Frequently Asked Questions about Governance, Risk, and Compliance (GRC) Systems

Last reviewed by the EDUCAUSE IT GRC Advisory Committee and the HEISC GRC Working Group: June 2016

What is a Governance, Risk, and Compliance (GRC) system?

Governance, Risk, and Compliance (GRC) systems are integrated applications that typically offer "modules" to help automate basic governance, risk, and compliance business processes. Some of the kinds of processes they can help organize are:

Why would I want to invest in a GRC system?

Basically, a GRC system allows you to pull together policy, compliance, risk, remediation, data archiving, and reporting information all into one tool.

A GRC system can help in inventorying and classifying data, and in documenting and monitoring the required security controls. Such a tool can support a more efficient and effective, organization-wide approach to privacy and information security, and ultimately can lessen the burden on end users and/or information technology staff.

Numerous compliance obligations imposed by law, regulation, and contractual agreements require institutions to monitor activity through questionnaires and surveys pertaining to information security and privacy, as well as other risk-related areas. Web-based questionnaires built around compliance requirements can be created and distributed using a GRC tool, rather than having a variety of manual processes in place – no more spreadsheets emailed back and forth!

Most GRC solutions offer security controls cross-referenced across compliance requirements and other standards and frameworks, allowing the end user to answer one question that will trigger or skip another based on the answer. Rather than filling out numerous disconnected spreadsheets asking similar questions, the end user or IT staff can be prompted to verify previously entered and saved information at predetermined intervals, in order to satisfy overlapping compliance requirements. Information assets can be tracked, and data on endpoints maintained, in a more efficient and effective process.

The use of one portal for all governance, risk, and compliance needs supports a collaborative approach between internal offices such as audit, information privacy, security, and compliance, to name a few. Data entered and used for one aspect of the governance, risk, and compliance processes can be accessed and re-used for another aspect without requiring end users or IT staff to re-enter their responses. This is particularly effective when used for the full life cycle of GRC processes: managing inventories of assets, compiling inventories of compliance obligations, recording answers to self-assessments of assets against compliance obligations, automatically monitoring compliance (for some types of controls, such as firewall settings and workstation settings), identifying gaps in compliance, applying risk assessment variables to those gaps, choosing the highest-risk gaps to address, tracking remediation plans to reduce those risks, archiving data, and providing reporting. Considering that these processes should take place at regular intervals, such as annually or bi-annually, automating them through an integrated, enterprise-wide GRC system can make this daunting task feasible, efficient, and effective.

Many GRC systems offer designated and dynamic dashboards that allow units to self-manage their own compliance and risk, with oversight from the respective internal authorities. Through reporting features, senior leadership also has the option to quickly assess the overall compliance posture of the institution, identify gaps, measure risk, perform trend analysis, and use this information in strategic planning and resource allocation.

Is a GRC system only used by Information Technology?

Although many GRC systems on the market today only encompass what is called IT-GRC, or started out only offering an IT-GRC solution, these systems are being designed for and used by many other areas of the business today, including enterprise policy management, enterprise risk management, compliance tracking for areas such as Environmental Health & Safety, and even for management of Internal Audit processes. As you can imagine, if you find a way to automate some basic processes that IT needs to manage, you could then USE those processes in any number of business areas.

This is one reason why the GRC market can be so confusing! Some organizations will purchase and use a GRC tool for only one or a few purposes/business needs (such as IT, or risk assessment), and others will use it for a number of different business needs. Some will use it only within one administrative structure or unit, while others will use it enterprise-wide.

So, do I want an IT-GRC or an Enterprise GRC product?

It depends! Here are some hints:

Keep in mind that the marketplace is constantly evolving, so do not be too quick to discount solutions that others or even the vendor have labeled as one type or the other. Focus on the functionality you need and which vendors provide it.

What modules do I need?

There is no standardization in the naming of the "modules" provided by GRC vendors, so it can be challenging to figure out which module or modules offered by each vendor will meet your specific business needs. Also, the name of a vendor's module might be very specific to one business purpose, when in fact the module could be used for any other business purpose that has the same underlying basic process needs.

So, for example, your compliance staff might use a tool's "Compliance" module to manage compliance with OSHA, while your IT folks might use the same module, or one called "IT-GRC," to implement an ISO 27001 or ISO 27002 framework. Your business continuity folks might use a "Policy Management" module to develop and track BC plans, using its routing to have someone review the plans submitted, while Human Resources might use it to draft, review, and issue the institution's HR policies. And your Risk Management folks might use a "Risk Management" module to assess risk in any number of areas, including IT. Or maybe just your IT folks use the Risk Management module to assess IT risk.

How do I differentiate between all the various GRC vendors and products?

There are a number of ways to differentiate between the products:

What should I do first if I am interested in procuring a GRC system?

First, identify what business functions will use the system. Clearly define and consider what processes you want to improve, and what kind of improvements you are seeking. This is KEY to being able to narrow down the large pool of available GRC systems!

Although some corporations purchase all modules for use in nearly all business areas in a true enterprise GRC implementation, it is hard to imagine a college or university so centralized that it would decide EVERYONE will use it for ALL governance, risk, and compliance activity. More realistically, there will be a champion (maybe this is you) who will be leading the initiative to obtain a GRC system for his or her own business function. Depending on the culture at your institution, consider inquiring as to whether other potential GRC stakeholders would be interested in joining with you on the initiative. This will help you determine the scope of your project and what modules you are most interested in procuring.

Possible GRC Stakeholders may include:

This process of determining what enterprise business functions will use the system, and for what processes, can take a lot of time up front, but it is well worth it to ensure that you choose a product that will fit you and your institution. Otherwise, you may eliminate GRC products that fit your realistic needs well, because you are specifying far more functionality (which always comes with more complexity) than what you will ever need.

Perhaps in ten years, we will have seen other college and university business units besides IT buying in and working together to implement a truly enterprise governance, risk, and compliance solution, but we aren't seeing that yet. Thus, today you will see the higher education institutions profiled here focusing on various different aspects of a GRC implementation.

What are some of the challenges others have experienced in their implementations that I should be sure to consider? What have others done to address these challenges?

Higher Education Institutions Currently Investing in GRC Systems

Web Resources and Articles

Higher Education Resources

Additional Resources


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).