Governance, risk, and compliance typically gets abbreviated as GRC, not just for convenience but because it sounds much less intimidating. Yet however you choose to say it, GRC can play a major part in aligning IT with business goals and keeping organizational risk under control. In an article for CIO.com, Kim Lindros provides an easy explanation for what GRC is and how you can use it for better IT governance.
Defining GRC requires breaking it back down into its component parts. Governance is (among other things) the management of IT operations to further business goals. Risk refers to any organizational risk that can be mitigated—or any opportunity that can be exploited—to make it easier to achieve business goals. And compliance refers to ensuring that all activities and procedures abide by the law and by other regulations the business has put in place. In IT, that particularly means ensuring all systems and data are properly secured.
As for how GRC actually works, Lindros explains it like this:
… organizations develop a GRC framework for the leadership, organization and operation of the organization’s IT areas to ensure that they support and enable the organization’s strategic objectives. The framework specifies clearly defined measurables that shine a light on the effectiveness of an organization’s GRC efforts. …
Many organizations consult a framework for guidance in developing and refining their GRC functions rather than creating one from scratch. Frameworks and standards provide building blocks that organizations can tailor to their environment. According to [Joanna Grama, director of cybersecurity and IT GRC programs for EDUCAUSE], COBIT, COSO and ITIL are the big players in many different industries.
For a GRC implementation to be successful, it must be championed by executives who really believe in it. Additionally, many pertinent certifications exist for professionals interested in GRC. These include Certified in Risk and Information Systems Control (CRISC), Certified in the Governance of Enterprise IT (CGEIT), and Project Management Institute – Risk Management Professional (PMI-RMP).
Several great solutions for governance and GRC exist, so do your homework on who might be able to help your business take its IT operations to a higher level. You can view the original article here: http://cio.com/article/3206607/compliance/what-is-grc-and-why-do-you-need-it.html