Several interesting points were made clear in the discussions:
- There is still a lack of comprehensive understanding for the term GRC, its subareas as well as its meaning.
- There is an obvious difference between the methods of approach in Europe and that in the USA.
- Although closely connected, it is still unclear what additional uses GRC should actually bring.
- Added to that, there are also many “GRCs”. More on this below.
We made a definition of this market for the first time with the GRC Market Report 2008 GRC-Tools address more than just auditing. An important element is also the control of authorizations.
GRC consists of three subareas – Governance, Risk Management, and Compliance. The somewhat indistinct term – Governance (one thinks of “Governess”) is the roof – it concerns correct, normal actions. Corporate Governance is the Corporation Management; IT Governance is the IT – Management.
Compliance is the most considered but still most unimportant subarea. Thereby it is only formal keeping of regulations. Unfortunately it is often interpreted as self-protection for the responsible persons as unique or recurring activities every year, but not implemented in continual process in order to also draw uses from it.
Risk Management is finally the area which, without structures and continuity, cannot be converted and thus most interesting. This is about definition of Risks, its measurement and the structured association with it – and in conclusion, to concentrate on Management in exceptional situations because these can be more easily recognized.
The topic GRC is in focus in the USA, at present strongly in the Compliance-Aspect. Auditing is in the foreground with support of the auditing firm and the dashboards for executives. That is only a part of the whole. If no continuous control is derived from it and no continuous addressing of the exceptions, the potential of GRC is not nearly utilized.
The operating aspects in Europe have in contrast, a much greater meaning. The methodologies as well as role management play a greater role. The risks are surely a greater complexity thereby – the advantage is however that one has an overall concept of the integration between Business and IT on the whole level.
Above all, one can generate uses in this way. Compliance is initially a classical negative force – one avoids problems and penalties. A standardized approach which is not restricted to the regulations already brings advantages because one should be more favorable in the long term than with single approaches. Besides, regulations must be managed if there is a great number of them and this process should be automated.Thus one is already in the area of control and with that in an area which brings more use. Most important is the ability to recognize deviations and to react quickly and directly – and the ability to assign much, like a substantial part of access rights automatically.
It is also not only that some auditor-demands cannot be fulfilled or can only be fulfilled with great effort, without GRC-tools. If the tools are used properly one can achieve a business-control through IT more quickly and with that also higher IT flexibility. Because if one describes and implements new requirements of business through a GRC-tool in roles and regulations and to a large extent automated to entitlements, one has moved an important step forward with business-support through IT.
This however makes clear that GRC-initiatives may not be restricted to Identity and Access Management. It is also not surprising that many manufacturers in other segments like Enterprise Content Management (ECM, earlier known as Document Management) or BSM (Business Service Management) likewise promise the solution of GRC-requirements. Finally, one must consider the topic in its entirety for which all control functions for all parts of IT are realized – with integrated concepts but definitely with different, specialized tools with sufficient depth. With the aggregated information however, everything shall come together that demands standards for exchange of roles, audit-information and guidelines as well as rules – beyond the single domains. A lot of work must be done here.
It is however clear that one needs GRC. There is no way past this because the topic is simply too important for IT and Business. It must be done properly though and may not be restricted to individual subareas. In this respect GRC is an initiative rather than a project only for the introduction of the tool.
An interesting question in connection with the discussion is however, whether the term GRC is really meaningful. The extension to GRCE (for Entitlement Management) is no real solution. Finally it has to do with business driven control and control of the IT – not only in Identity Management but also in other areas. GRC tools are therefore, in another definition, not only regarding Identity, access rights and segregation of duties, actual solutions for Business-Alignment of IT.