Redirecting GRC Resource » Blog Archive » Kuppinger Cole GRC Reference Architecture

Kuppinger Cole GRC Reference Architecture

Posted by Nicolas on Oct 30, 2009

Kuppinger Cole, a German analyst company focusing primarily on identity management, has recently published a reference architecture for GRC. The report was composed by Prof. Dr. Sachar Paulus, who formerly held the position of SAP’s vice president of product security. Due to its strong  security / IDM background Kuppinger Cole promotes a rather technology-oriented view of GRC. They go as far as putting “security” on the same level as governance, risk management and compliance. Consequently the report claims that GRC should not cover financial risk; while the reference architecture proposed “allows to cover all [types of risks], typically the operational risks (and within them, the IT risks) will be at the center of GRC activities.”

The 14-page report breaks down GRC into four core phases: requirements modeling, status investigation, situation improvement activities and crisis & incident management. These four phases are the thread that is followed throughout the report, when the involved processes are described in more detail. The report is clearly written from a practicioner’s point of view, mainly building on his own experience while renouncing to deliver empirical evidence. It may be useful as a high-level guideline for holistic GRC, giving a lot of hints on what to consider in GRC projects. Notes on the organisational setup, the managerial view and GRC software round up an interesting report that comes at a cheap price.

“A GRC Reference Architecture” can be purchased from Kuppinger Cole at

Leave a Reply

You must be logged in to post a comment.