How to Simplify Your Governance, Risk Management and Compliance Process

By Pravin Kothari  |  Posted 2010-09-13

To comply with various standards and regulations, companies have traditionally adopted governance, risk management and compliance technologies in a commonly accepted maturity model. But here, Knowledge Center contributor Pravin Kothari challenges that traditional governance, risk management and compliance adoption maturity cycle and proposes a new model for governance, risk management and compliance technology adoption.

Governance, risk management and compliance (GRC) is a very broad discipline consisting of policies, compliance, enterprise risk, operational risk, governance and incidents. There is no such thing as a standard maturity model in terms of which specific function to start with and how to proceed after that.

While it is typical to see the majority of organizations starting with compliance automation, there are instances where organizations begin with risk, policy, incident or threat management. Although inconsistent, there seems to be a commonly accepted maturity model in terms of technology adoption, and its three steps go something like this:

Step No. 1: Start with process

People often say that GRC is all about process, so the design and implementation of processes should come first before even thinking about technology. This includes workflow and procedures, roles and responsibilities, and documentation requirements.

Step No. 2: Follow with process automation

Common wisdom says that once process has been implemented and the kinks have been worked out, then it's time to implement automation to make those exact processes run more efficiently. Technology people usually start with workflow, collaboration, documentation management and project management. This spurred the growth of first-generation GRC products which replaced spreadsheets and e-mail messages.

Step No. 3: Automate the control by integrating with your environment

Once manual processes have been streamlined and semiautomated, people eventually start to think about maximizing automation by integrating directly with existing applications and security infrastructure to automate data collection and control testing. This frees people from much of the repetitive work of data gathering, correlation and testing. This is GRC nirvana. This is where IT GRC technologies enable continuous compliance and real-time risk management.

This sounds like a straightforward and perfectly logical maturity model, so what's wrong with it? This model came about when very few GRC technologies were available. The model evolved as the technology evolved.

Pravin Kothari is founder and Chief Technology Officer at Agiliance. Pravin is responsible for product vision, product strategy and engineering at Agiliance. Pravin has over 20 years of success at bringing new products to market in information security, compliance, enterprise software, software as a service, and large-scale software infrastructure. Prior to founding Agiliance, Pravin was the founding vice president of engineering at ArcSight, where he led the product development for five years from inception to market dominance. Prior to ArcSight, Pravin was the founding chief architect at Impresse Corporation. Previously, Pravin held technical leadership positions at Verity, Attachmate, and Tata Consultancy Services. Pravin holds a Master's degree in Computer Science from the Indian Institute of Technology (IIT), Bombay. He is a Certified Information Systems Auditor (CISA), a Certified Information Systems Security Professional (CISSP) and Charter Member of TiE, a global organization dedicated to the advancement of entrepreneurship. He can be reached at
