GRC
GRC: Governance, risk management and compliance. An increasingly used umbrella term that covers these three areas of enterprise activity. These areas are progressively being aligned and integrated more closely to improve enterprise performance and the delivery of stakeholder needs.
GRC Definitions
GRC:
- Governance: exercise of authority; control; government; arrangement.
- Risk (management): hazard; danger; peril; exposure to loss, injury, or destruction. (Management: the act or art of managing; the manner of treating, directing, carrying on, or using, for a purpose; conduct; administration; guidance; control.)
Types of Governance
Different types of governance exist:
- Corporate governance
- Project governance
- Information technology governance
- Environmental governance
- Economic and financial governance
of guidance, each with similar goals but often varying terms and techniques for their achievement.
Implementing Governance
The integration of the implementation of the GRC activities within an enterprise requires a systemic approach for reliably achieving the business goals of its stakeholders. Such approaches are typically based on enablers of various types (e.g., principles, policies, models, frameworks,
Corporate Governance of IT
ISO/IEC 38500:2008
Corporate governance of information technology
1.1 Scope
This standard provides guiding principles for directors of organizations (including owners, board members, directors, partners, senior executives, or similar) on the effective, efficient, and acceptable use of Information Technology (IT) within their organizations. This standard applies to the governance of management processes (and decisions) relating to the information and communication services used by an organization. These processes could be controlled by IT specialists within the organization, by external service providers, or by business units within the organization.
Corporate Governance of IT
ISO/IEC 38500:2008
(cont.)
that results in the development of products both relevant and useful to IT governance, risk, control, assurance and security professionals. ISACA developed and maintains the internationally recognised COBIT framework, helping IT professionals and enterprise leaders fulfil their IT governance responsibilities while delivering value to the business.
[Figure: timeline of the evolution of COBIT's scope, from Audit (COBIT1, 1996) through COBIT2 (1998), COBIT3 (2000), COBIT4.0/4.1 (2005/7) and Risk IT (2009) to 2012]
COBIT 5 in Overview
COBIT 5 brings together the five principles that allow the enterprise to build an effective governance and management framework based on a holistic set of seven enablers that optimises information and technology investment and use for the benefit of stakeholders.
create optimal value from IT by maintaining a balance between realising benefits and optimising risk levels and resource use. COBIT 5 enables information and related technology to be governed and managed in a holistic manner for the whole enterprise, taking in the full end-to-end business and functional areas of responsibility, considering the IT-related interests of internal and external stakeholders. The COBIT 5 principles and enablers are generic and useful for enterprises of all
COBIT 5 Principles
are achieved by evaluating stakeholder needs, conditions and options; setting direction through prioritisation and decision making; and monitoring performance, compliance and progress against agreed direction and objectives (EDM). Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM). Exercising governance and management effectively in practice requires appropriately using all enablers. The COBIT process reference
Governance in COBIT 5
The COBIT 5 process reference model subdivides the IT-related practices and activities of the enterprise into two main areas, governance and management, with management further divided into domains of processes. The GOVERNANCE domain contains five governance processes; within each process, evaluate, direct and monitor (EDM) practices are defined:
- EDM01 Ensure governance framework setting and maintenance.
- EDM02 Ensure benefits delivery.
- EDM03 Ensure risk optimisation.
- EDM04 Ensure resource optimisation.
- EDM05 Ensure stakeholder transparency.
Governance in COBIT 5
(cont.)
Source: COBIT 5: Enabling Processes, page 108. © 2012 ISACA. All rights reserved.
Compliance in COBIT 5
The MANAGEMENT Monitor, Evaluate and Assess domain contains a compliance-focused process: MEA03 Monitor, evaluate and assess compliance with external requirements.
Process Description: Evaluate that IT processes and IT-supported business processes are compliant with laws, regulations and contractual requirements. Obtain assurance that the requirements have been identified and complied with, and integrate IT compliance with overall enterprise compliance.
Process Purpose Statement: Ensure that the enterprise is compliant with all applicable external requirements.
Source: COBIT 5: Enabling Processes, page 213. © 2012 ISACA. All rights reserved.
Summary
The COBIT 5 framework includes the necessary guidance to support enterprise GRC objectives and supporting activities:
- Governance: activities related to GEIT (5 processes)
- Risk management: process and supporting guidance for risk management across the GEIT space
- Compliance: a specific focus on compliance activities within the framework and how they fit within the complete enterprise picture
Inclusion of GRC arrangements within the business framework for GEIT helps enterprises to avoid the main issue with GRC arrangements