The six first-author publications of Nicolas Racz are now available in consolidated form, including an extended introduction to GRC. The book can be purchased from Amazon.
The Australasian Conference on Information Systems (ACIS), the primary conference in the region, featured a GRC track with several interesting contributions in 2010. We used the opportunity to present our latest research, carried out in collaboration with the University of Erlangen-Nuremberg. In a survey among 48 large enterprises we identified the status quo of GRC and GRC software, and derived implications for research. You can download the presentation here.
Kuppinger Cole, a German analyst company focusing primarily on identity management, has recently published a reference architecture for GRC. The report was written by Prof. Dr. Sachar Paulus, formerly SAP's vice president of product security. Due to its strong security / IDM background, Kuppinger Cole promotes a rather technology-oriented view of GRC, going as far as putting "security" on the same level as governance, risk management and compliance. Consequently the report argues that GRC should not cover financial risk; while the proposed reference architecture "allows to cover all [types of risks], typically the operational risks (and within them, the IT risks) will be at the center of GRC activities."
The 14-page report breaks GRC down into four core phases: requirements modeling, status investigation, situation improvement activities, and crisis & incident management. These four phases are the thread followed throughout the report as the processes involved are described in more detail. The report is clearly written from a practitioner's point of view, building mainly on the author's own experience without offering empirical evidence. It may be useful as a high-level guideline for holistic GRC, giving many hints on what to consider in GRC projects. Notes on the organisational setup, the managerial view and GRC software round off an interesting report that comes at a low price.
“A GRC Reference Architecture” can be purchased from Kuppinger Cole at http://www.kuppingercole.com/report/sp_overview_repo_grc_arch_051009.
Next in our weekly publication of answers to a recent survey is the global business consulting and internal audit firm Protiviti. Read about their perspective on GRC and their product portfolio.
The recently published "Forrester Wave: Enterprise Governance, Risk, and Compliance Platforms, Q3 2009" has led to interesting discussions in the GRC community, following a severe critique of Forrester's methodology by Michael Rasmussen. The analyst, who originally developed and wrote the Wave report himself, calls the "wave" a "ripple" and sharply attacks his former employer. Form your own opinion by reading the blog post and the reactions it caused.
MetricStream is the second vendor presented in our weekly survey answer series.
Over the past few months we conducted a small vendor survey to find out more about software companies' understanding of GRC, their products and future developments. From now on we are going to publish the answers of a new company each week. You can find them in the GRC Technology / Software Vendors category. The first vendor presented is CA.
CA’s Christopher Fox explains why investments in GRC pay off even in times of a recession.
Check out Michael Rasmussen's new blog entry on the largest GRC software vendor. He shares some interesting facts on GRC market size and definition and comes up with an answer that might surprise you.
Aberdeen Group's Stephen Walker recently moderated a podcast featuring prominent participants from three major IT-GRC vendors: Chris Fox (Senior Principal of GRC at CA), John DiMaria (Director of Professional Services at eFortresses) and Roland Mosimann (CEO of Aline) discussed best practices in enterprise IT-GRC. You can listen to the podcast after free registration at ITGRCForum.com or download the transcript directly from GRC Resource. ITGRCForum.com also offers the opportunity to put questions to the participants of the panel discussion.