What’s Changing in the Approach to IT GRC?
Steven Minsky | Dec. 29, 2015
Increasing cyber-hazards have been accompanied by another trend: Governance, Risk Management, and Compliance focused on IT (referred to as IT GRC) is changing. More and more organizations are turning to a risk-based approach.
Traditionally, IT GRC comprises a variety of underlying functions. These functions include:
- IT Asset Management, commonly used to inventory servers, computers, and other technology hardware;
- IT Risk Management, including the identification and assessment of vulnerabilities and threats;
- IT Application Management, used to track updates, complete performance reviews, and maintain security; and
- Compliance, which keeps the organization aligned with the standards and requirements that apply to IT and the risks those requirements address.
What’s wrong with IT GRC?
The problem with a "siloed" IT GRC reporting approach, where each component receives an independent allocation of resources, is that it often causes a communication breakdown. When departments aren't fully in touch with one another, they risk both ineffectiveness and redundancy.
For this reason, there has been a shift in the market. Organizations looking to increase both effectiveness and efficiency are beginning to see risk as the common denominator. Viewing IT GRC through a "risk-based lens," the lens that ERM software provides, allows risk managers to adopt a uniform process with standardized language, requirements, and scales.
A risk-based approach to IT Governance, Risk, and Compliance allows organizations to prioritize across technology functions and determine which areas need greater assurance. The reflex for most organizations in the current IT environment is to increase spending on monitoring tools, but that strategy has created more gaps than it has closed, and studies confirm that this inefficient way of allocating resources is losing the risk-reward tradeoff and dampening revenue.
Such an approach can help determine where money on IT security tools is spent most effectively, and it cuts down on interdepartmental overlap by centralizing the monitoring and testing functions. Most components of IT GRC have common or related elements, meaning certain resources and information are relevant to more than one stakeholder. Fostering communication of that risk-related information enables a single IT governance and security process that is easier to monitor, costs less to maintain, and reduces liability arising from human error.