Date posted: 18-Dec-2014 | Category: Technology | Uploaded by: davidblogger
A GRC Guide to Organizations
Today, the largest share of respondents (32%) believe risk management is the most important element within their organization's GRC program. When asked to forecast priorities three years into the future, 33% of respondents say risk management will be most important. Compliance declines slightly, from 27% to 24% of respondents who say it will be most important, while governance and privacy increase slightly over three years. (Responses required the allocation of 100 points.)
[Figure: Most important element of the GRC program, today vs. three years from now (projection): Risk management 32% / 33%; Compliance 27% / 24%; Governance 22% / 23%; Privacy & data protection 21% / 20%]
How much of your organization's GRC activities fall into each one of four GRC domains?
Where did your organization's GRC program or initiatives start?
IT represents the largest area of GRC-related activities and is where the majority of respondents say their GRC program started.
GRC activities are primarily contained within the IT function, say 44% of respondents, followed by 20% in operations, 19% in finance and 17% in legal.
[Figure: Share of GRC activities by function: IT function 44%, Operations 20%, Finance 19%, Legal 17%]
An overwhelming majority of respondents (63%) say their organization's GRC activities started within the IT function. Only 13% say GRC started in legal or finance, and 12% say it started in operations.

On the importance of privacy within the four GRC domains, 76% of respondents say privacy is a very important part of IT GRC activities and 71% say it is very important to legal GRC.
[Figure: Where the GRC program or initiatives started: IT function 63%, Finance 13%, Legal 13%, Operations 12%]
[Figure: Importance of privacy-related issues for each GRC domain: IT GRC, Legal GRC, Operations GRC, Finance GRC (percentage of respondents, 0-100%)]
What best describes the working relationships among finance, IT, operations and legal GRC functions in your organization today?
The top two barriers to achieve your organization’s GRC-related goals
Activities believed to be essential in order to meet GRC objectives or goals
Are GRC activities centralized or decentralized?
Technology is very important for GRC-related activities
28% of respondents say there is frequent collaboration or cooperation among GRC areas, and 56% say they sometimes collaborate. Finally, as an indication that silos are breaking down, only 12% of respondents say they operate in silos with little or no collaboration.
[Figure: Working relationships among finance, IT, operations and legal GRC functions: Some collaboration 56%, Frequent collaboration 28%, Operate in silos 12%; Full integration and one further category account for the remaining 3% and 1%]
Overall, an organization's lack of resources (52%) and its lack of cooperation and collaboration (44%) are the two most salient barriers to successfully achieving GRC-related goals. The complexity of existing technologies (31%) and the lack of clear leadership (20%) are the third and fourth most salient barriers to success, according to respondents.
Assessing risk (83%), monitoring compliance (63%) and developing strategies (61%) are considered the most essential activities in order to meet GRC objectives or goals. GRC-related activities considered less essential include advising the organization's management (40%), responding to incidents (42%) and training or raising awareness (43%).
GRC activities are more likely to be centralized than decentralized. Activities relating to governance and privacy tend to be more centralized, while activities relating to compliance and risk management tend to be decentralized. (Responses were measured on a five-point scale, with 1+2 = centralized and 4+5 = decentralized.)
The primary technology solutions used to support GRC-related activities are risk assessment (81%), policy management (75%) and controls assessment (73%).
[Figure: Top two barriers to achieving the organization's GRC-related goals: Lack of resources, Lack of cooperation and collaboration, Organizational change, Lack of clear leadership, Inability to set priorities, Difficulty in hiring skilled personnel, Inability to get started (inertia), Lack of organizational maturity, Complexity of the program, Lack of C-level support, Inadequacy of existing technologies, Complexity of existing technologies]
[Figure: Activities believed to be essential to meet GRC objectives or goals: Assessing risk, Monitoring compliance, Developing strategies, Reporting to senior management, Creating and implementing policies, Analyzing regulations, Administering the program, Training and awareness, Responding to incidents, Advising the organization]
[Figure: Centralized vs. decentralized GRC activities by domain (Governance, Risk management, Compliance, Privacy), with responses grouped as Centralized, Combination or Decentralized]
Technology solutions used to support GRC-related activities (percentage of respondents):
Risk assessment 81%
Policy management 75%
Controls assessment 73%
Incident response & management 68%
Compliance monitoring 63%
Training & awareness 53%
Records management (archive) 42%
Document management 42%
Regulatory monitoring 41%
E-Discovery 35%
Data inventory 29%
Business process mapping 25%
Business process analysis 20%
Data mapping 16%
www.care-web.co.uk