Governance, risk management and compliance (GRC) is a very broad discipline consisting of policies, compliance, enterprise risk, operational risk, governance and incidents. There is no such thing as a standard maturity model in terms of which specific function to start with and how to proceed after that.
While it is typical to see the majority of organizations starting with compliance automation, there are instances where organizations begin with risk, policy, incident or threat management. Although inconsistent, there seems to be a commonly accepted maturity model in terms of technology adoption, and its three steps go something like this:
Step No. 1: Start with process
People often say that GRC is all about process, so the design and implementation of processes should come first before even thinking about technology. This includes workflow and procedures, roles and responsibilities, and documentation requirements.
Step No. 2: Follow with process automation
Common wisdom says that once process has been implemented and the kinks have been worked out, then it's time to implement automation to make those exact processes run more efficiently. Technology people usually start with workflow, collaboration, documentation management and project management. This spurred the growth of first-generation GRC products which replaced spreadsheets and e-mail messages.
Step No. 3: Automate the control by integrating with your environment
Once manual processes have been streamlined and semiautomated, people eventually start to think about maximizing automation by integrating directly with existing applications and security infrastructure to automate data collection and testing of controls. This sets people free from much of the repetitive tasks of data gathering, correlation and testing. This is GRC nirvana. This is where IT GRC technologies enable continuous compliance and real-time risk management.
This sounds like a straightforward and perfectly logical maturity model-so what's wrong with it? This model came about when there were very little GRC technologies available. The model evolved as the technology evolved.