GRC – A Simplified GRC Eco-System Model Even Your Mother Can Understand
As people try to understand the scope of something and their place in it, eco-system definitions are often the best place to start. GRC analysts have been defining them for years, as have organizations such as OCEG (the Open Compliance and Ethics Group). The problem has been that most eco-system definitions are either so abstract or so complex that it is hard to really get your arms around what they mean. And, to further frustrate those on a mission to explain this sprawling space to others, including their management, analysts’ eco-system definitions invariably don’t line up.
Here’s a start at a simple model that you should be able to use to explain GRC to, yes, other members of your family who are not in GRC. And, yes, you CAN try this at home.
Ok, think about GRC as five layers of progressively larger circles, which incidentally tend to reflect the size of their markets. Nice diagram here to guide you. Let’s go through these circles one by one.
Layer 1: Core GRC Management
The first layer we call GRC core functions: what the user directly interacts with for policy life cycle management, risk and compliance assessment, remediation and incident management, as well as visualization and analytics. Example companies in this space are BWise, OpenPages and Archer. In the smaller IT GRC space, examples are Agiliance, CA and Relational Security.
Layer 2: Content
The second layer is comprised of content that GRC vendors typically license, or include in their products if it is freely available. Content ranges from regulations such as Sarbanes-Oxley or the Payment Card Industry Data Security Standard, to best practice standards like COBIT or the ISO 27000 series, through to risk and control catalogs and training materials. Business rating firms like Moody’s, Standard and Poor’s and Dun and Bradstreet are important to measuring the risk of customers and suppliers. Regulations are available through sources such as the Federal Register. Best practice guidance is available through many sources: the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the IT Governance Institute and ISACA (COBIT), the US Government (NIST), the Information Security Forum (ISF), and the Open Compliance and Ethics Group (GRC Red Book), to name a few. Industry specific content is available as well, such as LexisNexis for Legal and Complinet for Financial Services. Risk catalogs can be procured through vendors ranging from SAS to Algorithmics, ORX, Moody’s, the Economist and iDefense. Threat and vulnerability information on standards such as CVS and OVAL is available through MITRE, BITS for Financial Services, and the National Institute of Standards and Technology (NIST) for a wide range of helpful standards. Example vendors of e-learning courseware for GRC Awareness, Quality, Security or Business Ethics are Certpoint, Saba, Geolearning, Plateau Systems, SAP, Oracle and LRN.
Layer 3: GRC Supporting Technologies
The third layer is comprised of GRC supporting technologies such as e-discovery, content management, workflow and business intelligence, which increasingly provide GRC controls embedded directly in the technology itself. For example, many content management vendors now offer add-on modules for policy and records management which allow companies to manage the creation, retention and destruction of records in compliance with policy and regulatory requirements as information moves through its life cycle. In addition, new virtualization technologies are becoming increasingly GRC aware, ensuring that as applications, information and storage elements are virtualized, they are able to retain the attributes that keep them compliant. Examples in this space are many; I will mention a few to give you a flavor: e-discovery (EMC’s SourceOne, EMC Ionix, Clearwell, AccessData); Data Loss Prevention/Content Filtering (EMC’s RSA DLP, Verdasys, Reconnex, Websense, Vericept); Content Management/Search (EMC Documentum, Autonomy); Collaboration (SharePoint, wikis); Workflow and BPMS (EMC, IBM, Pegasystems); Data Warehouse/Business Intelligence (Microsoft, SAP BusinessObjects, Cognos); Dashboards and Visualizations (all the BI vendors and other niche players such as Cordys for mashups); and Service Oriented Architectures (EMC, IBM, Layer 7, Progress).
Layer 4: Business and IT Functions internal to organizations
The fourth layer describes business and IT functions that support GRC. The main business functions include Enterprise Risk Management, Performance Management, Quality Management, Audit Management, Legal and Compliance Management, Vendor Management, Project Portfolio Management and Incident Management, but depending on your organization there could be more, or fewer! IT functions include Business Continuity/Disaster Recovery, Application-level Controls, Change Management, Configuration Management, CMDB/Asset Management, Information Management/Governance, Records and Retention Management and, of course, Information and Physical Security Management.
Layer 5: Professional Services Advisory Firms
The fifth layer describes the professional services firms that assist organizations in understanding their regulatory requirements and advise on policies, governance and the implementation of programs, controls and information technology to optimize GRC for the enterprise. These practices vary from firm to firm (PwC, E&Y, KPMG, Deloitte, Protiviti) but include Corporate Governance (Ethics, M&A), Organizational Change Management, Legal and Compliance, Audit (Internal, External), Corporate Responsibility, Sustainability, Enterprise Risk Management (Strategic, Financial/Treasury, Geo-Political), Operational Risk Management (IT, HR, Business Continuity, Supply Chain), IT Management, IT Governance and Security Risk Management.
So, you can see this GRC space is BROAD. And you probably can find yourself in there, right? It’s big. I read a report last week from 2000 claiming 8% of the US GDP was attributed to compliance activities. My bet is that it is more now, and you are affected by this. Time to start learning a bit more about GRC…