between the three areas. Also, by having concepts divided into smaller domains,
it became simpler to define the relations between them.
Still at this stage, three conceptual models were built, one for each area, G, R
and C (Sects. 3.1, 3.2 and 3.3). In Sect. 3.4 we present the domain of integrated
GRC with concepts and relations adjusted to the integrated context.
Even though little is known about how to validate conceptual models effectively and efficiently [13], in the final stage we proceeded with the evaluation of the final conceptual model by mapping the relations between concepts onto the eight components of the GRC Capability Model presented by OCEG [15]. We used this mapping to evaluate the quality of the conceptual model according to its syntactic and semantic quality, using the Conceptual Model Quality Framework proposed by Moody et al. [19].
3 Conceptual Model
Information integration is one of the core problems in cooperative information systems [20]. GRC functionalities have also been shown to overlap one another [15,21], making integration difficult. Governance, risk and compliance as separate concepts are nothing new [1], and many researchers have addressed each area. The proposed model describes the GRC functionalities and information that are considered to be within the scope of each of the three areas (G, R and C).
The components of the model. Before we begin describing each of the three
scopes, a proper explanation concerning the model is required. The model has
three types of concepts, represented by different colours and different shapes.
The rectangular concepts, coloured orange, stand for what we propose to be the
GRC main functionalities:
1. Audit Management
2. Policy Management
3. Issues Management
4. Risk Management
We have chosen these four functionalities for three reasons. First, a study performed by Racz et al. [4] concluded that Risk Management, Policy Management and Audit Management were each mentioned seven times by GRC vendors as GRC functionalities; Issues Management was mentioned six times. Second, we decided to propose these four core functionalities to keep the conceptual model simple without removing GRC capabilities. Finally, although opinions differ, the benchmarking performed supports these functionalities. The importance and role of each one will be described in the next sections.
Additionally, rectangular concepts coloured grey (Reporting, Dashboards and Monitoring) also represent imperative functionalities for accessing and delivering important information in real time in an automated manner. It is arguable that the four main functionalities presented implicitly cover reporting, dashboards and monitoring, but we opted to include them since they represent essential functions for GRC to perform on an adequate, efficient and effective basis [22].