Category Archives: GRC

Governance Risk Management and Compliance

IT-GRC Benchmark Survey – Aberdeen Group – FREE Report (a $399 value)

Aberdeen Group, a well-known research organization, is conducting a benchmark survey on IT-GRC. The responses from this survey will be the foundation of their IT-GRC report in March.
Participants who respond to the survey (15-30 minutes long) will receive a complimentary copy of the final research report by Aberdeen (a USD 399 value).

Please click on to answer the survey.

Archer Sets Its Sights On IT GRC Rival, Acquires Brabeion

Top contenders in the IT governance, risk, and compliance market merged on Tuesday as Archer Technologies announced it is acquiring Brabeion Software. Forrester projected consolidation as a key GRC market trend for 2009, and we explored the issue further for IT GRC vendors in our report, “Consolidation Looms for the IT GRC Market.”

This was a strong move for Archer, as other, larger vendors are closely eyeing the IT GRC space for acquisition potential. Along with the acquisition of Paisley by Thomson Reuters last month in the Enterprise GRC space, this is just the beginning of what’s to come over the next 12-18 months. The GRC market as a whole is extremely broad and ripe for growth, but it is also crowded with niche vendors. Market leaders and enormous outsiders will be eager to scoop up as much of the pie as possible, which means more deals are on the way.

via The Forrester Blog For Security & Risk Professionals.
Thomson Reuters Gets A Jump On Holiday Shopping, Acquires Paisley

Keep an eye out in the next week for Forrester’s GRC Trends 2009 report, which will take a look at how a decidedly rocky end of 2008 will impact those responsible for various aspects of corporate governance, risk management, compliance, audit, and finance… as well as the product and service firms that serve them.

One trend that we call out in the report is the impending consolidation of the GRC technology landscape, which is a top-of-mind issue for many leading vendors in the space.

Wednesday, Thomson Reuters got an early start on this trend with a definitive agreement to purchase Paisley. A leader in the GRC platform and audit management markets, Paisley will be a strong addition to the company’s Tax and Accounting group.

Concern among businesses about their risk management practices and impending regulatory actions will be a major driver for growth in the GRC market, and considering this significant potential, we expect other attractive acquisition targets in the space to be scooped up over the next 12 months.

The Forrester Blog For Security & Risk Professionals

Building an IT Governance Foundation – Baseline

While organizations have similar goals such as controlling costs and achieving data consistency, IT departments across government, corporations and nonprofits operate differently. IT management needs an overarching governance model like CobiT, ITIL, CMM and Six Sigma to ensure that investments in technology generate business value and mitigate risks.

Information technology governance defines the overall structure, policies, processes and relationships necessary to provide the desired level of standardization and consistency across an IT organization. It encompasses systems, performance measures and risk management procedures, helping organizations make informed decisions about their operations and investments. While organizations have similar goals—such as controlling costs and achieving data consistency—IT departments across government, corporations and nonprofits operate differently.

Even after a rigorous focus on compliance initiatives—and the widespread acknowledgment that large-scale, complex, strategic IT projects commonly progress beyond scope and budget without due attention—standardization around IT governance models is still being sought.

When organizations are examined and their use of best-practice disciplines is polled, a number of frameworks and standards for varying aspects of IT operations are found. These frameworks typically include:

* IT Infrastructure Library (ITIL), developed by the United Kingdom’s Office of Government Commerce, focuses on service support and service delivery.

* ISO/IEC 27001 (ISO 27001) consists of a set of best practices to implement and maintain an information security program.

* AS8015-2005 is the Australian Standard for Corporate Governance of Information and Communication Technology.

* Capability Maturity Model Integration focuses on software engineering, people and implementation.

* Balanced Scorecard is a strategic planning and management system used to align business activities to the organization’s vision and strategy.

* Six Sigma is a manufacturing-based system focusing on quality assurance.

IT management needs an overarching governance model to ensure that investments in technology generate business value and mitigate associated risks. The model should also provide a common language for IT and users, enable more focused planning, and create a level of standardization, consistency and predictability.

First published in 1996, Control Objectives for Information and Related Technology (CobiT) provides a set of generally accepted best-practice objectives to help maximize the benefits derived through IT use. It further aids in developing appropriate IT governance and control in an organization. Managed by the Information Systems Audit and Control Association and its research body, the IT Governance Institute (ITGI), CobiT became the IT governance standard against which auditors measured process and control maturity in support of compliance with the Sarbanes-Oxley Act of 2002.

CobiT provides a control- and objective-based foundation upon which decisions and investments can be based. These include defining a strategic plan; defining the information architecture; acquiring the necessary hardware and software to execute a strategy; managing projects; ensuring continuous service; and monitoring the performance of the IT system.

This is achieved by providing tools to assess and measure the performance of 34 high-level processes that cover 214 control objectives, which are categorized in four domains: Plan and Organize; Acquire and Implement; Deliver and Support; and Monitor and Evaluate. By implementing processes and procedures supporting the CobiT objectives and identifying and monitoring associated controls, users and auditors will recognize greater reliability and performance throughout the enterprise.

Building IT Governance: Overcoming Challenges

Throughout IT organizations, common themes are described as areas of opportunity: improve project planning and investment; increase collaboration and information sharing; facilitate effective communication and transition across the lifecycle; control cost while providing efficient operations and support; enhance service delivery; and improve security. These themes are usually approached as individual programs or are carefully orchestrated as an overarching organizational transformation related to technology operations.

Certain areas, such as security and managing data across an enterprise, require heavy investment and monitoring. These are also areas that auditors commonly spend time scrutinizing and directing change for heightened control.

When remediation is essential, reactive solutions are typically implemented. Though necessary, these solutions can be costly and inefficient. Once a baseline is set, however, and the auditors leave, it is far more efficient for IT management to proactively design and support an improvement plan with cross-functional reach. The CobiT model can help with this.

By understanding the four domains and the underlying process areas, IT management and staff can begin communicating from a common frame of reference. Leveraging the CobiT toolkits, IT management can promote a standard set of metrics, process structures, improvement plans and self-assessment mechanisms. This allows each area to initiate, report and monitor in a similar fashion.

In almost every change-management or operational-improvement approach, stakeholder involvement is critical, yet this is often where things fall apart. Think how many project managers ask for executive stakeholder meetings to communicate issues and detailed plans. Now ask how many IT managers have enough time to devote to such detail. The answer would be “very few.”

With an understanding of CobiT and having a common approach to managing and measuring processes, IT management will have an informed understanding of the objectives to be achieved. This understanding allows IT management to focus on the actions that require their attention, enabling the program to stay on track based on meaningful risk and opportunity reviews.

The ITGI CobiT 4.1 framework document describes the four domains and their relationships and lists the related process areas. The relationships can help IT management focus on areas of opportunity or risk.

Plan and Organize (PO) provides direction to solution delivery (AI) and service delivery (DS); Acquire and Implement (AI) provides the solutions and passes them to be turned into services; Deliver and Support (DS) receives the solutions and makes them usable for end users; and Monitor and Evaluate (ME) monitors all processes to ensure that the direction is followed.

A governance framework is worthwhile only if it is actually used; otherwise, it becomes a waste of money and a burden to the staff. To be effective, its language must permeate regular conversations among the leadership team and find its way into dashboards and documents.

By using CobiT tools, IT management can quickly assess strengths, weaknesses and opportunities. It can then reduce costs, improve the top line, enhance customer service, or meet compliance and regulatory reporting by balancing risk mitigation and process improvement in a proactive fashion.

Building IT Governance: Collaboration and Support

As an example, one state government’s IT strategic planning group wanted higher levels of collaboration and a stronger sense of support. The sense of buy-in across multiple agencies would strengthen appropriation requests for strategic initiatives, allowing for economies of scale, including:

  • Solutions that address and automate inter- and intra-agency business processes
  • Smaller, more focused teams to drive progress more quickly
  • More statewide, standardized technology platforms and tool sets
  • Enhanced information sharing and increased reusability
  • Lower total cost of ownership for solutions.

To achieve its goals, the state government embarked on a more collaborative planning effort, beginning with an agency director approach. This top-down model was meant to align agencies having similar business-oriented goals and challenges. Facilitated discussion and collaborative decision making identified and defined capabilities that would help alleviate challenges in support of goals that could be met through technology. This transition—from business-driven need to technology-based capability—also allowed the agency directors to communicate more effectively with the IT directors.

The transition to technology occurred when enabling capabilities, such as business intelligence, were identified. More than 50 agencies were represented and more than 100 directors, chiefs of staff, and IT leads collaborated in the process to iterate balanced objectives and identify existing and new initiatives.

The state’s intent for the strategic planning process was a set of IT-oriented priorities that support state and agency business goals and can be translated into a set of recommended projects and budgets. With the iterative, collaborative process utilized, it was essential to be sensitive to time and competing priorities. In support of the process, the state established a legislative technology committee and formalized the agency director advisory committee.

The state’s approach—developing output for the framework—was designed to facilitate discussion and move quickly toward decisions in a collaborative fashion that built support and consensus.

Looking at CobiT’s Planning and Organizing domain, the very first process area is Define a Strategic IT Plan. This satisfies the business requirement for IT to sustain or extend the strategy and governance requirements, while still being transparent about benefits, costs and risks.

Another CobiT process area, Define the IT Processes, Organization and Relationships, has several applicable objectives. These include Defining an IT Process Framework, Establishing an IT Strategy Committee and Establishing an IT Steering Committee.

The state government achieved several CobiT objectives through its planning process, which had the goal of developing a long-term strategic plan—not overtly aligning with the CobiT framework. This is a model of success that other standard and framework maturity programs can learn from.

Building IT Governance: IT Governance Transformation

Enabling IT Governance Transformation

The steps enabling transformation—in the context of an IT governance, compliance or enterprise risk management initiative—describe a business process. Similar to any other business process, it must be documented, followed with discipline and improved with every iteration.

For a successful CobiT experience, always begin from a perspective of knowledge and leverage experienced support. Implementing an enterprise risk management, compliance or IT governance program is like any other transformation: It must have the support of a dedicated team to be successful.

Lessons taken from enabling organizational transformation hold true for an IT governance program to reduce cost and effort, while enhancing chances of success and building support across an organization. There are only so many tasks that one person or a group working part-time can push forward simultaneously.

For an IT governance effort to succeed, therefore, dedicated resources must be allocated, IT management must have a common understanding to allow for more focused decision making, and progress must not be predetermined by an arbitrary schedule, such as a quarterly earnings call.

Plan and Organize (PO)

  • Define a strategic IT plan.
  • Define the information architecture.
  • Determine the technological direction.
  • Define the IT processes, organization and relationships.
  • Manage the IT investment.
  • Communicate management aims and direction.
  • Manage IT human resources.
  • Manage quality.
  • Assess and manage IT risks.
  • Manage projects.

Acquire and Implement (AI)

  • Identify automated solutions.
  • Acquire and maintain application software.
  • Acquire and maintain technology infrastructure.
  • Enable operation and use.
  • Procure IT resources.
  • Manage changes.
  • Install and accredit solutions and changes.

Deliver and Support (DS)

  • Define and manage service levels.
  • Manage third-party services.
  • Manage performance and capacity.
  • Ensure continuous service.
  • Ensure systems security.
  • Identify and allocate costs.
  • Educate and train users.
  • Manage service desk and incidents.
  • Manage the configuration.
  • Manage problems.
  • Manage data.
  • Manage the physical environment.
  • Manage operations.

Monitor and Evaluate (ME)

  • Monitor and evaluate IT performance.
  • Monitor and evaluate internal control.
  • Ensure compliance with external requirements.
  • Provide IT governance.

Adam Nelson is director of management and IT consulting at Keane, a global IT consulting firm headquartered in San Ramon, Calif.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research

Governance, risk, and compliance (GRC) continues to be a hot topic of interest for security and risk professionals. Between July 2007 and July 2008, Forrester’s security and risk management team received 1,798 inquiries on a variety of topics — 198 of which were from clients interested in GRC. Of the GRC-related inquiries recorded, 46% covered compliance best practices, 32% concerned GRC vendor selection, and 24% addressed risk management. Forrester doesn’t expect the focus on compliance to diminish drastically, but maturing companies are focusing more on how to manage a federated compliance program that encompasses all standards and regulations rather than managing separate initiatives for each. Inquiries about enterprise risk management and selecting comprehensive GRC management software platforms also echo the same trend toward maturity. Forrester recommends that professionals looking to adopt GRC programs begin by identifying where converging governance, risk, and compliance can provide greater efficiency and insight, and only then consider technologies that can support these benefits.

Inquiry Spotlight: Governance, Risk, And Compliance, Q4 2008 by Chris McClean – Forrester Research.

A Comprehensive & Proactive Approach to Managing Regulatory Compliance Challenges Yields Substantial Benefits – MarketWatch

A Comprehensive & Proactive Approach to Managing Regulatory Compliance Challenges Yields Substantial Benefits

Proactively Addressing Today’s Mounting Regulatory Pain-Points Results in Increased Detection of Weaknesses in Compliance Controls, Improved Accuracy of Compliance Related Information, and Decreased Number of Compliance Incidents and Breaches

Last update: 11:56 a.m. EDT Oct. 14, 2008

BOSTON, MA, Oct 14, 2008 (MARKET WIRE via COMTEX) — In the newly released benchmark report “Continuously Compliant: Ensuring Proactive, Comprehensive Compliance,” Aberdeen Group, a Harte-Hanks Company (NYSE: HHS), found that Best-in-Class organizations realized a 17% increase in the efficiency of compliance tracking and reporting as a direct result of proactively incorporating the right blend of targeted GRC and compliance enabling tools, technologies, and services into a structurally sound, holistic, and business-prioritized internal framework; an average increase more than 7.5 times greater than Laggards. To obtain a complimentary copy of the report, visit:

The purpose of this report is two-fold. First, it identifies the strategic actions, internal capabilities, technologies, and services Best-in-Class organizations are employing to transition from reactive, fragmented, and manually intensive compliance activities to proactive, comprehensive, and automated continuous compliance. Then, it provides a roadmap of actionable analysis and recommendations for companies seeking to: (1) ensure accurate and auditable compliance with all relevant governmental, industry-specific, and internally mandated regulations; (2) streamline, automate, and optimize operational processes; and (3) secure the integrity of company image and brand value.

Considered an integral part of their compliance strategies, establishing and enforcing an enterprise-wide, consistent approach to the achievement of compliance objectives allows the Best-in-Class to more effectively identify process breakdowns and inefficient controls, thus enabling valuable internal resources to be re-allocated towards core business activities. As a result, Best-in-Class companies were able to increase the detection of weaknesses in internal compliance processes and controls by 13% and improve their flexibility to adjust to changing regulatory requirements by 15%; an average increase over 3.5x greater than all other organizations.

“By fostering an ethical and compliant company culture and embracing an internal framework that emphasizes communication, accuracy of information, and collaboration across channels and roles, Best-in-Class companies allow employees to structure a work-plan and timetable that ensures compliance objectives are met within specified timeframes while providing both compliance managers and business unit heads with visibility into the status of compliance activities; facilitating dramatic improvements in both the speed and accuracy at which business-critical decisions are able to be made,” said Stephen M. Walker II, GRC specialist, Aberdeen. “Ensuring effective, efficient, and on-going compliance with external regulations while reaping internal operational benefits is dependent on pairing the right blend of targeted, scalable tools and technologies with clearly defined internal processes, controls, and organizational buy-in.”

A complimentary copy of this report is made available due in part by the following underwriters: Oracle, and SAI Global. To obtain a complimentary copy of the report, visit:

A Comprehensive & Proactive Approach to Managing Regulatory Compliance Challenges Yields Substantial Benefits – MarketWatch

Expect a Rise in Governance, Risk and Compliance Vulnerabilities in U.S. Corporations Following the Government’s $700 Billion Bailout Plan

Accounting Firm SingerLewak Expects a Rise in Governance, Risk and Compliance Vulnerabilities in U.S. Corporations Following the Government’s $700 Billion Bailout Plan

Leading California Accounting and Consulting Firm Seeks to Advise America’s Executives To Tighten Internal Controls Now

By: PR Newswire

Oct. 13, 2008 05:00 AM

LOS ANGELES, Oct. 13 /PRNewswire/ — SingerLewak, a full service accounting and management consulting firm headquartered in Los Angeles, today issued a Governance, Risk and Compliance advisory following the federal government’s authorization of the $700 billion bailout plan of the U.S. financial system. Analysts with the firm’s Enterprise Risk Management Services practice forecast that the hotly debated economic rescue of U.S. financial institutions could trigger an increase in vulnerabilities to the internal controls of public and private companies.

According to Troy Snyder, Lead Partner of SingerLewak’s Enterprise Risk Management Services practice, the current uncertainty in the markets and the global economy could directly result in a significant percentage increase of U.S. corporations facing security compromises and financial liabilities.

“With the $700 billion government bailout plan, the potential fallout could affect a company’s risk profile due to less people and smaller budgets to detect fraud. As such, inappropriate employee behavior can seriously compromise the integrity of the corporate structure,” cautioned Mr. Snyder.

Mr. Snyder further specified that among the highest concerns are the risks posed by unsettled and edgy employees whose behavior can lead to actions such as fraud, theft of sensitive proprietary data, or critical intellectual digital property, through the inappropriate use of information systems resources.

“In past times of general financial instability, it has not been uncommon to see a weakening in the internal controls of businesses struggling to survive in unfavorable market conditions,” Mr. Snyder commented. “Although initially helpful to quell investor unease, the $700 billion bailout plan has the very real potential to adversely affect the risk profile of a broad spectrum of corporations, due to workforce reductions, budgetary cutbacks and other factors known to compromise the integrity of the corporate infrastructure.”

To provide historical perspective, Mr. Snyder recalled the lack of enthusiasm that greeted Sarbanes-Oxley controls immediately following legislation mandating them in 2002.

“Internal control measurements over financial reporting systems were the focus of the Sarbanes-Oxley Act of 2002,” Mr. Snyder stated. “SOX was created to strengthen regulations for corporate governance, internal control assessment and enhanced financial disclosure, following the Enron, Tyco and WorldCom fiascos. Reluctance by many companies to implement Sarbanes-Oxley’s internal controls fully may now become evident in the form of weakened corporate systems platforms, possibly exposing the cracks in otherwise reliable financial reporting systems, information and security foundations.”

Employee Behavior Management: What Controls Need to Be Tightened:

Due to the historic reluctance of U.S. businesses to implement Sarbanes-Oxley, weaknesses can occur in the internal controls of any organization, necessitating some or all of the following actions:

— Fraud prevention and detection

— Strategies and safeguards to prevent employee misappropriation of Intellectual Property

— Documentation and systems implementation to deter misstatements

— IT Security for prevention of unauthorized access via internal or social engineering

— Loss prevention strategies to thwart financial malfeasance and asset


As a proactive response to thwart the possibility of greater risk within organizations, Bob Green, CPA.CITP, SingerLewak Enterprise Risk Management Services partner and Information Management expert, suggested corporate officers and executives begin by having an internal controls assessment and diagnostic performed.

“The first step is to evaluate the controls in place in order to reduce inappropriate employee behavior relating to the use of a company’s systems and resources,” said Mr. Green. “Limiting the possibility of theft and misuse of corporate intellectual property and other sensitive digital information by employees is essential. Our specialized Employee Behavior Management initiatives help both public and private companies mitigate risks posed by employees who may foster an ‘anything goes’ mentality during challenging economic times.”

As a professional courtesy to the business community, SingerLewak’s Enterprise Risk Management Services practice partners offer telephone briefings and seminars for executives interested in finding out more about mitigating Governance, Risk and Compliance Vulnerabilities for their organizations.

Getting the Right Tools Implemented:

Information about EBM services and how to tighten your Internal Controls and protect your business can be obtained by contacting Troy Snyder or Bob Green at 310-477-3924 or sending an e-mail to Members of the media are invited to contact Ronit Koren at (310) 948-6237 or

Accounting Firm SingerLewak Expects a Rise in Governance, Risk and Compliance Vulnerabilities in U.S. Corporations Following the Government’s $700 Billion Bailout Plan