Late post this week – I spent the weekend on the 3 Day Breast Cancer Walk – yes my legs are sore, but I am proud to have raised $ for the cause.
I want to throw this out: that GRC itself is going through a maturing process. Let’s call the first ‘ad-hoc’ stage GRC 1.0, and the second, more ‘rationalized’ stage GRC 2.0 and the ‘optimized’ stage we are entering now, GRC 3.0.
When GRC first emerged as a concept in 2002, programs and technologies were quite basic: GRC 1.0. Manual processes supported risk and compliance analysis and reporting. Organizations had mostly weak governance and accountability models, and there was minimal adoption of automated monitoring and analysis technology for business or IT.
By about 2008, GRC had matured to a point where many processes were rationalized and partially automated: GRC 2.0. Compliance programs for key regulatory imperatives (SOX, PCI, GLBA) were in place. Basic ‘common systems of record’ and a ‘single version of the truth’ based on surveys had been implemented in many organizations. However, assessments based mostly on snapshot, conjecture-based surveys are not highly reliable. Risk management is still operating in silos and, for the most part, is not tied directly to business or regulatory requirements. As a result, minimal reduction of GRC program expenditures has been realized, because programs operate inefficiently in silos.
In 2009, a new era has begun, driven by virtualization and the maturing of controls monitoring in both business processes and the IT infrastructure. It is finally possible to begin integrating discrete GRC capabilities to provide the synergies GRC promises. This is GRC 3.0, where governance, risk and compliance programs are managed holistically for the extended, virtual enterprise and infrastructure. In this era we will see greater business and IT alignment of policy, compliance and risk appetite. All IT management processes will be supported: Business Assurance, Policy, Information Lifecycle Management, Backup, Recovery and Archiving, Resource Management, Storage, Change and Configuration, and Security Management. GRC analysis will be based on near-real-time empirical information, which is highly reliable. Risks will be manageable to acceptable levels, and organizations will be able to capitalize on new opportunities with agility, because risks will be more visible.
I think we are entering this dynamic GRC 3.0 stage now. What's your take? I believe it is all about the Seeing, Understanding and Believing concepts I covered a few weeks ago. In the upcoming weeks, we can dive more deeply into what the difference really is between GRC 2.0 and GRC 3.0 – this will help us all prepare for the transformation and ride the wave as it comes… unless, of course, you aren't convinced, in which case let's hear your thoughts :-)