GRC isn’t dead

31.07.2008 by Martin Kuppinger

Today I’ve seen a blog entry which claimed that GRC is dead. That reminded me about the closing keynote of our European Identity Conference 2009 where I had a discussion with Paul Heiden of BHOLD Company about GRC. Paul claimed that GRC is just dealing with FUD (fear, uncertainty, doubt) and that there is no real business value in this.

So – is the market for GRC solutions (Governance, Risk Management, Compliance) dead before it really blossomed?

Yes, if GRC is limited to auditing, with focus on some dashboards and some information extraction for auditors.

No, if GRC is understood as something which goes well beyond this and isn’t limited to a narrow one-way-road. And that is how we understand the GRC market and how we have defined this market segment in our GRC Market Report 2008.

There are some real value propositions for GRC solutions, beyond “avoiding penalties” as the classical negative inhibitor:

  • On the lowest level, one standardized approach to GRC issues tends to be more efficient than many point solutions.
  • Much more important is the ability to not only audit but control – Enterprise Authorization Management (or Entitlement Management) is one of the key elements of GRC solutions, providing business control for the access to IT resources.
  • This is, by the way, much more efficient than the granular, isolated management of access controls on lower levels. A relatively small number of business roles and rules usually covers a significant part of all access controls on lower levels in the infrastructure, down to the system level. These lower level controls can be derived, with some added exceptions.
  • The probably most important aspect is that GRC done right enables a more efficient management, focused on exceptions. Defining and measuring risks provides this ability.

From our view, GRC has to be understood as an initiative which is at the core of Business-IT alignment. GRC has the potential to fulfill these (today in most cases unfulfilled) promises of building a link between business and IT.


Key Risk Indicators between Business and IT

29.04.2008 by Martin Kuppinger

Key Risk Indicators (KRIs) are metrics for Risk. Most of the metrics discussed today focus on either pure business aspects or, with IT and Identity Risk Management, on technical aspects. How long does it take to provision accounts in different systems? How many orphaned accounts do you have in different directories? …

But: There is another layer of KRIs which has to be monitored. For example: How long does it take until an organizational change is known to the provisioning system? The provisioning process might be extremely fast – if it isn’t started, it is still far too slow.

Thus, I propose to define four layers of KRIs:

  • Business KRIs
  • Business-IT KRIs which measure the interaction of Business and IT
  • High level IT KRIs like the orphaned accounts or the performance of provisioning processes
  • System level IT KRIs for specific aspects of the single systems

That maps perfectly to my three layer view of Identity Management, with the GRC layer (Business to IT), the provisioning layer (High level IT), and the system level. KRIs on different levels can be combined for a complete view on risks. That is inevitable because, as mentioned above, there might be a low risk on one level while the overall risk might still be high.
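To make the layering concrete, here is an added example (not from the original post) that computes three of the four KRI layers from constructed HR, provisioning and directory data: a system level KRI (orphaned accounts per system), a high level IT KRI (provisioning duration) and a Business-IT KRI (time from an HR change taking effect until the provisioning system receives the request). All data, function names and field layouts are assumptions made for the illustration. The combined end-to-end figure shows the point made above: provisioning itself completes in minutes, yet the overall latency is days, and one change never starts at all.

```python
"""Layered Key Risk Indicators from constructed HR, provisioning and directory
data. Added example; the sample data and function names are assumptions, not
taken from the post."""
from datetime import datetime
from statistics import median

ISO = "%Y-%m-%dT%H:%M:%S"


def parse(ts):
    return datetime.strptime(ts, ISO)


# Constructed sample data: HR events on the business side
# (employee id, event type, time the change takes effect)
HR_EVENTS = [
    ("e1001", "hire", "2008-04-01T09:00:00"),
    ("e1002", "leave", "2008-04-02T09:00:00"),
    ("e1003", "transfer", "2008-04-03T09:00:00"),
]

# Constructed provisioning log on the IT side
# (employee id, request received by provisioning, account change completed)
PROVISIONING_LOG = [
    ("e1001", "2008-04-03T10:00:00", "2008-04-03T10:05:00"),
    ("e1002", "2008-04-05T08:00:00", "2008-04-05T08:02:00"),
    # no entry for e1003: the transfer never reached provisioning
]

# Constructed: employees HR still lists as active, and accounts per system
HR_ACTIVE = {"e1001", "e1003"}
DIRECTORIES = {
    "ad": {"e1001", "e1002", "e1003", "e0999"},
    "sap": {"e1001", "e0999", "e0998"},
}


def minutes_between(start, end):
    return (parse(end) - parse(start)).total_seconds() / 60


def system_kri_orphans(directories, hr_active):
    """System level KRI: accounts in each system with no active HR record."""
    return {name: sorted(accts - hr_active) for name, accts in directories.items()}


def it_kri_provisioning_minutes(log):
    """High level IT KRI: median and maximum request-to-completion time."""
    durations = [minutes_between(req, done) for _, req, done in log]
    return {"median_min": median(durations), "max_min": max(durations)}


def business_it_kri_change_lag_minutes(hr_events, log):
    """Business-IT KRI: minutes from an HR change taking effect until the
    provisioning system receives the request; None if it never arrives."""
    received = {emp: req for emp, req, _ in log}
    return {
        emp: None if emp not in received else minutes_between(effective, received[emp])
        for emp, _event, effective in hr_events
    }


def end_to_end_minutes(hr_events, log):
    """Combined view across layers: HR change to completed provisioning."""
    done = {emp: d for emp, _, d in log}
    return {
        emp: None if emp not in done else minutes_between(effective, done[emp])
        for emp, _event, effective in hr_events
    }


def kri_report(hr_events, log, directories, hr_active):
    """Assemble the layered KRIs into one report; unstarted changes are
    listed separately because they are invisible to the IT-only metrics."""
    lag = business_it_kri_change_lag_minutes(hr_events, log)
    return {
        "system": system_kri_orphans(directories, hr_active),
        "it": it_kri_provisioning_minutes(log),
        "business_it": lag,
        "never_started": sorted(e for e, m in lag.items() if m is None),
        "end_to_end": end_to_end_minutes(hr_events, log),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(kri_report(HR_EVENTS, PROVISIONING_LOG, DIRECTORIES, HR_ACTIVE), indent=2))
```

On the constructed data the IT KRI alone looks excellent (at most five minutes per request), while the Business-IT KRI shows two to three days of lag and one change that never arrived; only the combined report exposes the real risk.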

In general, using KRIs is an interesting approach not only to know about risks but to measure and improve your organization – and not only IT.



© 2012 Martin Kuppinger, KuppingerCole