What is Governance, Risk and Compliance (GRC)?
Governance, Risk Management, and Compliance or "GRC" is an increasingly recognized term that reflects a new way in which organizations can adopt an integrated approach to these three areas. Although governance, risk and compliance are separate factors, they each have significance, relevance and influence on each other.
After a two-year decline, governance, risk and compliance (GRC) spending is expected to grow to $29.8 billion in 2010, up nearly 4% over the $28.7 billion spent in 2009, according to new data from AMR Research Inc. in Boston.
"The GRC market in the U.S. took a hit in 2008 and 2009," said AMR analyst John Hagerty. "Now companies are seeing the light at the end of the tunnel."
The predicted increase returns GRC spending to its peak level of $29.9 billion in 2007, and is slightly more than the $29.4 billion spent on GRC in 2008.
The uptick in spending parallels a growing interest in GRC, a relatively new approach that aims to coordinate the people, processes and technologies involved in governance, risk management and compliance. Governance, risk and compliance inquiries were up at Forrester Research Inc., Gartner Inc. and the nonprofit Open Compliance & Ethics Group this year, according to people who cover the GRC field there.
While taking a comprehensive and risk-based approach to GRC remains a challenge, said Chris McClean, an analyst at Cambridge, Mass.-based Forrester, companies increasingly are making the organizational effort required to get a better handle on risk. "We are beginning to see a lot more interest from clients in a formal approach to risk and compliance."
The bulk of the GRC spending in 2010 -- nearly 70% -- is pegged for people and processes, rather than technology, with:
- $14 billion going to internal services, including day-to-day management and tasks across business, IT, legal and audit.
- $6.6 billion for external services, encompassing consulting, implementation and processes outsourced onshore and offshore.
- $9.2 billion for technology, including software, hardware and integration.
Frost & Sullivan estimates the number of information security professionals worldwide in 2007 to have been approximately 1.66 million. This figure is expected to increase to almost 2.7 million professionals by 2012, displaying a compound annual growth rate (CAGR) of 10% from 2007 to 2012 (see Table 1).
According to Frost & Sullivan, the Americas and EMEA regions will present higher growth opportunities for information security professionals than the Asia-Pacific region. However, organizations in both the Asia-Pacific and EMEA regions continue to develop compelling propositions to entice qualified professionals.
Why adopt GRC?
Although an integrated approach to these three areas presents many advantages, GRC is not a single business activity; it includes multiple overlapping and related activities within an organization, for example internal audit, compliance programs such as SOX, enterprise risk management (ERM), operational risk and incident management.
Risk mitigation and cost reduction are the top motivators for GRC spending.
How can eFortresses assist?
eFortresses subject matter experts help you formulate a strategy that will allow you to meet the increasing expectations of government regulators and industry. We use an integrated approach called implement-once-comply-many (IOCM). An integrated approach can form not only the basis for a safe and secure compliance program, but also the design and deployment of a comprehensive risk governance platform for both compliance and assurance.
eFortresses GRC IOCM methodology is based on a unique approach that stands alone in the security and compliance industry.
In its simplest form, IOCM is a structure for solving business and compliance problems. The structure includes a powerful methodology, specialized software, analytical methods and tools, improvement techniques and trained, capable people, all of whom are true process owners and collectively contribute to the overall management system.
The IOCM process utilizes the well-known Six Sigma phased problem-solving and process-improvement methodology called DMAIC: Define, Measure, Analyze, Improve and Control. Various tools are applied in each phase to accomplish that phase's objectives.
Define - In this phase, poorly performing and redundant areas of the business compliance program are identified and prioritized for improvement. Projects are defined and launched with well-articulated scope, problem and objective statements that have a beneficial impact, either financially or strategically, on the business.
Measure - The true process contributing to the observed undesirable and/or poor performance is identified, and the most likely contributors are determined. The process is thoroughly characterized in terms of the inputs to and the outputs of the process, the accuracy and repeatability of data used to manage the process and the identification of value- and non-value-added activities.
Analyze - This phase applies appropriate analytical tools to determine with statistical certainty which areas of the compliance process are out of sync, redundant and in need of improvement. Knowing the true causes of the problems, and their sensitivities and effects, allows for accurate improvement solutions.
Improve - Critical factors in the process are systematically reviewed to focus on the modifications and adjustments needed to achieve the desired level of performance output, and to optimize specific processes.
Control - This phase incorporates the basic tools of process control and mistake-proofing to ensure that the improved performance is maintained and sustained. This phase is also the handoff from our improvement specialist to the owners and workers within the process.
Our IOCM methodology is about people. It is about transferring new knowledge, a new way of viewing the business and a new way of thinking. It is about eliminating silos within an organization. IOCM is an improvement strategy by which we teach leaders and employees how to apply increased knowledge and capability to reduce cost, improve efficiency and subsequently improve the overall performance of the enterprise. eFortresses GRC IOCM provides that "Beacon of Light in the Sea of Confusion".