Large companies in regulated industries such as financial services and healthcare generate and consume reams of data about their customers, business operations, and the markets at large. Traditionally, these companies capture data in “information silos,” often with different legacy systems and formats leading to security issues. Improving data security requires major process changes, and automatically moves data management into the top of the priority list for IT spending.

The Governance and Risk Compliance market is fragmented and growing quickly so the selection of the right solutions partner can be difficult. A number of key players have entered the market or augmented their service offerings through acquisitions. These include:

  • IBM, through its acquisition of Open Pages and its business analytics capabilities;
  • Thomson Reuters, by acquiring WeComply, a compliance e-learning provider;
  • EMC’s acquisition of software leader Archer;
  • SAI Global’s acquisition of Compliance 360; and
  • British-based Wilmington Group’s acquisition of information services provider Compliance Week thereby entering the Enterprise GRC market in the United States.

GRC as a Data Security Solution 

To secure their data, companies must adopt their own Governance and Risk Compliance (GRC) Framework that clearly defines their governance, risk management, and compliance processes.

Having a GRC Framework in place enables corporate executives to respond to regulators, customers, and investors who want details about how their company identifies, manages, and controls risks to their business operations.

In today’s era of Big Data and the coincident rise of data regulation, the importance of protecting sensitive data and delivering better customer experiences grows every day. For companies in regulated industries, the treatment of data is not a strategic choice; rather it’s a mandated requirement. Myriad complex compliance and reporting issues require major process changes, and moves data management into the top of IT spending priorities.

Developing a GRC Framework involves internal corporate stakeholders including Chief Risk Officers, Chief Compliance Officers, Chief Information Security Officers, GRC domain-specific consultants, and even your internal auditors. Here is an overview of industry best practices for developing a GRC Framework for your company.

Define Governance Processes

Governance processes specify the management approach over an entire company. The processes dictate how senior management directs and controls day-to-day business operations through preset management information and control structures. These governance steps ensure that senior management receives the most accurate business information from which to make appropriate management decisions.

Here is a typical set of governance processes:

  1. Document current governance processes and risks inherent to the business operations and even their industry as a whole.
  2. Define and document Internal Controls that insure the accuracy of the company’s accounting and financial data.
  3. Assess the effectiveness of Internal Controls using an internal management assessment and an outside auditor for a follow up assessment.
  4. Certify governance processes using an internal auditor, GRC consulting firm, or outside auditor.
  5. Remediate any issues found during the assessment of the governance processes.

Governance processes must be formally documented, approved, and placed into a secure document management system for version control purposes.

Define Risk Management Processes

Risk management processes govern how companies identify, manage, and contain risks that are inherent to their business operations. This is a major concern for any company that operates in a regulated market. Defining risk management processes requires input from internal departments and most often from a GRC specialty consulting firm and/or an auditor.

Here is a high-level process for defining risk management processes:

  1. Identify and categorize risk through upfront and ongoing analysis. Risks are specific to a company and include such things as workplace accidents, legal risks, project risks, and financial risks.
  2. Assessing risk is often loosely defined and focuses on the expected consequences of such risks to business operations and the company’s fiscal health.
  3. Mitigate risk by focusing on how the business can reduce risks in their business operations.
  4. Contain risk by focusing on changes in technology and processes that can remove a risk item from being a concern to the business.

Companies need to document, approve, and place Risk Management processes into a secure document management system for version control purposes.

Define Compliance Processes

Compliance processes within an overall GRC Framework ensure that business operations comply with program regulations. Defining compliance processes can take on many forms and requires cooperation and collaboration among the company’s process owners.

Here is a high level process for defining compliance processes:

  1. Define and document current Internal Controls to keep the business in compliance with outside regulations.
  2. Assess the effectiveness of Internal Controls through internal testing that involves an internal auditor, outside GRC consulting firm, and an internal team.
  3. Define and certify compliance processes.
  4. Remediate Issues that the team discovers when defining and certifying compliance processes.

Compliance processes should be formally documented, approved, and placed into a secure document management system for version control purposes.

Value of an Integrated GRC Approach

It’s possible to support multiple compliance programs with a minimum of redundancy through using an integrated GRC approach to achieve compliance. An integrated GRC approach includes standard GRC and technologies with control through an information technology framework. Typical technologies in an integrated GRC approach include business intelligence, real time analytics, and Enterprise Resource Planning (ERP) systems.


Developing an effective GRC Framework for your company requires the marshaling of multiple internal corporate resources and most often an outside GRC domain specific consulting firm and a third party auditor.

George M. Shea, a FOCUS Partner and Information Technology Team Leader, has over 30 years of broad IT industry experience in acquisitions and divestitures, corporate finance, business development, strategic planning, marketing, sales, and operations.