Written by Luis Gorgona
on August 06, 2020

First, welcome to our new weekly column. I am thrilled to have a way to share ideas about Governance Risk and Compliance to all our community. The objective of this effort is to give you a weekly article with a subject related to this matter that, hopefully will challenge your thinking and give you ideas about how to deal with this important set of functions.

Let’s start by defining what we are talking about. When we talk about Governance, Risk and Compliance (GRC), we need to consider three things:

  • A strategy for managing security governance,
  • A methodology for managing enterprise risk, and
  • A framework to demonstrate compliance with industry or country regulations.

We can say that Governance, Risk and Compliance is the foundation for aligning IT objectives with business objectives, by performing effective risk management while taking compliance requirements into account.

Many benefits come with the implementation of a GRC strategy:
  • An improved decision-making process.
  • Optimization of IT investment.
  • A holistic approach to risk, which allows decisions to be based on objectively measured risk.
  • “One single voice” to employees, auditors and regulators.
  • Support for collaboration across the organization and more efficient execution of activities.
  • Efficient coordination of activities, which lowers cost for the organization.
  • Changes in regulations handled in a much more effective and cost-conscious way.

GRC is a term that originated during the 2000’s financial crisis. Studies of that crisis determined that a lack of appropriate controls and a lack of proper auditing resulted in poor information reaching stakeholders, and subsequently in poor decision-making. The need for a model that involves the implementation of IT controls and the proper auditing of those controls drove the creation of frameworks that view risk holistically and support competent decision-making.

Frameworks like COSO®, COBIT® and ITIL® constitute excellent bodies of knowledge for IT governance. Regarding risk, we can turn to the NIST Cybersecurity Framework, Risk IT® from ISACA®, SANS® CSC-20 and, of course, the ISO 31000 series. Compliance is defined by specific industry verticals or by country/region regulations.

Over the next few columns, we will analyse several GRC frameworks and provide tips on compliance, tools and insights based on our experience in the field. We hope to receive your feedback so that we can build a better-secured environment for all. Once again, thank you for supporting this effort.
