management essentials, including appetite, thresholds, risk analysis methods, risk calculations for rollups, metrics and analytics.
By balancing common and federated processes for risk identification, analysis and issue management, all business units and stakeholders can participate in a common model while keeping their own methods and practices. Putting a sustainable GRC information architecture in place, with the right stakeholders involved, a model that evolves, and a build-out over time, brings you a long way toward orchestrating GRC intelligence across your organization with a trusted system of record and version of truth.