In my last blog post I spoke about IT debt and how it can hinder CIOs from moving forward in their IT transformations. A few weeks ago now I was speaking with several executives from some leading financial, healthcare and manufacturing firms at a customer roundtable and the subject of IT debt came to the forefront.

One way these organizations are reducing their IT debt and maintaining their organizations “vitality” is via the use of Governance, Risk and Compliance (GRC). GRC comes in many forms and characterized as the ability of the organization to manage risk, monitor and maintain compliancy, and regulate conformance of their organization against pre-specified requirements such as security or banking practices. There are clear benefits to implementing an effective GRC practice, including improved efficiencies in reporting and audit assessments through to the creation of a consistent framework for managing and enhanced decision making.

However, the question often comes up as to how much GRC is enough and how many industry policies do we need comply with? The executives I spoke with said, “In our organization we decide which policies are critical by answering the question: ‘will non-compliance result in a large fine or will it land the CIO in jail?’ If the answer to either of these questions is yes, then we make sure that policy is carefully monitored to ensure our compliance.”

So, given this and considering that manual GRC monitoring is costly and error prone, what are  the factors to consider when selecting a GRC tool?

1.    Integration to other parts of the IT Portfolio:  One of the core principles of effective GRC is its iterative and ongoing nature. The GRC tool you choose should facilitate linking to other parts of the IT portfolio so that all stakeholders can access GRC data and management can visibly access GRC compliance from a single location. Potential IT integration points include:

  • Project, Portfolio Management software for ongoing / day to day project maintenance and compliance.
  • Enterprise Architecture Management suites to help link GRC to application governance so that design policies that may affect compliance can be built into project plans at inception.
  • Business Service Management solutions linking operational events (such as security breaches) with the centralized GRC platform for immediate visibility and action.
  • Asset Management and Configuration Management Systems to ensure complete reporting and consistency between operational change and compliancy requirements


2.    Reporting and Analytics: GRC is designed to provide audits and compliancy management. Given this, any tool that you select should have both out of the box OOTB reports and should allow customization to meet your specific needs.

 3.    Financial Management: Some degree of financial management is a core part of a GRC solution. Financial capabilities do not have to be 100%, however they should be capable of helping you to determine the potential losses associated with non-compliancy.  For example, in order to properly assess risk, financial impact needs to be a factor in the equation.

 4.    Ease of Use:  I spoke with an industry analyst recently about a survey he did last year on GRC. He said a key factor in the selection of a GRC tool was ease of use. Ease of use is a core contributor to the success of GRC as it helps increase adoption of the tool amongst stakeholders and facilitates customization to meet specific reporting needs without the need for additional expenditure.

Given these factors, the next question becomes which tools are out there that can help you with GRC? According to the industry the tools listed below represent some of the leaders in the GRC space: 

Given all of this, while GRC is definitely not a panacea for eradicating IT debt, it is a good stake in the ground and, once in place can help ensure IT debt does not spiral out of control as long as it is viewed as  part of the “process” and not an overhead. What do you think?