For this reason, they are explicitly represented. We have distinguished these four
from the key functions, because they represent horizontal functionalities available
through the three areas.
The concepts, in a blue round shape, represent information that is managed
by these functionalities or is presented as a responsibility of the G, R or C
areas. As stated before, the G, R and C areas overlap [15,21], and some information
is managed by different areas simultaneously. One way to observe the points
of integration of GRC is through the information that is used collaboratively
between governance, risk management and compliance.
Next, we address governance, risk and compliance separately and in more
detail.
3.1 Governance
OCEG states that “governance is the culture, values, mission, structure, layers
of policies, processes and measures by which organizations are directed and controlled”
[15]. According to this definition, one of the most important responsibilities
of governance is to determine guidelines, which are translated into policies
composed of culture, values, mission and objectives, and supported by procedures
(see Fig. 2).
Policy Management, a key functionality, can be said to be an important activity
with direct governance responsibility. Policy management must “develop,
record, organize, modify, maintain, communicate, and administer organizational
policies and procedures in response to new or changing requirements or principles,
and correlate them to one another” [23].
Policies play an essential role in GRC, because they represent the board's and
top management's point of view on how the organization should be driven. It
can be said that governance defines an interface, and the rest of the organization
implements it in order to operate in accordance with what is established. Once agreed upon,
policies have to be communicated across the organization. It is also important that
they be reviewed and preserved. All of this is part of the policy life cycle that must
be set up (Fig. 2).
Since governance defines how the organization should perform, describing
through policies what is acceptable and unacceptable, compliance is the area
responsible for inspecting and proving that the policies are adequate, implemented
and followed. In Sect. 3.3 we address the influence of compliance on policy
management in more detail.
Governance is also responsible for risk and compliance oversight, as well as for
evaluating performance against enterprise objectives [21]. “The board acts as
an active monitor for shareholders' and stakeholders' benefit, with the goal of
Board oversight to make management accountable, and thus more effective” [15].
Accordingly, governance should be able to understand and foresee the organization's
vulnerabilities and, hence, make decisions to reduce them.
Governance should also distribute power so as to provide insight and intelligence
at the right time, so that the right people in management can make risk-aware
decisions in accordance with key business objectives. Risk-awareness is possible