Yesterday, I met with one of the leading thinkers in the GRC space, Lee Dittmar, a principal at Deloitte Consulting. Our conversation covered a number of topics; however, we spent most of our time discussing IT for GRC and how it is related to, but different from, GRC for IT.
GRC for IT
There are a number of governance, risk, compliance and internal control (GRC) issues related to information technology (IT). These are well known:
- IT governance
- IT controls (general computing controls, access controls, master data controls, etc.)
- data privacy
- data security
- document retention / records management
- electronic data management
- disaster recovery and business continuity
- etc.
These are primarily IT issues that have significant governance, risk management, compliance and internal control implications.
IT for GRC
There are a number of enterprise processes that aim to help keep the organization on track and operating within defined "boundaries" of conduct. Boundaries may be either mandated (laws, rules, regulations) or voluntary (corporate values, contractual obligations, internal policies).
IT for GRC is about enabling all of these processes.
This distinction will be further analyzed and elaborated by the OCEG Technology Council over the next few months.