
Governance, risk and compliance – What does it all mean?

Blog-post by,

In my last blog post I spoke about IT debt and how it can hinder CIOs from moving forward in their IT transformations. A few weeks ago now I was speaking with several executives from some leading financial, healthcare and manufacturing firms at a customer roundtable and the subject of IT debt came to the forefront.

One way these organizations are reducing their IT debt and maintaining their organizations’ “vitality” is through Governance, Risk and Compliance (GRC). GRC comes in many forms and is characterized as the ability of the organization to manage risk, monitor and maintain compliance, and regulate conformance of the organization against pre-specified requirements such as security or banking practices. There are clear benefits to implementing an effective GRC practice, from improved efficiency in reporting and audit assessments through to the creation of a consistent management framework and enhanced decision making.

However, the question often comes up as to how much GRC is enough and how many industry policies we need to comply with. The executives I spoke with said, “In our organization we decide which policies are critical by answering the question: ‘will non-compliance result in a large fine or will it land the CIO in jail?’ If the answer to either of these questions is yes, then we make sure that policy is carefully monitored to ensure our compliance.”

So, given this, and considering that manual GRC monitoring is costly and error prone, what are the factors to consider when selecting a GRC tool?

1.    Integration with other parts of the IT portfolio:  One of the core principles of effective GRC is its iterative and ongoing nature. The GRC tool you choose should facilitate linking to other parts of the IT portfolio so that all stakeholders can access GRC data and management can view GRC compliance from a single location. Potential IT integration points include:

  • Project, Portfolio Management software for ongoing / day to day project maintenance and compliance.
  • Enterprise Architecture Management suites to help link GRC to application governance so that design policies that may affect compliance can be built into project plans at inception.
  • Business Service Management solutions linking operational events (such as security breaches) with the centralized GRC platform for immediate visibility and action.
  • Asset Management and Configuration Management Systems to ensure complete reporting and consistency between operational change and compliance requirements.


2.    Reporting and Analytics: GRC is designed to support audits and compliance management. Given this, any tool you select should have out-of-the-box (OOTB) reports and should allow customization to meet your specific needs.

3.    Financial Management: Some degree of financial management is a core part of a GRC solution. Financial capabilities do not have to be 100% complete, but they should be capable of helping you determine the potential losses associated with non-compliance.  For example, in order to properly assess risk, financial impact needs to be a factor in the equation.

4.    Ease of Use:  I spoke with an industry analyst recently about a survey he did last year on GRC. He said a key factor in the selection of a GRC tool was ease of use. Ease of use is a core contributor to the success of GRC as it helps increase adoption of the tool amongst stakeholders and facilitates customization to meet specific reporting needs without the need for additional expenditure.

Given these factors, the next question becomes: which tools are out there that can help you with GRC? According to the industry, the tools listed below represent some of the leaders in the GRC space:

Given all of this, while GRC is definitely not a panacea for eradicating IT debt, it is a good stake in the ground and, once in place, can help ensure IT debt does not spiral out of control, as long as it is viewed as part of the “process” and not as overhead. What do you think?


Pearl Zhu 90 Points | Fri, 08/05/2011 - 23:21

Enjoy your further thoughts, now, IT GRC converged with enterprise GRC, which means, GRC is beyond the technology options, it's more about holistic solution involving people, process and technology, not only for controlling the risking, more about frameworking the risk-intelligence Agile organization: Knowing how to mitigate the risks, also cognizant about taking the intelligent risks to help grow with manageable discipline, thanks

Genefa Murphy 39 Points | Thu, 05/10/2012 - 17:29

I like that notion Pearl of framing the risk intelligence. I liken this to the POV of some of my security colleagues, they talk about never being able to be 100% secure, instead you have to know what your risk threshold is and proactively manage that risk throughout the organization.

Clive Whittaker 7 Points | Fri, 07/29/2011 - 20:51

Dusty House Syndrome – A man knocks on your door and says he has a tool that will show you how much dust and dirt is in your house. Would you let him in?

This is what I call it when we can’t get GRC tools installed and working. It’s because no one wants the results or ownership. What are your thoughts?


Genefa Murphy 39 Points | Thu, 05/10/2012 - 17:33

I like this analogy Clive - like with "Dusty House Syndrome" the issue becomes if you leave it for too long, then the task becomes such a "project" you never want to get it done, but I have to say once you get it done you need to seize the opportunity to put some better processes in place like setting regular cleaning time. Obviously, the cost of doing this in an Enterprise is just "slightly" larger than getting a house cleaner :-)

Clive Whittaker 7 Points | Mon, 08/01/2011 - 16:52

Just that IT is too busy to police and clean up content (dust) that they should not be responsible for.

John Dodge 1535 Points | Mon, 08/01/2011 - 20:59

Ahh....who is responsible then? The owner of the data? Of course, who owns the data opens up another bottomless can of worms....

John Dodge 1535 Points | Mon, 08/01/2011 - 13:24

Clive, that's an interesting way of looking at the problem. Are you saying that IT really does not want the tools or want the tools to work because of what they'd find out? That the house has too much dirt and dust?

Andrew Weaver 1 Point | Tue, 07/19/2011 - 16:37

I think that GRC is the "dashboard" for viewing/presenting, amongst other things, the on-going cost/value of the IT debt. That is, once a business service is requested to be introduced along with its supporting applications, then the "meter" starts counting the costs for the building and execution of these applications. These costs should be aligned/mapped with the value/revenue that the business service generates for the business.

Thus, when the business requests changes, the cost of implementing these is added to the IT debt, as are the changes introduced by any of the vendors that supply components of the applications/business service. Once the business service is no longer required, then the IT debt is written off, unless some or all of the components can be reused for other business services/applications. Hence the need to maintain the majority of these components in line with their vendor's recommendations, or pay a typically much larger amount to buy a new version of the component. 

It's like buying and owning a car. You can "run it into the ground" by not maintaining it and not having it regularly serviced after which it will only deliver value/be usable for a shorter period and the value of it at the end is around $0. Alternatively you can have it regularly maintained in line with the manufacturer's recommendation, in which case it will (usually!) last much longer and be worth more when you come to sell it. That is if you do maintain the car, it will deliver more value over a longer period than otherwise is the case, which is the same with applications.  

Thus, if the business service is only intended to be in use for a short period of time, then the associated IT debt can easily be minimised accordingly. If however it is intended for use over an extended period (as is usually the case), then the IT debt will accrue over time and must be associated with the business service so that the rest of the enterprise can see the actual costs for running that business service and thus compare these with the revenue/value that it generates. This includes choosing components that can be reused to maximise their ROI.

What do you think?


John Dodge 1535 Points | Tue, 07/19/2011 - 18:39

Hi Andrew and welcome to the Enterprise CIO Forum. How does traditional chargeback factor into the cost/value of IT debt?

Andrew Weaver 1 Point | Fri, 07/22/2011 - 14:01

I would say that the traditional chargeback is a way for the business/enterprise to pay off (some of) its IT debt. That is, the majority of debt incurred by IT is actually on behalf of/at the behest of the rest of the business/enterprise.

Clive Whittaker 7 Points | Fri, 07/29/2011 - 20:41

I had the chargeback discussion with a CFO and he said that all the charges come to him anyway, why would he want to see another 30 line items.

Jorge Amaro 0 Points | Tue, 07/05/2011 - 19:00

Hello Genefa and Joel,

It looks like the folks that Genefa has spoken with base their responses depending on where they sit on the risk aversion continuum.  As Joel pointed out, ethics should play a strong role in GRC positions. 

ISO defines governance as "... evaluating, directing, and monitoring use of IT within the organization..." (ISO excerpt).  Here are some of my thoughts.  Governance is a reflection of "how I control."  Risk is about the "impact of my decisions".  Compliance is about "how the world sees me."

Governance (How I control): I have come to learn that I cannot control or change anyone except myself.  What I can do is create an attractive,  compelling, and secure environment that people choose to be a part of.  So I use tools like policies and procedures to weave together the boundaries and controls for said environment.  The crafted environment must be aligned with the business goals and objectives.  Personally, I try to keep it simple.  The amount of data generated by some of the tools mentioned is, in my opinion, distracting.  I try to limit the amount of data I review from these tools.  My suggestion is to keep your scorecard and dashboard metrics connected to the business by using a strategy map.  This has helped me to manage my portfolio of systems and projects. I can see trends, highlight areas where course corrections are required and manage costs using these tools.   

Risk (Impact of my decisions):  As chief executives we all must ask the tough questions.  I think that the "what happens if we do not comply" question should and must be asked.  To an ethical business executive the answer to this question often helps to drive the organization towards compliance.  Now to us as CIO's, the answer to this question will often surface opportunities to enhance and strengthen our product/service offering.  We should ask this question not because we are contemplating getting caught or not, but to see where we may have gaps or where innovation can make a tangible difference.  In this manner we don't direct action based on fear (one side of the risk aversion continuum) or arrogance (other side of risk aversion continuum).  We can evaluate, direct, and monitor action using facts derived from the answers to tough questions. The latter speaks to the impact of my executive decisions which also speaks to how I manage risk.    

Compliance (How the world sees me): I must start by saying that I grew up in the Pharma and BioTech industries and have personally seen the good, bad and the ugly as it relates to regulatory compliance.  Also, I recently led the IT organization for DaVita Labs (DaVita is a Fortune 500 Healthcare company in the Dialysis market)  which also has many regulatory bodies requiring compliance.  As an IT executive within these industries the question regarding the cost of compliance is a part of almost every initiative embarked upon.  Instead of treating this question as a struggle where the intangible and unquantifiable become a philosophical debate I use this as an opportunity to influence from the outside in; i.e., regulatory bodies will view my organization in a certain way based on my decisions regarding regulatory compliance.  As Joel mentioned in his response, this should not be about "getting caught".  I view it as an opportunity to positively influence a strong (and true) public image.  This approach does take time and the commitment of a team committed to the long term gains.  In my opinion, compliance is good IT business.

Genefa Murphy 39 Points | Wed, 07/06/2011 - 21:12

Hey Jorge,

Thanks for your comments, I agree with you that compliance and a balanced approach to GRC is good business. However, I know that a lot of customers struggle with this. In addition to the comments made do you have some best practices based on your experiences for helping to get the buy in of the business and the relevant stakeholders to make GRC part of the enterprise DNA on an ongoing basis (I know if it’s in the DNA it should be native and ongoing in nature)?



Jorge Amaro 0 Points | Tue, 07/12/2011 - 16:56

Sure. Here are a couple of tips:

a) Partner with the sales/marketing group to ensure your organization communicates GRC as a key competitive advantage.  When the sales team begins to close sales using GRC language then your CFO and CEO will start speaking the language as well. For some industries GRC is just the cost of entry to do business however, I have found that educating the sales/marketing group with these concepts goes a long way to institutionalizing the concept throughout the organization. 

b) Use GRC metrics in everyday conversation. Monthly updates are not enough.  Speak about the GRC metrics at all levels, every day.  One example is to pick a positive trend and a negative marker and share both in conversation with people you speak with on a daily basis.  This creates awareness and serves to focus employees. Be careful not to pick too many metrics and markers; employees can become confused.

I would love to hear other examples and tips as well.




Joel Dobbs 339 Points | Sun, 07/03/2011 - 20:15

Interesting thoughts.  Thanks for this post.

One quote caught my attention.  The statement, “In our organization we decide which policies are critical by answering the question: ‘will non-compliance result in a large fine or will it land the CIO in jail?’ If the answer to either of these questions is yes, then we make sure that policy is carefully monitored to ensure our compliance.” should be profoundly disturbing to any corporate compliance officer or student of ethics. What troubles me is how little some of our profession have learned from the legal and ethical disasters of the past.   Basically this statement says, " Don't get caught."  Instead of focusing on the potential consequences of getting caught one should first ask "What is the right thing to do?"

For several years the Harvard Business School struggled with teaching ethics.  They basically took a pragmatic approach that said "Don't do anything you wouldn't want to read about in the newspaper."  The implication again is don't get caught.  Looking at the current state of business ethics we can see where this takes us.  Arrogant people always believe that they are too smart to be caught, and there are plenty of arrogant people in leadership positions in business! I once worked for a company that found itself deep in legal trouble because the CEO and a few of his lieutenants thought that they could outsmart the agency that regulated our business.  They were wrong and the consequences almost destroyed the company.

Someone once defined character as "Who you are when no one is looking."  I would hope, perhaps naively,  that these folks you spoke with would be asking these three questions when assessing issues of compliance and ethics: 

1. Is it legal?

2. Is it moral?

3. Is it ethical?

I sometimes challenge people who are questioning whether or not to do something with taking the "Momma test."  Basically, would you tell Momma about this (I'm southern so Momma is used in place of mother!).  If you wouldn't be comfortable telling your mother, don't do it.

The real question is not the consequences of getting caught (you probably eventually will) , the question is should you do it in the first place.

Genefa Murphy 39 Points | Wed, 07/06/2011 - 21:07

Hi Joel,

Well I think that statement should be taken with a pinch of salt and I can assure you the folks I spoke with all had quite comprehensive GRC practices within their organizations, in particular those in healthcare, understandably.

However, saying that I do like your statement that we should ask the question “what would you do if no one is looking” – you are correct that on many occasions individuals can get caught up in either addressing the bottom line and or think they are invincible and this does not make for a good leader. Instead, we should look at the question: In not doing X (or in fact doing X) what is the risk to our business, qualitative or quantitative.

Thanks for posting Joel


John Dodge 1535 Points | Thu, 07/07/2011 - 13:53

I think over time, seasoned and lasting managers (a CIO is a manager, after all) learn that you treat people the way you want to be treated (karma). That usually works, but not always. For instance, I was a pretty aggressive news editor when it came to getting the story first during my run at PC Week. I probably did a few borderline unethical things in the name of finding the truth or the story before the vendor wanted to tell it. We went through waste baskets and dumpsters, hounded sources and maybe followed people around. We were constantly fed confidential docs, mostly about unannounced products and future strategy....pretty tame stuff, actually....and our IT readership loved us for it.

I did have a reporter who misidentified himself to a computer company. The vendor saw through this ploy and called me to complain. I believed and backed the reporter. Years later, I found out he had lied to me. I had always wondered how he got scoops so easily....I suspect he did this more than once, thinking no one was looking. And reporters who got the story were well-rewarded in the PC Week newsroom. Those who didn't were encouraged to move on.





John Dodge 1535 Points | Mon, 07/04/2011 - 16:26

Joel, You always do such a nice job boiling these issues down to basic values and not cutting corners. What are some the typical unethical things (if such things are typical) that CIOs do. Where do they cut corners in this regard?

Joel Dobbs 339 Points | Tue, 07/05/2011 - 17:12

I don't think that CIOs as a group are really much different from other senior business leaders in their ethical weaknesses.  We are all subject to the temptations and corruptions that any position of power brings. Having said that, some of the worst behavior that I have seen among CIOs has been in the negotiation and enforcement of contracts.  Applying the "Golden Rule" in these situations goes a long way towards cementing strong working relationships with vendors and suppliers.  In fact, I believe that one of the reasons so many IT deals go sour is that the relationships needed for a successful long term collaboration never develop because of the adversarial approach so many senior IT folks take in negotiations.  There is nothing wrong with driving a hard bargain in negotiations but one can do this without resorting to rude, deceptive and unprofessional behavior, something I have unfortunately seen too frequently.  

I believe that arrogance and abuse of power are at the heart of most unethical behavior.  In the example cited in this blog post the individuals are making a choice as to which policies (or perhaps rules or laws) should be followed based on the consequences of getting caught. By default that means that the choice is being made to be less diligent in following other rules and laws, or perhaps not following them at all.  That is hubris! The problem, as most do, starts small but rapidly grows.  Where this attitude ultimately leads is to the belief that one is above the law.  We see this in politics and in business all the time. A healthy dose of humility is the best antidote.

John Dodge 1535 Points | Tue, 07/05/2011 - 17:19

It would seem that the CIO who is heavy-handed with suppliers might be feeling the pressure from elsewhere within his or her organization, no? Feeling the heat, so to speak, to come in on a number or certain performance thresholds. A good post might be how you balance all the demands and pressures of work with maintaining ethics and civility. We are human, after all.

Again, your advice really applies to how you treat everyone...and it's good to hear it.

Pearl Zhu 90 Points | Sat, 07/02/2011 - 17:22

Hi, Genefa, thanks for the great blog, specifically focusing on the GRC, and top 5 criteria to evaluate the vendors. However the vendors you recommended here are more like niche players, than the largest IT players that may have very enriched IT portfolio, what's the pros and cons when selecting the niche players or the big player? Also, when you pointed out the finance management or analytics capability, and even integration, make me think about BI, any potential to integrate GRC as part of BI solutions? thanks

Genefa Murphy 39 Points | Wed, 07/06/2011 - 22:07

Hi Pearl,

So yes, the players I mentioned here are niche (though strong), and as you correctly mention a lot of the major IT companies do have elements of GRC embedded into their software offerings. When it comes to the pros vs. cons the value of going with a niche vendor is (obvious as it sounds) that they are very focused and they will likely be able to provide you the Rolls Royce of GRC solutions with the latest and greatest policies, analytics and techniques for calculating your risk score (not only functionally but also in the shape of advisory services). On the other hand, depending on the size of the vendor, they may not be able to adequately support your enterprise needs rendering the functionality near useless. Now taking the “big vendors”, the main issue I always see with those big vendors who often embed GRC into other parts of their portfolio or actually I should say vendors who are not “committed” to a discipline such as GRC is that it could result in you having to take 2nd place in the demand for new functionality with whichever solution they determine as their core solution. In addition to this there may not be the expertise available to help you with implementations, best practices etc which could lead to delays and a lack of value for money.

However, as I said in my post I do believe there is value in having an integrated solution for GRC so maybe a vendor which embeds GRC into their adjacent portfolio solutions such as Project Management, Portfolio Governance etc is a good thing and could actually help stakeholder adoption.  

To your last point on the relationship with BI – I think this is a good adjacency for GRC as one of the cores of GRC is an ability to aggregate and analyze information from across an organization to enhance and assist decision making, and it is essential that the data used to make these decisions is accurate, verifiable and from reliable sources – BI is the perfect facilitator for this.

Clive Whittaker 7 Points | Wed, 06/29/2011 - 18:39

Sharing responsibility with department heads is at the top of my agenda when discussing GRC with CIOs. Showing department heads who has access to their data and what is being done with it makes them responsible for the data kept on file shares and not the CIO. I have seen some horrific access and abuse of rights to unstructured data. Symantec Data Insight is my go-to product and comes with some nice DLP add-ons.

The second item is data retention: why should a CIO be responsible for data that the corporation should not keep?

John Dodge 1535 Points | Thu, 06/30/2011 - 14:01

Hi Clive and welcome to the Enterprise CIO Forum. Can you give some examples of horrific access and rights abuses? Do you think the CIO should be completely off the hook for data integrity? Thanks...JD 

Clive Whittaker 7 Points | Thu, 06/30/2011 - 14:56

John, Active Directory has the dreaded Everyone group and I have seen full access by the Everyone group applied to every file share with full read, write and modify. An engineer came in on a Saturday and copied the whole Engineering file share that included future designs; he was leaving the company on Monday. Employees having access to HR payroll, SSN numbers, and someone in the Warehouse group was looking at HR every month. Permissions to unstructured data are a big problem.

The CIO is not completely off the hook but has tools to share responsibility with department heads. A good topic would be the roles and responsibilities of the 2011 CIO.
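A defender's check for the misconfiguration Clive describes, added here as an example and not part of the original thread or of any product mentioned in it. The script enumerates the NTFS ACL on each share root and reports every Allow entry granted to a broad principal such as Everyone, marking entries that carry write, delete or permission-change rights as high severity and read-only grants as medium (a read-only Everyone grant is exactly what lets a departing employee copy an entire share). The UNC paths and the output file name are constructed placeholders; the set of "broad" principals is an assumption you should adjust to your domain.

```powershell
# Added example (not from the original thread): report broad "Everyone"-style
# grants on file shares so the data owner (department head) can review them.
$SharePaths = @('\\fileserver\Engineering', '\\fileserver\HR')   # placeholder UNC paths
$BroadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')  # assumed list

# Rights that allow changing or removing data, or rewriting the ACL itself.
$WriteMask = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::AppendData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership

function Get-BroadAccessFindings {
    param([string[]]$Paths, [string[]]$Principals)
    foreach ($path in $Paths) {
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            Write-Warning "Cannot read ACL on ${path}: $($_.Exception.Message)"
            continue
        }
        foreach ($ace in $acl.Access) {
            # Only Allow entries expose data; Deny entries are not findings.
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
            $canWrite = (($ace.FileSystemRights -band $WriteMask) -ne 0)
            [pscustomobject]@{
                Path      = $path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Severity  = if ($canWrite) { 'High (write/modify)' } else { 'Medium (read)' }
            }
        }
    }
}

$findings = Get-BroadAccessFindings -Paths $SharePaths -Principals $BroadPrincipals
$findings | Sort-Object Severity, Path | Format-Table -AutoSize
# One CSV per run, to hand to the department heads who own the data.
$findings | Export-Csv -Path '.\broad-share-access.csv' -NoTypeInformation
```

The script only reads and reports; it changes nothing. It inspects the share root only, so to cover a whole tree feed it the output of `Get-ChildItem -Directory -Recurse` instead of the root paths, and it needs to run under an account that can read the ACLs it inspects. The remediation decision (replace Everyone with a department group, or accept the exposure) belongs to the data owner, which is the point of Clive's argument about sharing responsibility.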

Genefa Murphy 39 Points | Sat, 07/02/2011 - 02:00

That’s a great point you make Clive. Data equals dollars in my book – from how we protect data to ensure that it doesn’t lead to costly incidents such as the one you described, to how we leverage data and analytics to make sound decisions.  In fact I think John actually did a blog on the importance of data security or at least the need to highlight data security here on the Enterprise CIO forum.  Furthermore, as you suggest getting buy in from the department heads is key not only to effective GRC but also a successful Enterprise Architectural Management approach which in turn is a good enabler of GRC.

John Dodge 1535 Points | Thu, 06/30/2011 - 14:59

That's a great discussion topic, Clive. I just posted the question as a Quick Post. Please weigh in...