Managing governance, risk and compliance practices

Belhassentatar
Apr 17, 2021

The article examines the concepts of GRC through a Q&A approach, tackling the following key angles:

Does the “C” in GRC stand for compliance or controls?

Experts largely agree that the “C” stands for compliance, in that it assesses and manages the extent to which IT systems, and the data contained within those systems, are used and secured properly (through appropriate IT controls). The point here is that compliance obligations ultimately dictate which types of controls should be implemented as part of the framework.

How does it work?

Organizations develop a framework for the leadership, organization and operation of their IT areas and systems to ensure those systems support the organization’s objectives. Many organizations adopt third-party tools or frameworks to manage the process (Grama, COBIT, COSO and ITIL being the frameworks most commonly referenced across industries). The point of this question is to reinforce that starting from scratch is usually unnecessary: a variety of existing tools and frameworks can be reviewed against your own industry or company needs.

What does a successful implementation look like?

The article stresses that a framework will never ultimately succeed unless the organization’s culture evolves to support the corresponding GRC activities. Identifying key risks is only helpful if leadership is willing to address them. It is therefore important to establish the importance of the framework at the outset of its use, across all interested parties in the organization, or risk a failure to execute on the overall strategy.

Who employs GRC?

The article explains that any type of organization can benefit from GRC, including private or public companies and small-cap or large-cap companies, since there are corresponding IT activities that help a business achieve its goals in an increasingly demanding regulatory environment. What differs by company size or type is the scope and the layers of GRC that need to be implemented.

How can you become certified in it?

Given the complex regulatory environment that has evolved for businesses, GRC certifications are becoming the norm for many high-level positions and even entry-level positions, including CIO, IT and security analyst roles. Relevant certifications include CRISC, CGEIT, PMI-RMP, CRMA, CRGP, etc.