The decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in a GRC framework will not be effective unless the organization's executive leadership genuinely backs the cultural change they require.
"Implementing a framework will never be successful unless the organization's culture evolves to support GRC activities," says Grama.
Who employs GRC?
GRC can be implemented by any organization – public or private, large or small – that wants to align its IT activities to its business goals, manage risk effectively and stay on top of compliance.
"We are seeing a big push in higher education to implement GRC frameworks," says Grama, "not necessarily to meet a revenue goal, but to ensure that institutional missions of teaching, research, outreach and student success are met efficiently and effectively."
What are the top GRC certifications?
Professionals with a GRC certification must balance stakeholder expectations against business objectives and ensure that organizational goals are met while compliance requirements are also satisfied. That is a broad remit, and one that organizations increasingly need filled.
All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor, among others.
Here are our top picks for GRC certifications:
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Project Management Institute - Risk Management Professional (PMI-RMP)
- ITIL Expert
- Certification in Risk Management Assurance (CRMA)
- GRC Professional (GRCP)
What is a GRC tool/solution and what does it do?
An IT GRC solution lets you create and coordinate policies and controls and map them to regulatory and internal compliance requirements, so that every requirement can be traced to the control (or controls) that satisfy it. Most are delivered as cloud services and automate much of the routine work, such as evidence collection, control testing and reporting, which reduces effort and makes the overall picture easier to manage.
There are many GRC solutions on the market. IBM OpenPages GRC Platform, MetricStream and Rsam's Enterprise GRC are a few examples of highly rated solutions. But they come with hefty price tags, too. More affordably priced (and even free) solutions are available, but they may lack the broad feature sets of higher-priced competitors.
Before looking into any software solution, you need to prepare your environment first. That means assessing your organization's risk and examining controls. Do you have adequate controls in place? Are existing controls working? Add controls where needed and fix those that aren't delivering as intended.
You also need to create a GRC framework. Although GRC tends to focus heavily on IT, implementing a strategy involves an entire organization, and requires a hard look at all of the people and processes that will be affected.
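The mapping and gap check that a GRC tool automates can be sketched in a few dozen lines. The following is an added example, not code from the article or from any of the products named above; every requirement and control identifier in it is constructed sample data. It models requirements (from a regulation or an internal policy), controls with an implementation and test status, and the many-to-many mapping between them, then answers the two questions from the preparation step above: which requirements have no control at all, and which have a control that is not delivering.

```python
"""Control-to-requirement mapping with a coverage and gap check.

Added example (not from the article or any GRC product). Models what an
IT GRC tool does at its core: map controls to compliance requirements and
flag requirements that lack a working control. All identifiers and
sample data below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    description: str
    implemented: bool        # the control exists in the environment
    last_test_passed: bool   # most recent effectiveness test result

    @property
    def effective(self) -> bool:
        """A control only counts if it is both in place and tested as working."""
        return self.implemented and self.last_test_passed


@dataclass
class Requirement:
    req_id: str
    source: str              # regulation or internal policy the requirement comes from
    text: str
    control_ids: list = field(default_factory=list)  # controls mapped to it


def assess_requirement(req: Requirement, controls: dict) -> str:
    """Classify one requirement by the state of the controls mapped to it.

    'covered'          at least one mapped control is implemented and passed its test
    'ineffective'      controls exist but none passed its last test
    'not_implemented'  controls are mapped on paper but none is actually in place
    'unmapped'         no known control is mapped to the requirement at all
    """
    mapped = [controls[cid] for cid in req.control_ids if cid in controls]
    if not mapped:
        return "unmapped"
    if any(c.effective for c in mapped):
        return "covered"
    if any(c.implemented for c in mapped):
        return "ineffective"
    return "not_implemented"


def coverage_report(requirements: list, controls: dict) -> dict:
    """Map every requirement id to its coverage status."""
    return {r.req_id: assess_requirement(r, controls) for r in requirements}


def gaps(requirements: list, controls: dict) -> dict:
    """Group requirements needing work by the kind of fix required:
    add a control where none exists or is implemented, or fix one that fails."""
    report = coverage_report(requirements, controls)
    return {
        "add_control": sorted(r for r, s in report.items()
                              if s in ("unmapped", "not_implemented")),
        "fix_control": sorted(r for r, s in report.items() if s == "ineffective"),
    }


# Constructed sample control catalogue (hypothetical identifiers).
CONTROLS = {c.control_id: c for c in [
    Control("C-01", "Quarterly review of user access rights", True, True),
    Control("C-02", "Multi-factor authentication on remote access", True, False),
    Control("C-03", "Central log retention for twelve months", False, False),
]}

# Constructed sample requirements; 'source' values are placeholders, not real clauses.
REQUIREMENTS = [
    Requirement("R-01", "Internal policy", "Access rights are reviewed periodically", ["C-01"]),
    Requirement("R-02", "External regulation", "Remote access uses strong authentication", ["C-02"]),
    Requirement("R-03", "External regulation", "Audit logs are retained", ["C-03"]),
    Requirement("R-04", "Internal policy", "Privileged access is reviewed", ["C-01", "C-02"]),
    Requirement("R-05", "External regulation", "Incidents are reported promptly", []),
]

if __name__ == "__main__":
    for req_id, status in coverage_report(REQUIREMENTS, CONTROLS).items():
        print(f"{req_id}: {status}")
    print(gaps(REQUIREMENTS, CONTROLS))
```

Note that R-04 is reported as covered even though C-02 failed its last test, because C-01 also maps to it and is effective; a real tool would additionally let you mark some mappings as mandatory rather than "any one of", and would attach the evidence behind each `last_test_passed` value.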