Confusion leads to chaos. One area of confusion is IT-GRC. Major analyst firms are in a hubbub trying to get their arms around IT-GRC. IT security vendors are pulling in many directions trying to get IT-GRC to be defined to cover their respective niche. Others are lobbying to define IT-GRC as everything technology that relates to GRC.
Time for my soapbox – which brings a simple set of points to understand this . . .
- GRC itself is bigger and broader than technology. GRC is about collaboration and communication – it is getting many silos of risk, compliance, and governance to work together and share information and processes. Technology is a piece, and an important piece of GRC, but it is not GRC itself.
- An enterprise view of GRC encompasses . . . the enterprise. GRC is about all the silos. Each silo has its label – finance, HR, quality, ethics, legal, audit, compliance, environmental, health & safety, risk, and yes – IT. For that matter we have things like Finance-GRC, Quality-GRC, Environmental-GRC, Supply Chain-GRC – you get the point. Each siloed domain has governance, risk, and compliance concerns keeping a portion of the business up and night while the rest sleeps.
- IT has a dual role in GRC. IT plays a supporting role in the infrastructure managing enterprise GRC silos. The other role is the one IT has in managing is own set of governance, risk, and compliance concerns within the IT context.
It is the dual role of IT where the confusion comes in.
My view of the world is that enterprise GRC is greater than IT-GRC (GRC > IT-GRC). Technology supports and enables enterprise GRC processes to deliver sustainability, consistency, efficiency, and transparency. Technology is important in all the domains of GRC.
Then you have the GRC concerns that fall on the shoulders of the IT department – security, disaster recovery, IT governance, IT risk, IT compliance . . . this is IT-GRC.
In a nutshell – IT-GRC is what keeps the CIO and CISO up awake at night, while other areas of GRC are what keeps others awake at night. IT-GRC involves the governance, risk, and compliance issues and burdens on IT that are the responsibility of IT to manage. That is IT-GRC.
Interestingly enough, I was at an event last week of a dozen senior IT executives and we discussed this concept of IT-GRC. These were all Fortune 500 firms. Going around the room each was spending on average 5-6% of their IT budget this year on IT-GRC. A few were lower than this in the 2-3% range while one, who was significantly working on their IT-GRC strategy, was spending about 12% of their IT budget on IT-GRC.
What are your thoughts and perspectives on this? As many of you know, I am actively engaged with the Open Compliance and Ethics Group (sorry for being a broken record on this). The technology council of OCEG is going to be having an internal call to discuss the difference and relationship of IT-GRC to other areas of GRC. I would love your feedback in preparation for this call. . .