GRC Resource

Download the new Forrester Wave Report: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011

Posted by Manuel on Dec 19, 2011

The report evaluates the newest market trends and provides 13 vendor profiles. To get the report for free, follow the link and fill out the form: After submitting the form, you have instant access to the PDF.

Collected GRC publications available as book

Posted by Nicolas on Nov 30, 2011

The six first-author publications of Nicolas Racz are now available in consolidated form, including an extended introduction to GRC. The book can be purchased from Amazon [Buy from Amazon].

Gartner Magic Quadrant for Enterprise Governance, Risk, and Compliance Platforms

Posted by Manuel on Sep 9, 2011

Follow the link below, fill out the registration form with your data, and get the Gartner Magic Quadrant for Enterprise Governance, Risk, and Compliance Platforms for free. Find out what state the EGRC platform market is currently in and what the key trends are.

Link to the registration form for the Gartner Magic Quadrant for Enterprise Governance, Risk, and Compliance Platforms:

Research publication: Exploratory study on GRC IS value drivers

Posted by Manuel on Apr 30, 2011

Information technology (IT) has a tremendous impact on the discipline of accounting by introducing new ways of retrieving and processing information about performance deviations and control effectiveness. This paper explores the role of IT for managing organizational controls by analyzing value drivers for particular accounting information systems that commonly run under the label of Governance, Risk Management, and Compliance (GRC IS). We apply a grounded theory approach to structure the value drivers of GRC IS into a research framework. In order to understand the impact of IT, we relate the GRC IS value drivers to control theories. Practical implications include understanding GRC IS benefits beyond compliance and providing clear strategic reasoning for GRC IS depending on the individual company’s situation. Research implications include the fact that integrating IT into the context of accounting leaves several unsolved yet promising issues in theory which future research might address. This paper is the first to use the lens of organizational control theories on Governance, Risk Management, and Compliance information systems and establishes a potentially fruitful research agenda for GRC IS as a highly relevant topic for information systems research.

This research will be presented at ECIS 2011: Wiesche, M., Schermann, M., and Krcmar, H. 2011. “Exploring the Contribution of Information Technology to Governance, Risk, and Compliance (Grc) Initiatives,” in: 19th European Conference on Information Systems (ECIS). Helsinki, Finland. You can access the article here.

Research publication: GRC vendor survey presented at ACIS 2010

Posted by Nicolas on Dec 25, 2010

The Australasian Conference on Information Systems (ACIS), the primary conference in the region, featured a GRC track with several interesting contributions in 2010. We used the opportunity to present our latest research, carried out in collaboration with the University of Erlangen-Nuremberg. In a survey among 48 large enterprises we identified the status quo of GRC and GRC software. Implications for research were derived. You can download the presentation here.

Research publication: Questioning the need for separate IT risk management frameworks

Posted by Nicolas on Sep 30, 2010

On Tuesday we presented our latest research paper “Questioning the need for separate IT risk management frameworks” at the Informatik 2010 Conference in Leipzig, Germany. The paper challenges the use of IT risk management frameworks such as ISO/IEC 27005 and ISACA Risk IT that are to be employed in parallel to an organisation’s enterprise risk management activities. Instead we suggest enhancing ERM frameworks with IT specifics and using the resulting framework for IT risk. That way the organisation-wide use of synergies is more likely, and a common understanding of risk management activities is furthered.

In our study, a mapping of ISACA Risk IT processes to COSO ERM processes showed that the Risk IT framework does not add value; it does not treat IT specifics in a way that would surpass the contents of COSO ERM. The presentation can be downloaded from

Research publication: An integrated process model for IT GRC management

Posted by Nicolas on Aug 18, 2010

At the Ninth International Baltic Conference for Databases and Information Systems in Riga last month we presented our latest publication. ISO/IEC 38500, COSO ERM and a compliance process model were merged in a process model for integrated IT GRC management. The conceptual paper describes the selection of standards and best practices, their touching points, the two-fold relation of IT governance to IT risk management and IT compliance, and finally the integrated IT GRC management process model:

Process Model for Integrated IT GRC Management

The whole paper was published as:
Racz, N., Weippl, E. & Seufert, A. (2010): A process model for integrated IT governance, risk, and compliance management. In: J. Barzdins & M. Kirikova (eds.), Databases and Information Systems. Proceedings of the Ninth International Baltic Conference, Baltic DB&IS 2010, pp. 155-170.

Research publication: A frame of reference for research of integrated GRC

Posted by Nicolas on Jun 3, 2010

This week we presented the publication that is the foundation of the research carried out by GRC Resource at the 11th IFIP TC 6/TC 11 International Conference in Linz, Austria. The publication’s core is a single-phrase GRC definition derived from a literature review and validated with GRC professionals. The definition was translated into a frame of reference that can be applied by researchers when approaching GRC.

The definition reads as follows: “GRC is an integrated, holistic approach to organisation-wide governance, risk and compliance ensuring that an organisation acts ethically correct and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people, thereby improving efficiency and effectiveness.”

More on the definition and the frame of reference will soon be published on

The work was published in the conference proceedings:
Racz, N., Weippl, E. & Seufert, A. (2010): A frame of reference for research of integrated GRC. In: Bart De Decker, Ingrid Schaumüller-Bichl (Eds.), Communications and Multimedia Security, 11th IFIP TC 6/TC 11 International Conference, CMS 2010 Proceedings. Berlin: Springer, pp. 106-117.

Call for papers for GRC workshop

Posted by Nicolas on Mar 4, 2010

Finally the research community starts to consider the integrated approach to GRC. The Munich University of Technology organises the workshop “Risk Management, Compliance and Governance for resilient Information Systems” as part of the “Informatik 2010” conference next autumn. Papers can be handed in until April 25.

The purpose of the workshop is to introduce and discuss current research trends in the fields of IT risk management, IT compliance, and IT governance. Furthermore, it aims at identifying starting points for methods and tools needed for the development and operation of resilient information systems. The workshop addresses researchers and practitioners with academic interests in the fields of risk management, compliance, and governance.

More information can be found here:

Kuppinger Cole GRC Reference Architecture

Posted by Nicolas on Oct 30, 2009

Kuppinger Cole, a German analyst company focusing primarily on identity management, has recently published a reference architecture for GRC. The report was composed by Prof. Dr. Sachar Paulus, who formerly held the position of SAP’s vice president of product security. Due to its strong security/IDM background, Kuppinger Cole promotes a rather technology-oriented view of GRC. They go as far as putting “security” on the same level as governance, risk management and compliance. Consequently, the report claims that GRC should not cover financial risk: while the proposed reference architecture “allows to cover all [types of risks], typically the operational risks (and within them, the IT risks) will be at the center of GRC activities.”

The 14-page report breaks down GRC into four core phases: requirements modeling, status investigation, situation improvement activities, and crisis & incident management. These four phases are the thread followed throughout the report as the involved processes are described in more detail. The report is clearly written from a practitioner’s point of view, building mainly on the author’s own experience while refraining from delivering empirical evidence. It may be useful as a high-level guideline for holistic GRC, giving many hints on what to consider in GRC projects. Notes on the organisational setup, the managerial view and GRC software round off an interesting report that comes at a low price.

“A GRC Reference Architecture” can be purchased from Kuppinger Cole at