1 Introduction
Today’s GRC solutions offer better alignment with corporate objectives, increased transparency, better risk management and more cost-effective compliance. The market currently offers a wide array of options, from the biggest IT services providers down to smaller, less mature specialist suppliers. The GRC tools themselves have matured from basic automated checkbox applications into more integrated solutions that make use of AI and analytics, which are needed to cope with the massively increased amount of data and applications that organizations use.
An IT GRC solution will enable organizations and businesses to create and organize GRC policies and controls, and help organizations stay on top of an increasingly complex and changing regulatory environment. KuppingerCole defines the component parts of GRC as follows:
- Governance: sets objectives and rules for an organization
- Risk: the threat to those objectives and rules
- Compliance: the range of laws and regulations that an organization must meet
Fundamentally, an IT GRC tool forms an integral part of an organization’s overall compliance program and strategy. This strategy will vary depending on the organization’s size, industry sector and compliance demands. Such tools have been around for some time, but as compliance issues have grown in importance for organizations of all sizes, so has the importance of the tools. Legislation such as GDPR or the new California Privacy Act (CCPA) has made companies sit up and take notice of their data protection responsibilities or face severe financial penalties. At the same time, smart organizations have realised that better management of Governance, Risk and Compliance (GRC) also matters for the efficiency and competitiveness of operations, from marketing right through to better supply chain economics. GRC, particularly business continuity planning, incident response and crisis management, is now the administrative and analytic heart of enterprise information risk management. This also assists with investment decisions on security and gives boardrooms assurance that the optimum is being done to keep the organization compliant and resilient.
Whatever tools are chosen, IT GRC is moving from being a function of basic auditing, risk management and compliance into a more pervasive tool that can be used for business planning and risk intelligence, sometimes in tandem with ERP or CRM applications and platforms.