Managing risk and compliance in today's complex and dynamic business and IT environments requires a responsive, efficient, and effective IT GRC strategy. IT organizations should implement processes and corresponding technologies that bring economies and efficiency to IT GRC, while achieving greater security and control over IT infrastructure, business operations, and extended business relationships. However, many IT GRC initiatives fail because the realm of IT GRC is diverse and its intricacies frustrate organizations. Here are a few quick tips and strategies to ensure the success of IT GRC.
Neglecting the stakeholders. IT GRC is a massive undertaking. It cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. Stakeholders include (but aren't limited to): IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance.
Not using IT GRC to facilitate mergers and acquisitions. Newly acquired companies come with their own policies, IT controls (or lack thereof), change-control processes, IT and security systems and applications, and so on. You can effectively use your IT GRC tool to perform a series of analyses to determine how their current policies, processes and practices stack up against yours, so you understand where you need to make changes, especially where you find areas of high risk.
Not integrating with your existing infrastructure. IT GRC tools should be able to consume data from your IT and security systems and applications. This integration is crucial to automating your processes.
Not assessing your organization's maturity level. Organizations that already have a strong GRC program in place are most likely to benefit from IT GRC tools. Enterprises that create well-defined corporate IT policies, follow standards such as COBIT and ISO, and have strong change-control processes are prepared to take the next step with automation.
Not keeping an eye on the top-down view. IT supports the business. A successful IT GRC initiative must be aligned with the business, particularly the enterprise GRC strategy, architecture and modules.