Vendors must be more clear, concise and realistic about IT GRC solutions
BOULDER, Colo., June 19, 2008 – Enterprise Management Associates (EMA) has released a new EMA Advisory Note, IT GRC – Real or Not?, that helps clarify recent buzz, mounting frustration and rampant confusion that threatens to undermine the growing need to manage IT risk at a strategic level. Based on findings from his recent research into real-world IT governance, risk management and compliance, EMA research director Scott Crawford describes how a new wave of contrarian naysayers is now challenging GRC itself, and IT GRC in particular.
“As compliance mandates continue to proliferate with no end in sight and IT risks and threats continue to flourish, the terms GRC and IT GRC have prospered. The result is that these terms have now reached their maximum buzz level,” says Crawford. “With hype at an all-time high, we’re now seeing the inevitable backlash arising from the abuse of these well-meaning concepts.”
Primarily, the new EMA Advisory Note illustrates how IT governance and the management of risk and compliance in and by IT is, in fact, not a tool or technology alone. When EMA asked real-world practitioners to offer their definition of IT GRC, their answers often centered on “people and process” more than anything else. “Turning process into a strategic asset” was one of the most arresting definitions offered. In other words, IT GRC as understood by practicing professionals resembles effective IT Service Management (ITSM) in support of proactive risk control.
For those vendors who have placed their bets on calling their technology “GRC management” or “IT GRC management,” the GRC backlash means a showdown. “These must become clearer – and more realistic – about the value they deliver, and what it is they actually do,” says Crawford.
In most cases, Crawford and his team see “compliance automation” as the outcome. He says seeing tools in this light makes them more recognizable as part of a larger trend toward IT process automation. However, in order to maintain relevance, these tools must now clearly articulate their value and adapt to changing perceptions, or face the reality that an acronym does not necessarily make a market.
Does the GRC backlash mean that GRC or IT GRC are going away? “Not at all,” says Crawford. “At least not the realities of governance, risk management or compliance, corporately as well as in IT. These trends would not have emerged at all had the business itself been more proactive in managing a wide range of risks – still a major concern in a declining economy, where some businesses may increase their risk appetite even more just to survive.”
What seems likely is that vendors leveraging the buzz of GRC will be forced to clarify exactly what they deliver. The role of established technologies and processes will be called out – as EMA research shows – with emerging technologies either fading from prominence or becoming better defined as they mature. In the meantime, a progression that began some years ago seems likely to continue: compliance became what security was; risk management became what compliance was. “In the last year, GRC became all of these to some extent. ‘Compliance automation’ may well be next,” says Crawford.
About Enterprise Management Associates
Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst and consulting firm dedicated to the IT management market. The firm provides IT vendors and enterprise IT professionals with objective insight into the real-world business value of long-established and emerging technologies, ranging from security, storage and IT Service Management (ITSM) to the Configuration Management Database (CMDB), virtualization and service-oriented architecture (SOA). Even with its rapid growth, EMA has never lost sight of the client, and continues to offer personalized support and convenient access to its analysts. For more information on the firm’s extensive library of IT management research, free online IT Management Solutions Center and IT consulting offerings, visit www.enterprisemanagement.com.