• Neglecting the stakeholders. IT GRC is a massive undertaking. It cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. Stakeholders include (but aren't limited to): IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance. 
   
• Not using IT GRC to facilitate mergers and acquisitions. Newly acquired companies come with their own policies, IT controls (or lack thereof), change-control processes, IT and security systems and applications, and so on. You can effectively use your IT GRC tool to perform a series of analyses to determine how their current policies, processes and practices stack up against yours, so you understand where you need to make changes, especially where you find areas of high risk. 
   
• Not integrating with your existing infrastructure. IT GRC tools should be able to consume data from your IT and security systems and applications. This integration is crucial to automating your processes. 
   
• Not assessing your organization's maturity level. Organizations that already have a strong, GRC program in place are most likely to benefit from IT GRC tools. Enterprises that create well-defined corporate IT policies, follow standards such as Cobit and ISO, and have strong change-control processes are prepared to take the next step with automation. 
   
• Not keeping an eye on the top down view. IT supports the business. A successful IT GRC initiative must be aligned with the business, particularly enterprise GRC strategy, architecture and modules.

To know how MetricStream's IT GRC solution is helping organizations worldwide to succeed, 
visit: www.metricstream.com/solutions/it_grc.htm

Sources: www.csoonline.com