I.T. Governance and GRC

Is your staff's productivity being throttled by an IT network with recurring performance gaps?  Has the performance of your IT staff been inconsistent?  Are internally or externally created risks eating into your IT budget?  An IT network runs smoothly, and within governance, risk, and compliance policy, when company resources have been aligned to produce enterprise objectives, internal policies are followed, operational risk is kept within limits, and external laws and regulations are complied with.  Any small to mid-tier enterprise should treat an IT Governance program and a governance, risk and compliance (GRC) program as necessities for reaching mature network operations; mature operations run reliably, at low cost and at low risk.

IT Governance

IT Governance is the result of identifying operating objectives clearly, creating a high-level strategy to realize them, and aligning IT operations to that strategy.  Internal policies are created to govern how operational processes are carried out.  An enterprise with mature processes is more likely to realize its objectives effectively and on time.  Productivity is measured through a digital balanced scorecard and scheduled manual audits.  The five domains of ISACA's CGEIT job practice form an effective framework for governing enterprise IT: Framework of Governance, Strategic Management, Benefits Realization (supported by Value Delivery), Risk Management Optimization, and Resource Optimization (supported by Performance Management).


1. Framework of Governance.  The means by which the enterprise governs how IT serves it and adds value, often giving it a competitive advantage.

2. Strategic Management.  A strategy that governs how IT services are aligned with the operating needs of the business so that it realizes its objectives.

3. Benefits Realization (supported by Value Delivery).  Did the business get the benefits it expected from the investments made to reach its goals?  Performance measures are established, and progress is evaluated and reported to key stakeholders.  Value is delivered through how quickly IT responds to demands; an efficient and effective response can give the enterprise a competitive advantage in the markets it serves.

4. Risk Management Optimization.  IT risk management is aligned with the enterprise's overall risk management framework.  IT-related business risk is identified, analyzed, mitigated, monitored, and communicated so that governance of IT surfaces risk promptly and reduces it to the level the enterprise has defined as acceptable (its risk appetite).

5. Resource Optimization (supported by Performance Management).  Resources in production (e.g. hard assets, human resources, and finances) are managed to realize objectives.  A mature process raises productivity so that work is done effectively and efficiently at a low total cost of ownership.  Performance management is carried out through scheduled audits of a sample of the processes in production.


GRC (Governance, Risk Management, and Compliance).  Learn, Align, Perform, and Review (the four components of OCEG's GRC Capability Model) are carried out in a cycle to achieve principled performance.

Learn.  Examine and analyze the internal and external context, the culture, and the stakeholders to learn what the organization needs to know in order to establish and support its objectives and strategies.

Align.  Align performance, risk and compliance objectives with the organization's strategies and decision-making criteria.  Actions and controls are aligned with context, culture and stakeholder requirements.

Perform.  Apply resources to close the gaps identified in the Learn step.  Performance addresses threats, opportunities, and requirements by encouraging desired conduct and events through actions and controls (proactive, detective, and responsive).

Review.  Monitor and improve the design and operating effectiveness of all actions and controls in production, including their continued alignment with objectives and strategies.  A percentage of the resources in production is subjected to scheduled audits.


IT Governance and GRC are often established through time-boxed projects and then monitored regularly to keep them relevant.  GRC is carried out effectively, efficiently and on time through software, hosted on-prem or in the cloud depending on the number of assets to be scanned, their criticality to production, and the sensitivity of the data they hold.  GRC applications are typically subscribed to by module: policy, risk and compliance modules first, with enterprise and incident modules often added soon thereafter.

Thank you for giving this topic your time, attention and consideration; I trust there are takeaways for you to use.  If you're interested in conducting an IT Governance and/or GRC project for your enterprise, please click Request a Consultation at the base of this page, fill out "IT Governance or GRC" in the subject line, and include your email signature or that of the COO's executive assistant in the message body; I reply within 24 hours to arrange an exploratory conference call. ### (Post updated 03/17/2019 from 09/10/2018).
