IT GRC (IT Governance, risk and compliance) is certainly yet to mature. Currently there is a lot of confusion as to what it is all about and what the subcomponents are? But it’s certainly proving to be beneficial to the organizations adapting to it. In addition to identity audit, a unified approach towards GRC increases efficiency, cost effectiveness and poses lesser risk.
IT governance is all about how decisions are made, who makes the decisions and who is to be held accountable; et al. IT risk deals with threats at every stage and in every area of the enterprise. Risk related to identity management- who has access to what, is the biggest question posed before the organization. IT compliance is about adhering to laws and regulations, primarily due to large data security and privacy requirements, like the ones demanded by financial compliance, healthcare compliance, Insurance compliance etc. Traditionally these components were dealt individually. But with IT GRC a holistic approach is gaining in popularity.
There should exist an understanding of each of the components of IT GRC and their dependencies on each other before implementation. All the three programs should run in parallel and in coordination with each other for a successful GRC program. This requires significant effort and persistence. The benefits may not be evident right away but certainly it could be felt in the long run.
After federated Identity management, it is federated IT GRC which is taking the center stage today. GRC traditionally existed in silos; all the operations functioned independent of each other. Of late there is a drive to develop a more integrated GRC strategy, which could give rise to sharing of information, risks, investigations etc. This could result in more efficiency within the system, more transparency and less wastage of resources.
Without a federated GRC different parts of the organization end up functions differently in their own direction with their respective GRC silos. For e.g.: in the financial sector various areas like credit, market, operational, legal and regulatory risks operated independent of each other. With federated GRC all these are aligned to be more efficient and manageable. Errors, inefficiencies, and potential risks like IT risk could easily be identified, managed or averted easily. This creates a better business performance by reducing risk exposure. With identity audit as well as IT governance, enterprises can function efficiently and evade most of the risks involved.
