In 2008, Governance, Risk, and Compliance (GRC) spending will increase an estimated 7.4% to $32 billion. Sarbanes-Oxley Act (SOX) related spending will increase by roughly 2% over last year to $6.2 billion (AMR Research, 2008). These numbers seem indicative of a shift in mindset for companies. Many initiatives that were previously considered SOX initiatives are now probably considered GRC.
Many factors are driving the GRC market. Executives and Directors are being held to high standards of accountability due to regulations on self-assessment and safeguarding of assets. Costs of traditional compliance and risk mitigation tactics are very high. Corporations are pushing to lower costs of safeguarding assets on an ongoing basis. And for efficiency, business processes are maturing towards a risk-oriented approach.
The concept of Identity GRC ultimately encompasses many of the technologies companies have been implementing over the last few years to address SOX. User provisioning, single sign-on, directory services/consolidation, and password self-service are all methods that companies are currently employing to address security as well as operational efficiency.
During the course of using these processes and tools, certain limitations have surfaced which have exposed the need for further functionality: certification of access rights; segregation of duties policy monitoring; control framework automation; and role-based account management. All of these features have become part of the GRC umbrella, which is beginning to look much like the following:

These concepts apply across all enterprise systems and any other systems that companies deem financially significant. Most organizations have tens and sometimes even hundreds of systems that fall into this category.
Enterprise GRC Service Offerings
Achieving success with a GRC initiative does not have to require a high utilization of resources, long timelines, and mega-budgets. Using repeatable processes, we help our customers achieve measurable success in incremental stages so as to provide those vital “quick wins”. Over the years we have refined our flexible service offerings to maximize quality and predictability. Our end-to-end Service Offerings enable us to support our customers from defining the vision all the way to operational support.

GRC Roadmap
- Review IT governance strategy and internal control framework
- Document and analyze effectiveness and coverage of current toolsets
- Perform gap analysis
- Identify short-list of vendors matching customer needs and objectives
- Coordinate vendor-led demonstrations for key use cases
- Develop vendor recommendation based on fitness of demonstrations
- Perform in-depth analysis applicable to the product(s)
- Document approach and perform tasks such as workflow, connector configuration, risk modeling, role mining, identity correlation, and other necessary steps for product configuration
- Integrate necessary systems and processes per requirements
- Deploy Customer hardware in Partners' Services Division datacenter
- Enable toll-free assistance, process monitoring, error notifications, file shares, etc., per scope of agreement
- Maintain patches, add systems, and deploy upgrades
Getting Started
A well-planned GRC strategy will ensure that a company’s IT assets are secured and processes are streamlined. Furthermore, this strategy will put in place the necessary elements for compliance with regulations under which a company is held accountable. Planning for GRC will often require a joint effort between application owners, internal auditors, compliance officers, and IT security professionals. They will ultimately determine which business objectives aren’t being met, allowing the owner of the GRC initiative to prioritize the needs. This prioritization provides the direction for the first steps of a GRC program. In today’s environment, the majority of companies are approaching GRC from either a “Governance” or “Compliance” focus. Regardless of the impetus, it is important to understand the drivers and what options exist for a given set of objectives.
Partners Consulting
Because of Partners’ many years of experience as one of the country's leading corporations focused on enterprise user account management, we have gained a unique perspective on solutions that pertain to the security, management, and regulations surrounding user accounts and their access rights. Partners Consulting has a rich background in addressing these challenges. We have played an integral role in overcoming these challenges through many permutations of software bundles and architectural models.

