Maclear specializes in enterprise governance, risk and compliance (eGRC) solutions. The IT GRC Solution integrates various business functions such as IT governance, policy management, risk management, compliance management, audit management, and incident management. It enables an automated and workflow-driven approach to managing, communicating and implementing IT policies and procedures across the enterprise.
Read More at: http://www.maclear-grc.com/
CONTENTS

Introduction ... 3
IT GRC Landscape ... 3
IT GRC Tools - Key Issues & Trends ... 4
Key Challenges ... 4
Benefits of Integrating IT GRC ... 5
IT Risk Management Framework ... 6
IT GRC Solution ... 7
IT GRC Solution - Key Features ... 7
IT GRC Framework - Implementation ... 8
360 Degree of Risk ... 8
Aggregating across IT and Security Ecosystem ... 9
Sustainability and Best Practices for Deploying IT GRC ... 9
IT GRC Automation ... 10
Conclusion ... 10
IT GRC

INTRODUCTION

2013, already being referred to as the “Year of Data Leaks”, witnessed a total of 2164 separate cases of data breaches which exposed over 822 million records. Hacking accounted for almost 60% of incidents, and over 70% of leaked records. A report by Symantec put the average cost of data breaches in 2013 between $1.1 million on the lowest end and $5.4 million on the highest. When we consider that a data security breach is just one of the many threats facing an organization, the estimated business impact of security breaches, regulatory non-compliance and lack of effective governance is staggering.

The modern organization operates in a complex, high-risk environment. At one level, it is affected by macro changes in the environment such as economic downturns, political instability and disasters. At the other level, it has to contend with unprecedented volumes of data and ensure data security and effective data validation amidst the increasing consumerization of IT, digital convergence and ever-changing compliance regulations. Organizations today are under tremendous pressure to ensure optimum governance, operational transparency and effective risk management while maintaining profitability and a competitive edge. This necessitates a comprehensive focus on IT GRC, with state-of-the-art technology-enabled solutions to create and manage the necessary governance frameworks.

This whitepaper focuses on the ways in which IT GRC can be implemented, its best practices and its key benefits for an organization.

IT GRC LANDSCAPE

Technology enablement has been at the forefront of paradigm shifts in the GRC space over the last few years. It has been proven beyond doubt that organizations that use technology to enable their GRC processes have significant advantages over others. These include a lower cost of risk management, enhanced compliance and audit controls and processes, streamlined reporting and analytics, and better risk management. It is, however, important to note the key issues faced by IT GRC and some of the recent trends in this space.
IT GRC TOOLS - KEY ISSUES & TRENDS

ISSUES
• Non-standard definition of GRC across industries - unstable future state and ability to define requirements
• Multiple and increasingly complex regulatory environments
• Legacy GRC systems are application-specific. Vendors find difficulty in generalizing their product or finding alternate uses
• Lack of maturity of enterprise GRC solutions to handle complex organization structures and data flows
• Lack of visualization and advanced dashboarding
• Lack of analytics capabilities
• Issues with gaining real-time data feeds across disparate sources
• More often than not, GRC initiatives are not driven from the top layers of leadership

TRENDS
• Rapid growth of GRC solutions as organizations realise the need for robust risk management frameworks
• Increasing technology enablement of GRC processes within the organization
• Entrance of many top technology companies into the GRC space, including through acquisitions and alliances
• Focus on performing advanced analytics and Business Intelligence in the GRC space
• Adoption of web-based solutions for GRC products, which are easily accessible and maintained
• Increasing use of Business Process Management (BPM) for GRC processes
• Robust testing mechanisms for GRC solutions, including continuous monitoring

KEY CHALLENGES

With the IT enterprise generating unprecedented volumes of data, the biggest challenge before CIOs is the effective management and analysis of information to aid the business without compromising data security. On average, at least one third of the information generated by an enterprise needs to be assessed for risk and compliance. At the same time, organizations need relevant information delivered at the right time to the right people, not only to leverage customer insights but also to maintain and deepen the organization’s edge over the competition in the market. Leveraging big data effectively and securely poses significant operational challenges in terms of IT infrastructure, governance, risk management, data quality and compliance, especially when departments work in silos.

Evolving technologies like mobility, BYOD, cloud computing, machine-to-machine communication and connected devices, and trends like social media, add to the CIO's GRC challenge. GRC processes need to be extended to the newer technologies, devices and services used by employees and the business as a whole. In fact, most CIOs today want to work towards integrating risk and compliance awareness into regular employee communication to ensure maximum data security and regulatory compliance. At the same time, organizations need to evaluate and assess the effectiveness of their data security measures.
BENEFITS OF INTEGRATING IT GRC

The biggest question in the context of a technology-enabled IT GRC solution is about the benefits it can bring to the organization. Given the elaborate and complex implementation and deployment process of IT GRC, it is important to have a clear view of the benefits offered by the IT GRC solution:
• Compliance and Controls
• Risk and Losses
• Reputation Management
• Revenue Management
• Visibility
• Transparency
• Strategic Value

The IT GRC solution benefit analysis can also be approached from a different angle, namely quantitative or qualitative benefits:

QUANTITATIVE BENEFITS

REDUCED RISK
• Ongoing risk detection and assessment
• Enhanced risk mitigation
• Assured compliance

LOWER ONGOING COSTS
• Reduced number of IT controls
• Lower headcount requirements
• Reduction in audit and external fees
• Lower IT costs

IMMEDIATE ROI
• Tight control over recommendations and action plans - process and resources
• Focus risk, compliance, audit and functional resources on the highest risks or opportunities
• Closed-loop management of issues, findings, remediation and action plans
• Greater ROI on fees for external auditors and consultants
• Lower risk of non-compliance based on audit findings and observations

QUALITATIVE BENEFITS

BETTER BUSINESS DECISIONS
• Increased risk & compliance management efficiency and effectiveness
• Year-over-year performance driven through continuous improvements
• Greater cross-organizational visibility for risk issues and compliance deficiencies
• Corporate culture stressing higher compliance awareness – reducing the need for mitigation and remediation
• Shareholder value built through better auditing and compliance practices
IT RISK MANAGEMENT FRAMEWORK

[Figure: IT risk management framework. Business Objectives sit at the centre of three domains, each with its own processes.]

RISK GOVERNANCE - IT risk management practices are deep-rooted in the organization
• Establish and maintain
• Integrate with ERM
• Make risk-aware

RISK EVALUATION - IT related risk and opportunities are proactively identified, analyzed and presented in business terminology
• Collect data
• Analyze risk
• Maintain risk profile

RISK RESPONSE - IT related risk issues handled in a cost-effective manner and aligned to business priorities
• Articulate risk
• Manage risk
• React to events
IT GRC SOLUTION

IT GRC SOLUTION - KEY FEATURES

An advanced and comprehensive enterprise-level IT GRC software solution can streamline IT GRC processes, manage risk effectively, and meet regulatory requirements. The solution enables companies to implement a formal framework to rigorously measure, mitigate, and monitor risks. It also simplifies and reduces the cost of compliance with the many regulations governing data retention, privacy, confidential information, financial accountability, and recovery from disasters.

• Business Functions - Integrates various business functions such as IT governance, policy management, risk management, compliance management, audit management, and incident management
• Governance Frameworks - Create, measure, monitor, and manage IT governance programs based on control frameworks like COBIT, ISO 27001, NIST, and ITIL
• Compliance Requirements - Access to various compliance requirements like FFIEC, PCI, FISMA, GLBA, HIPAA, NIST, and many others
• Threat Management - Standardized investigation processes to address organization-level global security threats
• Workflow - Enables an automated and workflow-driven approach to managing, communicating and implementing IT policies and procedures across the enterprise
• Process Management - Provides a mechanism for managing IT surveys, certifications, self-assessments, and audits
• IT Audit Management - Streamlines and strengthens the entire life cycle of audit management by helping to understand, measure, analyze and improve the organization’s functions and processes
• Documentation - Provides a centralized solution for storing documents related to IT risks, mitigation plans, questionnaires, checklists, assets, control definitions, and risk assessments
• Risk & Issue Management - Provides a robust issue management system for capturing and tracking IT issues, incidents, and threats, as well as implementing corrective and preventive actions (CAPA)
• KRIs - Provides well-defined key risk indicators with scope for customization, assessment results, and compliance initiatives
• Reporting - Provides dashboarding and integrated reporting capabilities including self-assessments, manual assessments, and automated control mechanisms, with built-in data analytics and IT GRC intelligence capabilities
IT GRC FRAMEWORK - IMPLEMENTATION

360 DEGREE OF RISK

There are two strategies that an organization can take when implementing an IT GRC framework. These are (1) obtaining a 360 degree view of enterprise risk, and (2) aggregating across the IT and security ecosystems in the organization.

[Figure: 360 degree view of risk. Four quadrants, each with its guiding question:]
• Business Impact - What is the likely magnitude of loss?
• Threats - What is the threat landscape?
• Vulnerabilities - How are we vulnerable?
• Risk Appetite - What is our appetite, and how does that translate into thresholds?

• Ultimate objective: risk intelligence - the right metrics for better business performance through active governance
• Threat, vulnerability and risk mean different things to different stakeholders - hence a common model and taxonomy
• Threat intelligence, incident response and crisis management - integrated, agile processes to protect against advanced persistent threats and complex attacks
• The information security ecosystem is orthogonal to IT - it is embedded in the business process
• Governance, risk and compliance management - a single repository for analytics and one version of the truth
AGGREGATING ACROSS IT AND SECURITY ECOSYSTEM

• Leverage a common GRC platform, with an asset inventory, risk and control framework and nomenclature
• Integrate with security and IT monitoring systems – provide business context for security and IT
• Leverage heat maps, KRIs and KPIs for decision support and business intelligence
• Use customized automated notifications when thresholds are breached
• Integrate tests and exercises with Business Continuity and Disaster Recovery programs
• Streamline risk management – single information model, cross-functional collaboration, multi-dimensional risk assessments

SUSTAINABILITY AND BEST PRACTICES FOR DEPLOYING IT GRC

Automation of IT GRC processes is a must-have item on most CIO wish lists today. While implementing IT GRC solutions, it is crucial to remember that no solution can be truly effective without the right monitoring systems. A comprehensive overview of the objectives for IT GRC automation, coupled with the expected deliverables and benefits against which to evaluate performance, is an effective way of implementing a sustainable, cutting-edge IT GRC platform.
IT GRC AUTOMATION

With an automated IT GRC platform, organizations can not only do away with redundancies but also reduce manual effort and thereby minimize the room for human error. It is important to have a clear picture of the desired deliverables and the expected benefits of such an automated solution:

DELIVERABLES
• Definition of a target framework to be implemented within the selected groups for both functional and IT departments
• Definition of the stepwise transformation roadmap
• Definition of a consistent target framework (process, system and norms) ensuring data quality and coherence of indicators throughout the group

BENEFITS
• Reduced non-productive time periods and optimized operational efficiency
• Substantial contribution to strategic targets and concentration on core business
• Risk and cost reduction; control and response time improvements
• Improvement of overall data integrity, homogeneity and availability
• Substantial reduction of production & reporting cycle times and costs

CONCLUSION

That the modern organization faces multiple serious threats from different quarters is an unarguable fact of business today. As risk and compliance complexities evolve and increase, it will be impossible for CIOs to ensure seamless, foolproof GRC processes unless they actively adopt a technology leadership position.

There is no denying that a solution which integrates various systems, documents risk needs and applicable remediation strategies, and provides real-time data ingestion and issue tracking mechanisms can not only serve the IT GRC needs of an organization efficiently, but also reduce costs and help drive risk-driven business decision-making.
CONTACT

Visit: www.maclear-grc.com
Email: info@maclear-grc.com
USA: +1 630 839 9214
UK: +44 203 006 2558

ABOUT US

Maclear specializes in enterprise governance, risk and compliance (eGRC) solutions. Our core capabilities cover roadmap design, solutions scoping, design & implementation, training & awareness and solutions support. Our integrated, holistic approach to eGRC helps drive efficiency, effectiveness and agility for our clients by minimizing risk and compliance threats, enabling process improvement, fostering collaboration and facilitating automation. Our client base spans industries including banking, financial services, insurance, healthcare, retail, manufacturing, education and energy. As a fast-growing company, we have earned a reputation for delivering outstanding value to our clients through the delivery of exceptional eGRC solutions and services.

About the Author

Ketan Dholakia
(Co-founder) Americas & APACJ

Ketan Dholakia is a global IT executive with in-depth knowledge of IT services and operations and 20+ years of experience establishing security and risk management solutions. Ketan’s professional services expertise and extensive experience working with large and mid-tier multinational corporations have established him as a leader in the GRC arena.

Prior to Maclear, Ketan led senior teams for Schlumberger, GTS, Zurich Financial Services, Adams Harris and Archer Technologies.