governance, risk management and compliance. The higher the semantic content
of those concepts, the better the integration [7]. Although it may seem
impossible to find general and meaningful concepts for the entire domain of integrated
GRC, it is better to adopt the so-called “constructive” research strategy [7].
2 Methodology
The methodology applied is divided according to the two processes of design
science research in information systems, build and evaluate [16]. The build process
is composed of two stages, whereas the evaluation process is composed of
only one stage (Fig. 1).
Fig. 1. Research Methodology
The first stage, construct definition, has two main milestones: conceptual
domain establishment and conceptual definition within the established boundaries.
In this stage we proceeded with a literature study and benchmarking
of integrated GRC solutions on the market. Throughout it, we have come to
support the observations made by Racz et al. [2]: “there is basically no scientific
research on GRC as an integrated concept”, “software vendors, analysts and
consultancies are the main GRC publishers” and “software technology is the
prevailing primary topic”. Hence, gathering solid information was a hard task
due to the lack of scientific research. Also, at this stage, we began to categorize
the concepts that we will present in Sect. 3.
According to Hevner et al. [17], the results from this stage can be called
constructs. “Constructs provide the vocabulary and symbols used to define problems
and solutions” within an outlined domain. To favour the boundary definition of
the domain, we used the design science research pattern proposed by Vaishnavi
and Kuechler [18], building blocks, which consists in dividing “the given complex
research problem into smaller problems that can form the building blocks for
solving the original problem”. In this case specifically, we divided the domain into
G, R and C areas so as to simplify it and the concepts involved.
In the second stage, the concepts were separated according to their most
evident domain. For example, risks are more likely to belong to the risk domain
(R in GRC). However, this does not imply that they could not be represented
in the governance and compliance domains, for they might maintain relations with
other concepts. One of the goals of this phase was to identify the concepts
duplicated among domains. This way we could determine the integration points
 