As people try to understand the scope of something and their place in it, eco-system definitions are often the best place to start. GRC analysts have been defining them for years, as have organizations such as OCEG (Open Ethics and Compliance Group). The problem has been that most eco-system definitions are either so abstract or so complex that it is hard to really get your arms around what they mean. And to further frustrate those on a mission to explain this sprawling space to others, including their management, analysts’ eco-system definitions invariably don’t line up.
Here’s a start at a simple model that you should be able to use to explain to – yes, other members of your family that are not in GRC. And, yes, you CAN try this at home. J
Ok, think about GRC as five layers of increasingly larger circles, which incidentally tend to reflect the size of their markets. Nice diagram here to guide you. Let’s go through these circles one by one.
Layer 1: Core GRC Management
The first layer we call GRC core functions- what the user directly interacts with for policy life cycle management, risk and compliance assessment, remediation and incident management, as well as visualization and analytics. Example companies in this space are bwise, Open Pages and Archer. In the smaller IT GRC space, examples are Agiliance, CA and Relational Security.
Layer 2: Content
The second layer is comprised of content that GRC vendors typically license or include in their products if it is freely available. Content ranges from regulations such as Sarbanes Oxley or the Payment Card Industry Data Security Standard, to best practice standards like Cobit or the ISO 27000 series, through to risk and control catalogs and training materials. Business rating firms like Moody’s, Standard and Poor’s and Dun and Bradstreet are important to measuring risk of customers and suppliers; regulations are available through sources such as the Federal Register, best practice guidance is available through many sources: the Committee of Sponsoring Organizations of the Treadway Commission (COSO), the IT Governance Institute and ISACA (Cobit), the US Government (NIST),the Information Security Forum (ISF), and the Open Compliance and Ethics Group (GRC Red Book) to name a few. Industry specific content is available as well - such as Lexus/Nexus for Legal and Complinet for Financial Services. Risk Catalogs can be procured through vendors ranging from SAS to Algorithmics, ORX, Moody’s, the Economist and idefense. Threat and vulnerability information on standards such as CVS and OVAL is available through Mitre, BITS for Financial Services, and National Institute of Standards and technology ( NIST for a wide range of helpful standards. Elearning for GRC Awareness, Quality, Security or Business Ethics courseware example vendors are Certpoint, Saba, Geolearning, Plateau Systems, SAP, Oracle and LRN.
Layer 3: GRC Supporting Technologies
The third layer is comprised of GRC supporting technologies such as ediscovery, content management, workflow and business intelligence, which increasingly provide GRC controls embedded directly in the technology itself. For example, many content management vendors now offer add-on modules for policy and records management which allow companies to manage the creation, retention and destruction of records in compliance with policy and regulatory requirements, as information moves through the its life cycle. In addition, new virtualization technologies are becoming increasingly GRC aware, ensuring that as applications, information and storage elements are virtualized, they are able to retain the attributes that keep them compliant. Examples in this space are many also I will mention a few to give you a flavor. (e)discovery (EMC’s Source One, EMC Ionix, Clearwell, Access Data), Data Loss Prevention/Content Filtering (EMC’s RSA DLP, Verdasys, Reconnex, Websense, Vericept) Content Management/Search (EMC Documentum, Autonomy) Collaboration (Sharepoint, Wikis), Workflow and BPMS (EMC, IBM, Pegasystems) Data Warehouse/Business Intelligence (Microsoft, SAP Business Objects, Cognos) Dashboards and Visualizations (all the BI vendors and other niche players such as Cordys for Mashups) and Service oriented architectures (EMC, IBM, Layer 7, Progress).
Layer 4: Business and IT Functions internal to organizations
The fourth layer describes business and IT functions that support GRC. The main business functions include Enterprise Risk Management, Performance Management, Quality Management, Audit Management, Legal and Compliance Management, Vendor Management, Project Portfolio Management Incident Management but depending on your organization there could be more, or less! IT functions include Business Continuity/Disaster Recovery, Application level controls, Change Management, Configuration Management, CMDB/Asset Management, Information Management/Governance, Records and Retention Management and of course, Information and Physical Security Management.
Layer 5: Professional Services Advisory Firms
The fifth layer describes the professional services firms that assist organizations in understanding their regulatory requirements and advise on policies, and governance and implementation of programs, controls and information technology to optimize GRC for the enterprise. These practices vary from firm to firm (PwC, E&Y, KPMG, Deloitte, Protiviti) but include Corporate Governance (Ethics, M&A), Organizational Change Management, Legal and Compliance, Audit (Internal, External), Corporate Responsibility, Sustainability, Enterprise Risk Management,(Strategic, Financial/Treasury, Geo-Political), Operational Risk Management (IT, HR, Business Continuity, Supply Chain) IT Management, IT Governance and Security Risk Management.
So, you can this GRC space is BROAD. And you probably can find yourself in there, right? It’s big. I read a report last week from 2000 claiming 8% of the US GDP was attributed to compliance activities. My bet it is more now and you are affected by this. Time to start learning a bit more about GRC….
Let us know what you think of this model – what’s missing and why it works/or doesn’t. Post a comment!