As has been discussed recently elsewhere in the blogosphere (including here), the Burton Group has come down hard on the concept of GRC, going so far as to consider GRC an incorrect term and to refer to it as a “four letter word”.
The thrust of this discussion was basically that:
- GRC is not one concept, but rather three separate ones and that “Governance, Risk management, and Compliance” should all be treated separately.
- This market is maturing, but not yet mature.
Well, I agree with both points, but I don’t believe that this makes GRC a 4 letter word. If anything, I think it heightens the need for those in the IAM space to pay even more attention to this area.
GRC is, to coin a phrase, a meta-concept that defines the first level of Risk Management in the IT and related spaces, including IdM. It’s hard to imagine any enterprise-level application where these interlinking concepts are not critical to the application, the enterprise, and the organization as a whole.
Let’s face it, these concepts are all interrelated. In order to Manage Risk (the “central” part of GRC as defined above), one must have Governance, that is, rules that set down how and under what circumstances information is to be accessed. This could include software tools to establish enterprise IAM access roles and rules and determine SoD issues.
The other side of the equation, Compliance, refers to the ability to document and trace how Governance occurs. Whether this is through hard or soft copy records is immaterial; however, in the world we live in today, we know that tracking electronic records, whether they be directories, database logs, event logs or other means, is key to attaining this objective.
This brings me to the next point. GRC is a relatively new field when considered against directories, provisioning and other current trends in IAM. For anyone to assume that today’s GRC technologies are the final word is pure folly. As GRC continues to mature, as it must in a world of new and evolving standards, we will see GRC-related functionality roll up into all enterprise-level applications as both internal and external feature sets.
So rather than casting GRC in the corner and calling it names, I’m looking forward to observing and participating in its evolution in the IT and IAM space.