Manage Tomorrow's Surprises Today

Steven Minsky

What's Changing in the Approach to IT GRC?

Increasing cyber-hazards have been accompanied by another trend: Governance, Risk Management, and Compliance focused on IT (referred to as IT GRC) is changing. More and more organizations are turning to a risk-based approach.

Traditionally, IT comprises a variety of underlying functions. These functions include:

  • IT Asset Management, commonly used to inventory servers, computers, and other technology hardware;
  • IT Risk Management, including vulnerability and threat identification and assessment;
  • IT Application Management, used to monitor updates, complete performance reviews, and maintain security; and
  • Compliance, which allows organizations to follow applicable standards, requirements, and risks related to IT.

What's wrong with IT GRC?

The problem with a "siloed" IT GRC approach, where each component receives an independent allocation of resources, is that it often causes a communication breakdown. When departments aren't fully in touch with one another, they risk ineffectiveness and redundancy.

For this reason, there has been a shift in the market. Organizations looking to increase both effectiveness and efficiency are beginning to see risk as the common denominator. Thinking about IT GRC through a "risk-based lens," a lens that ERM software provides, allows risk managers to adopt a uniform process with standardized language, requirements, and scales.

A risk-based approach to IT Governance, Risk, and Compliance allows organizations to prioritize across technology functions to determine areas in need of greater assurance. The reflex for most organizations in our current IT environment is to increase spending on monitoring tools, but that strategy has created more gaps than it's closed, and studies confirm that this inefficient method of allocating resources is losing the risk-reward tradeoff and dampening revenue.

Such an approach can help determine where to spend money effectively on IT security tools, and it cuts down on interdepartmental overlap by centralizing the monitoring and testing functions. Most components of IT GRC have common or related elements, meaning certain resources and information are relevant to more than one stakeholder. Fostering communication of that risk-related information enables a single IT governance and security process that is easier to monitor, costs less to maintain, and reduces liability due to human error.

To read more about the risk-based process, take a look at our "IT Risk Management" page or download the datasheet on LogicManager's risk-based IT GRC solution.

In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.