New research from Enterprise Management Associates (EMA) shows that IT governance, risk and compliance (IT GRC) management is increasingly linked to the overall governance of an organization. The study, led by Scott Crawford, EMA research director, looked at the challenges facing IT GRC, the factors that contribute to successful IT GRC deployments and the critical role that IT service management best practices play in IT GRC success.
"There are continued examples, led by the Societe Generale scandal, that illustrate how a lack of IT governance and risk programs can lead to a lack of overall business controls that ultimately results in near-catastrophic outcomes," said Crawford. "IT GRC has become a very loaded term, with incredibly high expectations. Yet, in many cases, it is still loosely defined let alone well understood. This limits the ability of senior management to support IT GRC initiatives, resulting in greater exposure to risk and hampering the ability of IT to deliver tangible business value."
The survey, completed by 224 IT and non-IT professionals, calls attention to major issues associated with IT GRC management within organizations.
According to the study findings, 13 percent of those polled said their organization does not even have a strategy in place to assure the confidentiality of sensitive information. In addition, 29 percent of all respondents indicated that the board of directors and senior executives do not properly support IT GRC initiatives.
The study also highlights the high value of adopting IT Service Management best practices such as the IT Infrastructure Library (ITIL), which was embraced by 55 percent of all respondents. When EMA divided individuals who took the survey into three groups based on the level of maturity of their IT GRC management, those in the ‘high performer’ category consistently showed greater maturity in domains of IT Service Management directly related to IT GRC priorities, as well as more positive outcomes in multiple aspects of IT risk control.
"Our findings show that those who performed best in meeting the many challenges of IT GRC were those who most recognized the need for best practices in IT Service Management, such as configuration control, event and incident response and sensitivity to business priorities," said Crawford.
Not surprisingly, high performers had more positive outcomes overall and reported fewer disruptive security events than the medium and low performers: 64 percent of the high performers indicated that, in the past year, fewer than 10 percent of security incidents resulted in disruptions to IT performance, availability or resource integrity. In addition, high performers had more positive outcomes when it came to the success of IT projects, IT change success and percentages of unplanned work.
When looking at the overall success of IT GRC implementations, high performers cited the following factors:
Configuration management:
- Ninety-four percent of high performers define configuration control processes, ensure that defined processes are followed and enforce consequences for deviations.
- Ninety-one percent of high performers monitor the IT environment for changes and use monitoring information to enforce change control.
- High performers also showed higher maturity than medium or low performers in the adoption of best practices in configuration-related IT management, such as the Configuration Management Database (CMDB).
Access Monitoring and Business Risk Control:
- The majority of high performers (77 percent) monitor the internal IT environment for anomalous behavior or other indications of potential security risks before a suspicion exists.
- Seventy-seven percent of high performers monitor IT access and use for indications of fraud and other business risks before a suspicion exists.
Other areas in which high performers show greater maturity in IT GRC include:
- Security management
- Event management and incident response
- Business continuity planning and management
- Realism in defining risk management processes, with increasing interest in detailed visibility into activity in IT
The new EMA Research Report ‘IT Governance, Risk and Compliance Management in the Real World’ is available now. To purchase the full report, contact EMA at 303.543.9500 or sales@enterprisemanagement.com

Date: 29th May 2008 • Region: US/World • Type: Article • Topic: Operational risk