Monday, July 14, 2008

IT GRC among the most mature - Improving Business Results and Mitigating Financial Risk.

IT GRC among the most mature

Marked by a focus on operational excellence, firms with the most mature IT GRC profiles have established an integrated approach to managing risk and reward within the IT function and across the entire organization. Among these firms, senior managers in IT are employing the balanced scorecard to:

1. Regulate reward and risk decisions impacting the organization
2. Establish policies and objectives for IT
3. Institute a learning and growth culture that includes continuous quality improvement within the IT function

Within the IT function, and across legal, audit, internal controls, and business lines, the management of objectives for business reward and risk is being achieved with continuous quality improvement, control objectives, frequent measurement and reporting, common procedures, and high levels of automation, all complemented by IT service level objectives and contracts with IT vendors. Within the IT operations function, the focus is on common IT procedures, more automated controls, continuous measurement, and diligent IT change management and prevention procedures.

Marked by the use of Six Sigma among some firms and simpler Continuous Quality Improvement cycles among many others, the most mature organizations establish a focus on operational excellence within IT that reflects results back into the objectives established and improved through the use of a balanced scorecard. Among these firms, the hallmark of the approach is: make it easy to understand, easy to implement, and continuously improved.

Among the most mature organizations, the Continuous Quality Improvement effort for the governance of IT, and for balancing the reward and risk associated with the use of IT, takes place at all levels within IT and across the organization.

An empirical IT GRC capability maturity model

Primary benchmark research conducted by the IT Policy Compliance Group during the past two years has resulted in a GRC Capability Maturity Model (GRC CMM) with specific practices, competencies, and capabilities associated with each maturity level. This fact-based GRC Capability Maturity Model can be used to assess current maturity levels and quantify the business outcomes associated with each maturity level, as well as to identify desired business outcomes and the capabilities, practices, and competencies needed to improve results.

The scale employed for the GRC CMM borrows from prior research, including significant contributions made by ISACA and the IT Governance Institute. Against this scale, the business results, financial losses, financial risks, business disruptions, and regulatory compliance experience of more than 2,600 firms have been mapped, from worst (level 1) to best (level 5) results.

The competencies, capabilities, and practices associated with each maturity level in the GRC CMM are those of the firms with specific business results at each level. This basis for the practices, capabilities, and competencies in the GRC CMM delivers empirical insight into what is working and not working, based upon primary research and facts, not hypothesis.

Implications and analysis

The way to improve business results and to reduce risk, loss, and expense is to increase or enhance the IT GRC competencies, practices, and capabilities governing the business rewards and risks associated with the use and disposition of IT. While most organizations will need to improve results, operating at the highest maturity level may be inappropriate for some firms. For some, the desired objective may be to operate at level 4.5 or 4.0 on the GRC CMM maturity scale. As a result, improving the balance between business reward and risk for a specific organization is going to be a journey that must be taken relative to the industry within which it competes.

Organizational competencies

The organizational competencies implemented by the most mature firms include leadership by IT, legal, audit and finance functions; employee training and a culture of compliance; improvements to specific practices and capabilities within IT operations; IT assurance and audit; and a continuous quality improvement effort.

Organizational competencies:

• IT, legal, internal audit, and finance leadership
• Employee training and a culture of compliance
• Improvements to IT risk assessments, data protection, IT audit, risk, and compliance practices and capabilities
• Adjustments to spending in IT to support needed capabilities
• A continuous quality improvement program for IT GRC
• An integrated IT GRC program

These are the hallmarks of an integrated IT GRC program being implemented by the most mature firms.

To know more, see the 2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial Risk.
