Governance, Risk and Compliance (GRC), as most of you might know, is more than a catchy acronym used by IT and security professionals; it is an approach or framework that an organization adopts to ensure proper management and control.
The broader term Governance calls for a better way of managing the business, which includes protection of the assets of the organization (information being one such asset) and sustainability of the organization irrespective of the business or economic climate. Risks are the unforeseen events or forces which could potentially have a severe impact on the overall performance of the organization. Better Governance cannot be achieved without a good risk management program in place. The risk appetite of an organization should be known to the stakeholders who manage or control the risks, so that the risk exposure stays well within the risk appetite. The term Compliance denotes the organization’s approach to complying with the legislative requirements of the different countries in which it operates and also with its social commitments.
GRC exists at different levels; for instance, Governance could exist at the corporate level, the project level or the sub-organization level. While the goals of GRC at the various levels will be the same, the means or techniques used to achieve them vary.
As one can observe, these three terms are inter-related, and for that reason there is a need to have a 360-degree view of all three together. GRC aligns the various components of the enterprise (processes, employees, systems and partners) to be more efficient and more manageable, leading to better business performance.
An organization is primarily comprised of People, Processes and Technology. The technology domain in turn is made up of Data, Applications and Infrastructure. The corporate GRC goals can be met when these components are aligned to meet their respective goals.
Much of the risk that today’s organization is battling with is around the Data and Applications used within and outside the organization. IT Architects in turn play an important role in designing the solutions involving data, applications and infrastructure. Thus it is important for the IT Architect that the solution design process is aligned to the GRC framework of the organization.
The Information Systems Audit and Control Association (ISACA) has recently released COBIT 5, which helps organizations get more value from both information and technology investments. By addressing Governance, COBIT 5 helps maximize the trust in, and value from, the organization’s information and technology. Let us go over some of the questions the stakeholders would raise in the governance and management context of enterprise IT and see how they are relevant to IT Architects.
How do I get value from the use of IT? Are end users satisfied with the quality of IT?
IT investments are about enabling business changes and are expected to bring enormous value to the business. But 2 out of 10 enterprise IT projects are outright failures. Keeping a focus on value delivery from the proposal stage until delivery of the solution is likely to improve the chances of success. Architects should establish the business value that the solution could bring, so that the stakeholders can make an informed decision on whether to go ahead with the investment or not.
The perceived value of IT investments also depends on user satisfaction with the service delivered using the solution. Usability should not be ignored by the Architects for any reason; to achieve this, the Architect should collaborate with the target end users on a continuous basis to solicit and elicit feedback.
How do I manage the performance of IT?
As businesses depend heavily on IT, the performance of IT to the satisfaction of the business is important. Among various other reasons, poor or sub-optimal solution design is a major cause of IT non-performance. Here again, IT Architects have an opportunity to factor in the best design practices and the ability to generate appropriate metrics, so that each of the IT services can be measured and monitored in terms of its performance.
How do I best exploit new technology for new strategic
opportunities?
Information Technology is advancing at a faster pace, and trends are shifting frequently. Newer tools and technology frameworks that come into the market make enabling business changes easier and easier. At the same time, this calls for people to master the related skills. The Architects have to do a balancing act: not missing the opportunities that newer technology and tools have to offer, while at the same time not putting the business at risk by taking on such changes so early that the skills to manage them are hard to get. Many a time, exploiting new technology ahead of the competition can spur business growth.
How dependent am I on external providers? How well are IT
outsourcing agreements being managed? How do I obtain assurance over external
providers?
Organizations are embracing the cloud and have started looking at SaaS applications, as these offer a higher degree of flexibility in terms of investment and in terms of capabilities. This is happening even though there exist quite a few security and other compliance concerns that the industry is still trying to address. The resulting engagement of more external vendors calls for a well-drafted SLA, which should be in line with the security and regulatory compliance needs of the organization. A careful evaluation of the product and the vendor is essential, as engaging a vendor does not absolve the organization of its compliance obligations.
What are the control requirements for information?
Information and data as assets are gaining significance, and in the next few years the ability to control and manage large volumes of data from discrete sources in an efficient and effective manner will be sought by almost all organizations. At the same time, data breaches are on the rise and the information security practice is drawing considerable attention from CIOs. It is time that CIOs or CSOs put in place an Information Governance program, identifying and classifying sensitive data and information and defining the control requirements around them. This will require all the applications to be designed appropriately so that these control requirements are implemented.
Did I address all IT-related risk?
Risk is one of the important areas to be managed well in order to minimize uncertainty and the associated impact on the business. Risk Management has to be practiced at every level, including IT Architecture. IT Architects should start risk management right from the proposal stage, through delivery and even after that. A lack of risk management skill amongst the Architects could itself be a risk.
Am I running an efficient and resilient IT operation?
With its high dependence on IT, today’s enterprise needs an efficient, effective, secure and resilient IT infrastructure for its survival and success. This requires the sub-systems of IT to perform well and at the same time to be architected in such a way that they are flexible enough to accommodate changes. The Architects should always be willing to embrace change and make sure that the solutions they design are receptive to such changes.
How do I control the cost of IT? How do I use IT resources
in the most effective and efficient manner? What are the most effective and
efficient sourcing options?
The Architects who design IT solutions are not usually constrained by a budget, which is why in most cases the solutions designed are not necessarily cost-efficient ones. Ideally, the Architecture team should adopt better budgeting and estimation techniques and should be able to quantify the capital and operational costs, which allows the stakeholders to take informed decisions.
Do I have enough people for IT? How do I develop and
maintain their skills, and how do I manage their performance?
Choosing the right tools and technology should also mean ensuring the availability of people to manage and support them. Architects sometimes get carried away by the features and abilities of such tools, or are influenced by vendors, and eventually end up in a situation where huge costs are incurred in finding skilled people and retaining them. Architects should seriously consider the talent available in-house and the availability of such skills in the market on demand while making such choices.
How do I get assurance over IT?
Quite often, IT is pulled in to diagnose the problem of an application crashing. Teams such as developers, Architects, network engineers, hardware engineers, etc. come together to troubleshoot the problem and come up with corrective and preventive actions. Every such instance reveals a new root cause, and the teams keep learning from such outages. But what the end user community wants is a stable and reliable system which the business can depend on. While it is hard to rule out outages, there should be processes in place which help reduce downtime. Systems should be designed to log the information necessary for troubleshooting, to raise alerts upon encountering exceptional conditions, and to factor in redundancy in hardware and software components. Periodic audits and reviews should be carried out to ensure that the recovery measures put in place are working.
Is the information I am processing well secured?
With cyber security crimes on the rise, organizations are investing heavily in securing the data and information assets that are stored within and outside the organization. IT Security should be one of the key non-functional requirements that Architects consider while designing solutions. The significance of security needs could vary based on the nature of the organization’s business and the information being processed or stored. Many countries have enacted legislation on security requirements for specific industries and specific classes of data, which must be complied with without exception. Here again, periodic audits and reviews would help assure the stakeholders about the level of IT security.
How do I improve business agility through a more flexible IT
environment?
Agility is key to quickly turning business changes around into solutions. Flexible IT enables organizations to quickly capitalize on new opportunities, to innovate and to get ahead of the competition. This saves time and increases efficiency. Some of the key evaluation or design criteria to make this happen are: shared or outsourced infrastructure, the ability to scale up and scale out, reduced complexity, continuous data and application availability, built-in efficiency within every component, etc.
The above is not an exhaustive list of what Architects need to take care of. Most of the above would be addressed if one follows best design practices, considering all of the undocumented abilities (scalability, availability, maintainability, usability, etc.) required of the solutions and applying the right design patterns.
Reference: COBIT 5, published by ISACA; COBIT 5 and GRC.