July 17, 2008

Sponsored by Neupart, the ERP of Security

Governance, Risk Management and Compliance (GRC) could arguably be nominated as the buzzphrase of the year. Analysts, vendors and the media are touting GRC as a key overarching strategy to transform the modern corporation. What is GRC and is it useful to your business?

As popular as GRC seems to be, it defies an easy and universal definition. The conventional wisdom is that the organizational overhead from onerous governance requirements and a checklist approach to compliance hurts the organization, making it less secure and less competitive. We recommend that you think of GRC as aligning and integrating each of the three components to improve the quality of results each component provides. OCEG, a non-profit association championing GRC, uses the term “Principled Performance” to describe this concept. PwC, who first coined the term, uses “Integrity-Driven Performance”.

There clearly is some logic and common sense embedded in the definition. Take the example of a vulnerability assessment of IT assets that must be conducted for compliance purposes. A vulnerability assessment of a large enterprise will typically create a huge report of compliance tasks that will be difficult to accomplish. Using risk management can help cut down the tasks to those that really matter, streamlining compliance.

One problem with some approaches to GRC is that they are so comprehensive in scope that they amount to business process re-engineering on a massive scale. Organizations are reluctant to undertake huge initiatives that are not clearly aligned with the business in the name of improving performance, as the business case data is only beginning to emerge.

At Neupart, our view is that it is not about buying into the GRC hype, but about asking yourself whether some of the GRC research can be applied in your company in an incremental way. We feel there are some sound principles flying under the GRC banner which are useful for those with responsibilities in areas such as IT compliance, information security and operational risk. Our view is that the application of special purpose content management technology with workflow capabilities – such as that developed by Neupart – can solve problems and save you a significant amount of redundant manual work:

  • Repeatable Audits and Risk Assessments. The ability to capture compliance audit and risk assessment tasks and responsibilities within a workflow system allows you to save significant time and money if those projects ever need to be repeated – which is almost always the case.
  • Rationalization of IT controls. Documenting all IT controls and mapping them to frameworks such as COBIT and ISO27002 can allow an organization to identify overlapping and redundant controls. Rationalizing controls can streamline processes, eliminate unnecessary hardware and software and focus your employees on more productive work.
  • Standards compliance. Using technology to map your corporate policies to recognized standards simplifies the job of defending your business practices to new regulators and business partners – “future proofing” your compliance.

We believe that the concepts of GRC should be applied pragmatically, with a low cost barrier to entry, mindful of the big picture. We encourage you to look at GRC implementation one step at a time and Neupart would be delighted to be your GRC partner.

By Neupart • Articles, Neupart, Sponsored By
