Risky Business: An Intro to GRC (and GRC Certification) for IT Pros


What is GRC? It stands for Governance, Risk Management, and Compliance, and it's the high-level term used to refer to the framework and activities related to those three disciplines.


GRC impacts several different levels of an organization, including information technology infrastructure. IT-related GRC is itself a major undertaking for any organization, one that is made up of several different job roles and skill sets.


How did GRC become an IT concern? It happened gradually as technology slowly merged with the processes and tasks employed to run organizations. It wasn't long before IT became indivisible from most internal activities. The adoption of information technology forced organizations to integrate it into the core disciplines of governance, risk management, and compliance.


Thankfully, this evolution wasn't a one-way street. Information technology brought new tools for managing and improving GRC functions, making it easier for large organizations to keep these activities on track.


Governance

As you would expect from the root word "govern," governance is the sum of the activities and processes that go into managing a given system. In a corporation, governance involves the systems used to collect and deliver strategic information to senior leaders, and then to implement their business decisions by assigning the necessary tasks to employees.


IT governance is much the same, except at a more specialized scale. IT governance involves ensuring that IT department decisions support the higher-level goals of the organization as expressed by owners and senior leaders. In this case, governance is managed by IT senior managers and possibly one or more executives.


If an organization has a Chief Information Officer (CIO), you can bet that they are highly involved in IT governance planning and execution.


Risk Management


Famed test pilot Chuck Yeager once said, "No risk is too great to prevent the necessary job from getting done." Most managers would agree with Chuck, but with the following caveat: No risk is too great as long as the risk is managed.


Risk management is just how it sounds — identifying potential and existing risks, analyzing their impact, and taking steps to control or eliminate them. IT risk management is no different, although it places a departmental boundary on the risks which have to be sought out and dealt with.


Managing risks usually involves one of three practical courses of action:


- Controlling the risk.
- Avoiding the risk.
- Accepting the risk.


The course of action chosen depends on many variables, including the potential severity of a risk, the costs associated with a risk, and whether a risk is a one-time happening or a recurring event.


It's easy to see how governance and risk management are linked. Senior leaders need to receive information from IT managers concerning risks, and then make decisions about what actions should be taken.


Compliance

If you've ever played the board game Monopoly with someone who is a "rules lawyer," then you have undoubtedly experienced compliance issues firsthand.


In the business and government world, compliance consists of the systems and activities used to ensure that the rules are followed. These rules may consist of laws, industry regulations, client requirements, or contractual obligations. Compliance can also involve following an internal code of conduct or production policy.


One of the biggest IT-related compliance issues found in the business world today concerns the privacy of information. Anyone who has ever received a call from an online merchant, healthcare office, or financial institution telling them that their confidential personal information has somehow been leaked or stolen knows firsthand what can happen when IT compliance controls fail.


GRC and IT Pros


IT professionals are heavily invested in GRC activities, whether they are performing required tasks, or actively designing and building the information systems used to operate and manage GRC programs.


When it comes to governance, IT managers need to ensure that their departments are supporting the top-level goals of the organization. This includes items like proper management of capital expenses, or making sure that new IT systems will support the strategic goal of expanding into new markets, or offering new products and services to existing clients.


IT's relationship with governance also includes the building and support of governance-related tools and systems. Reporting is a major function of governance, as are electronic forms which capture decisions and regulate chains of approval.


Risk management and IT are practically Siamese twins. There are plenty of dedicated software tools used to discover risks, perform risk analyses, and track the maintenance of known risks.


On the flip side, IT departments have to be aware of the risk associated with their own systems and activities. IT risk management is strongly tied to other like-minded disciplines such as disaster recovery and business continuity.


Compliance has the same dual relationship with IT as risk management and governance. IT managers must ensure that the systems they're responsible for are fully compliant with any relevant laws, industry standards, or internal policies.


And, much like governance, IT plays a role in the tracking and reporting of compliance activities within an organization.


GRC Certifications



There are a significant number of industry certifications related to GRC. Here are some of the popular programs IT pros can choose from:


Certified in Risk and Information Systems Control (CRISC)


The CRISC certification from the industry association ISACA is one of the foremost designations for risk management practitioners. Launched in 2010, the CRISC certification has been awarded to more than 20,000 IT professionals (ISACA announced that milestone May 12), which has significantly raised its profile in the industry.


GRC Professional (GRCP)


The GRCP program is operated by OCEG, a group founded in 2002 in response to the catastrophic failures of Enron, Worldcom, and other flawed companies. Originally known as the Open Compliance and Ethics Group, the organization now uses just the acronym as its identifier.


The GRC Professional credential is for any IT pro who is involved — or wants to become involved — in GRC activities. There are no prerequisites for earning the GRCP, making it an excellent starting point for GRC candidates.


Certified in the Governance of Enterprise IT (CGEIT)


Another certification from ISACA, the CGEIT is based around the following job practice domains:


- Framework for the Governance of Enterprise IT
- Strategic Management
- Benefits Realization
- Risk Optimization
- Resource Optimization


The CGEIT designation requires a minimum of five years of IT-related governance work experience, making it a significantly higher-level industry credential.


PMI Risk Management Professional (PMI-RMP)


This certification from the Project Management Institute (PMI) is not as well-known as the group's Project Management Professional (PMP) credential, but it is just as rigorous: the 3.5-hour PMI-RMP exam consists of 170 multiple-choice questions.


The PMI-RMP also comes with a significant work experience requirement, making it a better choice for IT pros who have been performing project-related risk management for several years.


About the Author
Aaron Axline is a freelance technology writer based in Canada.

Aaron Axline is a technology journalist and copywriter based in Edmonton, Canada. He can be found on LinkedIn, and anywhere fine coffee is served.