IT GRC maturity covered by this research report is based upon the following:
1 .Primary research results conducted with thousands of organizations
2 . The practices and capabilities directly related to business rewards and risks
experienced by these firms
3 .The practices and capabilities associated with each level of reward and risk
The result is a maturity matrix that is based upon empirical evidence
The descriptions of the maturity levels for GRC in this report are similar to and borrow
from much previous research, including contributions made by supporting members
of the IT Policy Compliance Group, including the Computer Security Institute, the
Institute of Internal Auditors, ISACA, the IT Governance Institute, Protiviti, and
Symantec.
However, after the scale and descriptions of the maturity levels, the findings contained
in this report differ markedly from available maturity models in three principal ways,
as follows:
1 .The findings are focused exclusively on IT GRC .
2 . The maturity described by the report is directly linked to financial results and risks
from primary research benchmarks .
3 . The practices and capabilities are directly related to business outcomes at each
maturity level, based on primary research benchmarks .
There are many different maturity models available . Most provide a way to assess practices and capabilities needed to improve results for a specific purpose, along with a roadmap for evaluating current and desired future states . The maturity relationships contained in this report rely on benchmark findings and publicly available data for business outcomes, financial risks, and business risk indicators throughout the entire spectrum, from one end to the other . If a result, a practice or a capability is not grounded in the reality of actual experience, it is not contained in the report or the GRC CMM .
There are direct relationships between the maturity of IT GRC practices and capabilities, and the business results—positive and negative—being experienced by organizations . The primary IT GRC metrics tracked by the benchmarks include customer satisfaction, customer retention, revenue, profit, financial loss and the occurrence of such losses after the loss or theft of customer data, business disruptions leading to financial losses that are directly related to IT service disruptions, and the number of regulatory compliance deficiencies that must be corrected to pass audit and that are costing the organization more, or less, money to sustain regulatory audit results . Results from the benchmarks consistently show a normal distribution of results for these metrics, from the worst business results to the best, from the worst financial losses to the best, from the most business disruptions to the least, and from the most difficulty with regulatory audit to the least . Consistently, within and across all of the benchmarks, the population with the worst results is 20 percent of the population of firms participating in the benchmarks, and those firms with the best results number 12 percent of the population . In between these two ends of the spectrum lies a majority of the population, 68 percent, with normative results: between the worst and the best .
This consistently normal distribution of results is accompanied by consistent research
findings related to a number of factors, including:
• Actions being taken to improve results
• Competencies and capabilities to take these actions
• Practices implemented by organizations to take these actions
The consistency in business outcomes, aligned with consistent findings in the actions, competencies, capabilities, and practices forms the basis for the GRC CMM being covered in this annual report, focusing on IT GRC maturity .
Across more than 2,600 separate organizations, the findings show that roughly two in ten organizations are operating with worst business results and the highest business risks . The findings also show that a little more than one in ten organizations are posting the best business results and the least financial risk . In between these two are a majority of firms, with neither the best business results nor the worst financial losses.
Each of the metrics measured by the benchmarks shows results that are consistently
repeated, including business results, financial risk from data loss or theft, business dis-
ruptions, and the experience that organizations are having with regulatory compliance .
Business results: Customers, revenues, expenses, and profits The most recent benchmarks measure the impact that improvements to data protection, regulatory compliance, and IT service level resiliency have had on business results, including customer satisfaction, customer retention, revenue, expenses, and profits . Tracked on a 10-point scale and measured by percentage changes, the results show the same population distribution:
• Twenty percent of organizations have an overall score of 6 .37 for these five business
results, on the high-end of "no impact ."
• Sixty-eight percent of firms have an overall score of 6 .86 for these five business
results, on the low-end of a "slight increase ."
• Twelve percent of organizations have an overall score of 7 .40, in the middle of the
range for "slight increase ."
The raw scores clearly show that firms with better IT GRC results are enjoying much better results when it comes to satisfying customers, retaining customers, and growing revenues and profits than all other organizations.
Although there is a slight improvement among all firms, the results show clearly that the most mature firms are experiencing much better business results . Unfortunately, the average scores across these performance domains do not show the gulf separating the results between the organizations with the least and most mature IT GRC profiles . The percentage changes and relative scores provide much greater insight into the contribution to business results being achieved by firms with the most mature IT GRC practices .
Business results: Relative to the norm Whether normalized to the mean scores for each business metric or measured directly from percentage changes that occurred for organizations, the change in value for customer satisfaction, customer retention, revenues, expenses, and profits shows a swing that ranges from nearly negative 10 percent on the low side among the least mature to nearly positive 10 percent on the high side being experienced by most mature firms,
matching raw scores from other portions of the benchmarks .
Although posting results that are on the high end of "no impact," the majority of firms operating as least mature are experiencing results that are 7 .4 percent less than that of the firms operating at the IT GRC norm for all business metrics .
The most mature firms, those posting results in the middle of "slight increase" for all business metrics, are experiencing results that are averaging 7 .6 percent more than the firms operating at the norm for all business metrics .
The majority of firms—those operating at IT GRC norm—are not experiencing the more
dramatic differences in revenues, expenses, profits, customer satisfaction, or customer
retention being posted by the firms with the most, or least, mature IT GRC profiles,
practices, competencies, and capabilities .
To know more details
2008 Annual Report: IT Governance, Risk and Compliance - Improving Business Results and Mitigating Financial RiskCompliance Webcast and VideoIT Governance, Risk and Compliance: What the best performing firms do in IT to deliver better business results and lower riskBenchmarking IT Risk & Compliance