Aligning IT GRC, enterprise GRC still a challenge
When the term GRC comes up, people interpret it quite differently.
For IT managers, the term is essentially synonymous with IT GRC. For those outside of the IT realm, the term takes on different connotations that have more to do with core operational functions. It's fair to say that IT GRC managers have sometimes felt they've been given short shrift by other units.
Dark Reading notes that "when IT risk management is siloed off from the rest of the enterprise risk management program, it becomes difficult to offer that peace of mind when communication is confused because the language that IT risk managers speak doesn't jibe with the language financial risk managers speak, for example."
This issue has cropped up time and again, usually as part of a call for a more holistic approach to risk management and GRC. Obviously it makes sense for IT GRC to be an intertwined aspect of an overall GRC program, but that remains an elusive objective. In the end, the best bet for IT GRC managers is to demonstrate how they can add value to the overall process in ways that lead to better performance. For example, they might show how data generated by their IT-oriented processes could be useful for strategic planning. This is much easier said than done.