Conference PaperPDF Available

A Frame of Reference for Research of Integrated Governance, Risk and Compliance (GRC)


Abstract and Figures

Governance, Risk and Compliance (GRC) is an emerging topic in the business and information technology world. However to this day the concept behind the acronym has neither been adequately researched, nor is there a common understanding among professionals. The research at hand provides a frame of reference for research of integrated GRC that was derived from the first scientifically grounded definition of the term. By means of a literature review the authors merge observations, an analysis of existing definitions and results from prior surveys in the derivation of a single-phrase definition. The definition is evaluated and improved through a survey among GRC professionals. Finally a frame of reference for GRC research is constructed.
Content may be subject to copyright.
A Frame of Reference for Research of Integrated
Governance, Risk & Compliance (GRC)
Nicolas Racz1, Edgar Weippl1, Andreas Seufert2
1 TU Vienna, Institute for Software Technology and Interactive Systems, Favoritenstr. 9-11,
1040 Vienna, Austria
{racz, eweippl}
2 Steinbeis Hochschule Berlin, Institut für Business Intelligence, Gürtelstr. 29A/30,
10247 Berlin, Germany
Abstract. Governance, Risk and Compliance (GRC) is an emerging topic in the
business and information technology world. However to this day the concept
behind the acronym has neither been adequately researched, nor is there a
common understanding among professionals. The research at hand provides a
frame of reference for research of integrated GRC that was derived from the
first scientifically grounded definition of the term. By means of a literature
review the authors merge observations, an analysis of existing definitions and
results from prior surveys in the derivation of a single-phrase definition. The
definition is evaluated and improved through a survey among GRC
professionals. Finally a frame of reference for GRC research is constructed.
Keywords: governance, risk, compliance, GRC, integrated, definition
1 Introduction and motivation
The acronym “GRC” (governance, risk and compliance) has rapidly penetrated the
business community over the last years. It has made its way into software labels,
marketing slides and department names in global enterprises. In the early days of
GRC, PricewaterhouseCoopers [1] noted: “In itself GRC is not new. As individual
issues, governance, risk management and compliance have always been fundamental
concerns of business and its leaders. What is new is an emerging perception of GRC
as an integrated set of concepts that, when applied holistically within an organisation,
can add significant value and provide competitive advantage.” In the authors‟ opinion
this emerging perception contrary to the acronym itself is not well-established. In
business as well as in research the awareness of the concept of integrated GRC is
rather low. People are struggling to describe the idea behind the term. “Definitions of
GRC are as varied as they are fluid” [2] to a degree that it was even recommended to
avoid definitional debates [3]. This is partly owed to the lack of a scientifically
grounded definition; instead software vendors and consultants publish definitions that
suit their products and services. We could throw GRC into the corner of buzzing
acronyms if market reports and surveys were not attributing a growing importance of
GRC in the future [4] and an already strong impact today. In 2008 about 40 billion
US-dollars were spent on services, technology and content related to GRC [5]. The
business network LinkedIn lists close to 4,000 GRC professionals. Do they really
work in a blurred, intangible domain? Researchers and professionals in IS security
view GRC as a means to draw the attention of management to information security
and to make its benefits understandable and tangible for business people.
This research was carried out in order to develop a frame of reference that supports
GRC research in general and the creation of reference models for integrated GRC
according to the process model for an empirically grounded reference model
construction [6] in specific. The frame construction goes hand in hand with the
development of a single-phrase definition of GRC. Both items may be used as a
starting point by researchers when approaching the topic in a structured, scientific
manner. Our paper will help to shed light on what we talk about when we talk about
GRC. After all we do not forever want to treat GRC “like a large black box: a
mysterious container full of improved processes and software for automation” [7].
2 Research methodology
The methodology applied to carry out this research consists of four stages.
Fig. 1. Research methodology
The first stage is a review of GRC publications following the classifications of
Fettke [8] for reviews in business informatics. Its properties are as follows:
Fig. 2: Publication review properties (based on Fettke 2006)
Immediately striking a reader of GRC-related publications is the massive number
of topics mentioned. Numerous methodologies such as business rules management,
business process management, or enterprise content management are as present as
processes such as auditing, planning and control. Seen as separate topics, corporate
governance, risk management and compliance alone are vast areas impossible to
grasp in a single literature review. Since we wanted to identify the meaning of GRC
as a whole and not that of its fragments alone, we restricted the review to publications
that explicitly mention all three topics as in “governance, risk (management) and
compliance” or “GRC”.
Publications were found using the search engines of WISO, EBSCO, ACM, IEEE
Xplore, SpringerLink, Emerald, Google, the Vienna University of Technology‟s and
Ludwigshafen University of Applied Sciences libraries, and through manual
browsing on relevant websites. From the findings only those results were chosen that
fulfilled the three criteria of sufficient length, sufficient degree of product-
independent information and text-based format. Eventually 107 sources published
between 2004 and 2009 made it to the final list. They were analysed using
mathematical-statistical and natural-language methods. The exact methodology
applied is case-specific for each observation. It is therefore presented later in this
document together with the respective observations.
In a second stage the observations, the analysis of existing definitions and the
results of two related surveys were used in the derivation of a single-phrase working
definition of integrated GRC.
In a third stage an anonymous online survey was conducted to evaluate and
improve the working definition. We posted the survey in GRC expert groups of the
business networks XING and LinkedIn. Eventually 131 GRC professionals took part.
They responded to four questions: (i) a rating of the definition on a scale from 10
(best) to 1 (worst) with the option to refuse a ranking if they felt that a single-phrase
definition of GRC generally would not make sense; (ii) an optional free text comment
to provide feedback; (iii) the type of organisation the respondent is working for and
(iv) the respondent‟s GRC focus.
The participants constitute a cross-section of GRC professionals. 42% work in
GRC consulting, 18% for GRC software vendors, 16% focus on GRC in their own
organisation, 11% are auditors and 5% each work for research institutions or as
freelancers. 4% work for other types of organisations. Participants‟ primary interests
in GRC are GRC processes without technology focus (29%) followed by GRC
technology (26%), compliance (19%), risk management (18%), and corporate
governance (4%). The remaining 5% do not primarily focus on any of these topics.
The fourth stage of the research project is the construction of a frame of reference
for research of integrated GRC based on the short-definition. Following the process
model for empirically grounded reference model construction [6], the frame is a
condensed high-level abstraction of a future reference model, created to support
navigation within the problem domain of GRC. As proposed by Schlagheck [9] the
frame of reference is developed early in parallel with the problem definition helping
to scope GRC modelling and other research projects, to identify single model
elements and to guarantee completeness.
3 Literature review results
The results of the literature review key observations, the analysis of definitions
and prior surveys will be described in the following.
3.1 Literature review key observations
O1: There is basically no scientific research on GRC as an integrated concept.
While lots of research exists on the “G”, the “R”, and the “C” as separate topics, the
potential integration moves under the radar of scientific research. Of the 107 sources
identified a mere two deserve the label “research paper” [10, 11]. Both publications
only provide short definitions of governance, risk management and compliance
separately. O1 demonstrates the lack of research participation in GRC.
O2: Software vendors, analysts and consultancies are the main GRC publishers.
We categorised our sources by authorship, distinguishing software vendors, analysts,
consultancies, scientific research personnel and independent experts. Co-authorship
was applied in four cases. For interviews only the role of the interviewee was
considered. The review shows that GRC software vendors are the most active group
providing GRC publications (40), closely followed by analysts (34) and consultancies
(31). Together these three parties participated in 94% of the selected GRC
publications. GRC is obviously dominated and driven by the business community.
O3: Software technology is the prevailing primary topic. When publications are
dominated by software vendors followed by consultancies that help implementing
technologies, it is not surprising that software technology is the prevailing topic in
these works. 57 publications (53%) primarily treat technology. This finding
underlines the importance of technology as an enabler of GRC.
O4: Regulatory compliance is the main driver of GRC, challenged by risk
management. We listed all reasons explicitly named as GRC drivers in publications.
43 out of 107 publications do not mention any GRC drivers. Of the remaining 64, 25
(39%) consider the increasing number of regulations to drive GRC. 18 (28%) name
increased risk, 10 (16%) the potential for cost reductions, 8 (12,5%) mention the
increased complexity of business due to market dynamics, globalisation and other
factors. According to a study of AMR Research, risk management is about to surpass
compliance as top GRC priority. “No longer just a U.S.-centric concern tied to
compliance with 2002's Sarbanes-Oxley Act and other specific regulations, GRC has
evolved into a set of practices to manage and mitigate the full array of risks
organizations face” [12]. Comparing the drivers mentioned in 2007 and in 2008, we
found that our review did not significantly support the AMR findings. References to
risk as a driver hardly changed (23,5% in 2007; 24% in 2008), while the emphasis of
regulations declined from 41% to 34%.
O5: ERM is an important methodology within GRC. Inspired by the article “Is
ERM GRC? Or Vice Versa?” [13] we wanted to find out how often enterprise risk
management (ERM) or its synonyms were mentioned in GRC publications.
References to ordinary risk management were not accounted for. 58 publications
(54%) mentioned ERM. The enterprise-wide perspective of risk seems to go hand-in-
hand with GRC.
3.2 Literature review GRC definitions
One in three of the analysed publications offers a GRC definition. Two thirds of these
definitions explain what is understood by GRC as an integrated concept. The
remaining third disregards that the total might be more than the sum of its parts and
confines itself to defining the three terms of governance, risk management and
compliance separately.
Fig. 3: GRC definitions in publications
Omitting the two journals steadily publishing GRC articles directed towards
readers familiar with the term “Business Trends Quarterly” (BTQ) and “GRC360°”
the percentage of GRC definitions rises to almost fifty percent. References to
definitions made before are basically nonexistent; sometimes several different
definitions are provided by a single organisation.
A separate definition of the three terms of governance, risk management and
compliance is made in 12% of the publications and in 20% when leaving away BTQ
and GRC360°. The exact meaning of the topics themselves is a study of its own and
cannot be discussed in this document. According to [14] it might not even be
purposeful: “To be clear, there are substantially more processes than governance, risk
and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch
on.” Still some of the authors follow the “G,R,C approach” in their definitions [15,
16, 17]. However the larger percentage of comprehensive GRC definitions in
publications lets us conclude that the idea of an integrated concept is more widely
supported. GRC is more than an umbrella term for governance, risk and compliance.
Looking at definitions of the integrated concept, some authors hold a technology-
oriented view. Banham [13] cites a consultant stating that in contrast to ERM “GRC is
more a technology platform for illuminating governance and compliance risk. It‟s
useful to think about GRC in terms of an IT platform. [...] The technology helps you
centralize and organize your policies, procedures, documentation requirements, risk
assessment analyses and other content [for] dashboard reporting.”
On the contrary KPMG [18] insists that “[GRC] is more than a software solution; it
is a strategic discipline. GRC is a continuous process that is embedded into the culture
of an organization and governs how management identifies and protects against
relevant risks, monitors and evaluates the effectiveness of internal controls, and
responds and improves operations based on learned insights.” This view of GRC as an
enterprise-wide management concept is supported by [1, 19, 20]. Corporate Integrity
[21] goes as far as calling GRC a “philosophy of business” that “permeates the
organization: its oversight, its processes, its culture.” Mitchell [10] speaks of
“principled performance”, which is picked up by Hovis [22]: “Integrated GRC is a
cross-functional and extended enterprise capability that, when implemented, creates
„principled performance.‟ An integrated GRC effort is a transforming initiative,
affecting how the enterprise will function both in its strategic orientation and in its
operational focus.”
The Open Compliance & Ethics Group [23] published an exhaustive definition that
was reviewed by professionals from a variety of organisations: “GRC is a system of
people, processes and technology that enables an organization to understand and
prioritize stakeholder expectations; set business objectives congruent with values and
risks; achieve objectives while optimizing risk profile and protecting value; operate
within legal, contractual, internal, social and ethical boundaries; provide relevant,
reliable and timely information to appropriate stakeholders; and enable the
measurement of the performance and effectiveness of the system.”
Switzer [16] emphasises integration: “We like to use the three letter term „G-r-C‟
as a symbol for the need to integrate these efforts with each other and within business
operations.” Process-oriented perspectives emphasising improvements through
integrated GRC are taken by [24] and [25], who describe GRC as a set of “initiatives
[...] which look across [...] risk and control functions holistically and seek to enhance
their efficiency and effectiveness.”
From these definitions we concluded that (i) GRC is an integrated, holistic
management concept for the topics involved, (ii) that technology is a key but
GRC is more than just technology, and (iii) that integrated GRC is supposed to
improve the performance of processes.
3.3 Literature review previous surveys of the understanding of GRC
The opinion of GRC professionals has previously been identified by two surveys. The
first survey of over 400 organisations led to the following result: “The vast majority
of respondents (75%) view GRC as „a coordinated program involving people,
processes and technology.‟ More than half (54%) viewed GRC as a valuable concept,
representing the future of how GRC concepts will be addressed. Almost all
respondents view GRC as a process rather than a product or a fad (only 3%) [...].” [4].
This shows a more deliberate idea of GRC than the results gathered by Approva [26]
one year earlier. In this survey, 87.1% of over 200 respondents consider GRC a “term
used to describe a group of internal policies & processes designed to manage risk”,
while hardly anybody opted that GRC was “just another acronym” (3.3%), the “name
of a software category” (2.4%) or the “name of a functional department in my
company” (3.3%). Only 3.8% of respondents were unfamiliar with the term.
4 Derivation and evaluation of a GRC working definition
The multitude of GRC definitions makes it difficult to find a consensus; to a certain
extent the definitions overlap, but some treat aspects that are disregarded in others.
For our definition the 75% majority of the Kahn survey claiming that people,
processes and technology are involved was taken as a starting point. Furthermore the
concept of “integrated GRC, after ruling out the fragmented approach above, was
followed. Incorporating the observations and the three conclusions drawn from the
definitions analysis the integrated, holistic management concept, technology being a
key (but not the only one), and GRC being supposed to improve the performance of
processes we derived the following preliminary single-phrase definition: ‘GRC is an
integrated, holistic approach to corporate governance, risk and compliance ensuring
that an organisation acts in accordance with its self-imposed rules, its risk appetite
and external regulations through the alignment of strategy, processes, technology and
people, thereby leveraging synergies and driving performance.’
The survey conducted in order to validate and improve the definition brought about
interesting results. Only three out of 131 respondents opted to answer “no rating – I
think there should not be a one-sentence definition of GRC”. The other 128
participants attributed the definition an average of 7.5 on a 10-point-scale. 78% rated
it 7 or higher. Only 12% chose a rating of four or lower the same percentage of
respondents that supported the definition unconditionally, awarding a ten point rating.
Fig. 4. Distribution of ratings of the single-phrase GRC definition
We interpret the result as a strong backing of our definition. Still we looked at the
74 comments provided by participants in order to introduce minor improvements. 18
respondents criticised that the definition was overly long and complex. 13 and 8
respondents, respectively, did not like the wording “leveraging synergies” or “driving
performance”. We replaced the terms with “improving efficiency and effectiveness”,
which includes the use of synergies and improved performance but is more general.
“Self-imposed rules” was criticised as being clumsy; we replaced it with “internal
policies”. Several respondents asked for ethics to be included as companies such as
Enron and Worldcom were fully compliant but still went bankrupt due to unethical
actions. “Corporate” was replaced with “organisation-wide” as the former could
imply a restriction of GRC to the C-level of a company. Lastly we moved “risk
appetite” in front of “internal policies and external regulations” because participants
felt the definition was too compliance-centric. The final definition is as follows:
‘GRC is an integrated, holistic approach to organisation-wide governance,
risk and compliance ensuring that an organisation acts ethically correct and in
accordance with its risk appetite, internal policies and external regulations
through the alignment of strategy, processes, technology and people, thereby
improving efficiency and effectiveness.’
5 Construction of a frame of reference for integrated GRC
The definition was incorporated into a high-level frame of reference highlighting the
key elements that should be examined when researching the integrated GRC concept.
Fig. 5. Frame of reference for integrated GRC
Governance, Risk Management and Compliance are the core subjects of GRC.
Each of the subjects consists of the four basic components of GRC: strategy,
processes, technology and people. The organisation‟s risk appetite, its internal
policies and external regulations constitute the rules of GRC. The subjects, their
components and rules are now to be merged in an integrated, holistic and
organisation-wide (the three main characteristics of GRC) manner aligned with the
(business) operations that are managed and supported through GRC. In applying this
approach, organisations long to achieve the objectives of GRC: ethically correct
behaviour, and improved efficiency and effectiveness of any of the elements involved.
Of course the components strategy, processes, people and technology are not
exclusive to GRC. All operations of an organisation are constituted by these
components. For the procure-to-pay cycle, for example, there is a strategy that sets
and controls targets; there are the process steps from procurement to payment, and
procurement staff as well as transactional and information systems enabling the cycle.
GRC supports the management and the execution of these operations; e.g. through
governance specifications for the handling of goods, segregation of duties across the
procure-to-pay processes, or technology to monitor risks in the supply chain.
For information systems research another sub-category of GRC is of special
interest: GRC processes that support the information technology operations of an
organisation [27]. These GRC processes are commonly referred to as “IT GRC” [28].
Fig. 6. GRC and IT GRC in the business and IT context
IT GRC deals primarily with issues of information security, IT compliance, IT and
data governance, IT risk management and IT revision [29]. It is aligned with the
overall GRC activities, the IT operations and indirectly with the organisation‟s
(business) operations.
A universal analysis of GRC would have to consider all the components of the
above figure. Analysis the separation of a whole into its component parts helps a
researcher to focus on certain aspects. For example a research project could be
restricted to examining IT GRC technology, such as IT security software and systems
monitoring tools. A more comprehensive project might include the whole of IT GRC
and its integration with the IT components. A researcher who does not want to dive
into the depths of technology might focus on the integration of GRC processes with a
specific business process. Sometimes it is difficult to draw a clear line between the
four boxes; there are even intentional overlaps. For instance in most cases GRC
technology is information technology. Depending on the perspective of the
researcher, classifications can be made as it suits the research project best. For
scoping it is just important that relevant components are not left away.
Once the components in scope have been chosen, the same can be done for the
rules that are to be considered. The rules of GRC are basically defined by compliance
requirements, the risk management process and the organisation‟s governance
codices. No matter if they are stated in regulations, internal policies or target
agreements, in the end they are all normative or restrictive instructions that may
potentially be represented and used in an integrated manner. The large number of
rules might require a researcher to focus on certain rules and leave others away (e.g.
include the COBIT framework but ignore ISO 27001). In any case it should be
examined in how far the GRC characteristics (integrated, holistic, organisation-wide)
are present in the subject of research.
Eventually GRC research should investigate the impact of integrated GRC in their
models or subjects of research; is there an improvement in the objectives of ethically
correct behaviour, efficiency and effectiveness? Effects may arise in any of the GRC
subjects, all operations, IT, GRC and IT-GRC subcomponents, and in the handling of
the GRC rules.
A short example will help to understand how this frame of reference supports
scoping and approaching a GRC research project. Assuming a researcher wants to
examine an organisation‟s GRC approach and its effects on the procure-to-pay cycle,
excluding IT-GRC. The researcher needs to consider the following points:
Is the organisation‟s approach to governance, risk management and compliance
integrated, holistic and organisation-wide across the four components of
strategy, processes, people and technology?
What does the procure-to-pay cycle look like across the four components?
Which rules affect the procure-to-pay cycle? Which of these rules need to be
considered in the research project? Does the organisation treat these rules in an
integrated, holistic and organisation-wide manner?
Do the GRC specific components interact with their “general” counterparts? E.g.
does the GRC strategy influence the setting of targets for the order-to-cash
cycle? Are automated controls implemented in the order-to-cash application and
are they linked to GRC systems?
Are the objectives of GRC realised? Is adherence to the rules in the order-to-
cash cycle efficiently and effectively ensured? Are there side effects such as
improved efficiency and effectiveness of the procure-to-pay performance (e.g.
lower cost, improved goods quality)? Is non-ethical behaviour prevented?
Naturally these questions may be complemented by specific questions relevant to
the respective research project. Orientation along the frame of reference helps to
create a high-level process model to structure the research.
Fig. 7. Exemplary process model for integrated GRC research
6 Discussion
Admittedly, putting the complexity of GRC into a single phrase is provocative. One
sentence cannot catch all inherent notions. However, in contrast to other definitions,
the definition presented here considers the commonalities and the focus of the whole
of prior publications and research on GRC. So far it is the only definition that has
been derived in an empirical, scientific manner. Moreover it has experienced GRC
professionals‟ acceptance as shown by the survey. Thus compared to prior definitions
it should be more representative for the whole spectrum of GRC.
Of course the approach to derive a definition by means of a literature review has
certain disadvantages. Some sources were of rather poor quality. The publishing
groups have a business interest, which questions the objectivity of their articles. We
assume that the large number of publications reviewed largely makes up for this
disadvantage. Another approach could have been to conduct structured interviews
with GRC experts. The effort however would have been incomparably higher if an
objective result not dominated by a small number of opinions was to be achieved. In
addition we doubt that the quality would have been significantly higher; the
statements given in interviews would not have had a scientific foundation either.
The frame of reference naturally only displays a high-level abstraction of GRC. It
does not visualize the massive complexity of GRC, but it is not meant to do that. As
long as it helps researchers to gain a quick first understanding of integrated GRC in
order to structure their research, it fulfills its purpose.
The contribution of this research paper consists of three aspects. Firstly, for the
first time GRC publications have been reviewed; the lack of research on GRC is now
obvious. Secondly, for the first time a GRC definition has been derived rigorously in
a scientific manner and it has been validated by GRC professionals, thus proving its
relevance. Thirdly, a frame of reference has been constructed that may be used for
GRC reference modeling or other research of integrated GRC. The knowledge base of
the information systems research framework [30] has been extended (while the use of
our results is not restricted to IS research, of course). If the complexity of GRC has so
far been a barrier holding off research, we hope that we have lowered this barrier.
7 Conclusion and future research
The analysis at hand clearly shows that integrated GRC is a widespread topic that has
not yet been adequately researched. We can see what happens to a topic that lacks a
common forum for communication of professionals as research could offer. The
information provided publicly remains at a high level; understandably neither
software companies nor consultancies want to give away their knowledge for free.
Different products and marketing efforts have created a domain consisting of lots of
shared buzzwords but missing clarity. The myriad of perceptions of GRC harms the
development of a rising topic. At least there is a consensus on a few key points
regarding GRC which we included in our results. Our definition and the frame of
reference are a first step towards a more active role of research in integrated GRC. In
the near future we will try to enlarge the basis for GRC research by breaking down
and describing the frame‟s components in order to create a research framework and
reference model for integrated GRC in information systems management. We
encourage other researchers to build on our results and to use the definition and the
frame of reference in their own research of GRC.
1. PricewaterhouseCoopers: 8th annual global CEO survey.
2. Leibs, S.: One for three. CFO Magazine 2007/9.
3. Dittmar, L.: Demystifying GRC. Business Trends Quarterly 2/4, 16--18 (2007)
4. Kahn Consulting: GRC, E-Discovery, and RIM: state of the industry.
5. Rasmussen, M.: 2008 GRC drivers, trends & market directions.
6. Ahlemann, F., Gastl, H.: Process Model for an Empirically Grounded Reference Model
Construction. In: Fettke,P., Loos, P. (eds.) Reference Modelling for Business Systems
Analysis, pp. 77--97. Idea Group, Hershey (2007)
7. Broady, D.V., Roland, H.A.: SAP GRC for dummies. Wiley, Indianapolis (2008)
8. Fettke, P.: State-of-the-Art des State-of-the-Art. Eine Untersuchung der
Forschungsmethode „Review‟ innerhalb der Wirtschaftsinformatik. Wirtschaftsinformatik
48/4, 257--266 (2006)
9. Schlagheck, B.: Object-oriented reference models for process and project controlling.
Foundation-construction-fields of application. Deutscher Univ.-Verlag, Wiesbaden (2000)
10. Mitchell S.L.: GRC360: A framework to help organisations drive principled performance.
International Journal of Disclosure and Governance, 4/4, 279--296 (2007)
11. Tapscott, D.: Trust and competitive advantage: an integrated approach to governance, risk
& compliance (2006)
12. Kelly, J.: Risk management surpasses compliance as top GRC priority
13. Banham, R.: Is ERM GRC? Or vice versa? Treasury & Risk 2/6, 48--50 (2007)
14. Mitchell, S.L.: GRC more than three letters
15. Hoffmann, M.: Governance, Risk und Compliance (GRC) ein integrierter Ansatz.” IM
24/1, 74--81 (2007)
16. Switzer, C.S.: Integration innovation. Business Trends Quarterly 2/4, 26--32 (2007)
17. Curran, B.: Defragmenting GRC. Pharmaceutical Technology 4/16, 20--23 (2007)
18. KPMG: Governance, risk, and compliance. Driving value through controls monitoring.
19. Economist Intelligence Unit: Managing risk through financial processes. Embedding
governance, risk and compliance.
20. Wechsler, P.: The GRC harmony. Treasury & Risk 2/6, 13 (2008)
21. Corporate Integrity: What is GRC?
22. Hovis, J.J.: CIO at the center.
23. OCEG: GRC capability model. Red Book 2.0. (2009)
24. Vemuri, A. Strategic themes in risk and compliance. FINsights 2, 2--5 (2008)
25. Frigo, M.L., Anderson, R.J.: A strategic framework for governance, risk, and compliance.
Strategic Finance 90/8, 20--61 (2009)
26. Approva Corporation: 2007 Approva GRC survey.
27. Teubner, A., Feller, T.: Informationstechnologie, Governance und Compliance.
Wirtschaftsinformatik 50/5, 400--407 (2008)
28. IT Policy Compliance Group: 2008 Annual Report. IT Governance, Risk, and Compliance.
29. Rath, M., Sponholz, R.: IT-Compliance: Erfolgreiches Management regulatorischer
Anforderungen. Schmidt, Berlin (2009)
30. Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems
research. MIS Quarterly, 28/1, 75--105 (2004)
... Hence, maintaining competitiveness and managing risk in the healthcare environment requires new actions, plans, and strategies. These changes have been facilitated by updated government regulations, organizational structures, accountability measures, and the relationship between consumers and healthcare providers [2]. In the evolving healthcare market, institutions must modify their operations to address regulatory, strategic, and other risks. ...
... This research aims to assess the factors affecting the implementation of IT GRC initiatives in healthcare organizations. This paper adopted a modified version of the frame of reference for integrated GRC developed in [2]. The original frame contained four components, strategy, processes, technology, and people. ...
Full-text available
The rapidly changing healthcare market requires healthcare institutions to adjust their operations to address regulatory, strategic, and other risks. Healthcare organizations use a wide range of IT systems producing large amounts of sensitive and confidential data. However, few tools are available to measure the data governance activities of healthcare institutions and align healthcare data management with legislation. The Governance, Risk, and Compliance (GRC) Model focused on integrating that ability to achieve organizational goals. The demand for corporate governance is crucial for protecting the healthcare system from risks. An adaptation of a modified version that includes strategy, processes, technology, people, as well as legal and business requirements was developed to analyze the factors affecting IT GRC implementation in healthcare organizations. Although about 48% of participants reported that their organizations implemented IT GRC programs, 16% stated that they are considering implementing IT GRC programs soon. In almost 71% of healthcare organizations, IT governance, risk management, and compliance are integrated. Among the factors influencing the implementation of IT GRC programs in Saudi healthcare organizations, legal context ranked as the most critical, followed by process, strategy, then technology, business, and finally, people contexts. This study shows that healthcare organizations must assess various factors for the effective implementation of IT GRC activities.
... So, as a dependent variable, it is a combination of 'information technology,' 'management,' and 'performance.' For the measurement of the construct, especially the performance of IT management, it is to decide if further studies adopt models of IT and business alignment (Chew and Gottschalk, 2013; De Haes and Van Grem bergen, 2015; Luftman, 2000; Luftman, Papp, and Brier, 1999; Pikarti and Hidayanto, 2012, or whether they discuss governance, risk, and compliance (ISACA, 2018; Racz, Weippl, andSeufert, 2010). Continued on next page ...
The purpose of this paper is to explore the relationship between organizational culture and IT management performance in the era of digitalization. The study conducts a systematic literature review in the research fields of the fourth industrial revolution, or industry 4.0, digitalization, information technology, innovation, performance, and organizational culture. The review finds recent investigations of corporate culture and performance, with a particular focus on IT topics. Along with the applied model, the treated industry and country, and the cited references of organizational culture, the paper compares the results of the studies accordingly. The paper unfolds various limitations and a gap in the research field. Although most works report an impact of organizational culture, no study examines the IT management performance precisely. Assuming the significant role of IT management in digitalization, the paper closes with a proposition for further studies.
... Technologies should be embraced in order to demonstrate better compliance monitoring through the organization's Governance, Risk Management and Compliance (GRC) policies [95]. ...
This interdisciplinary study is one of the earliest intersecting between business management, law and information technology to analyze data privacy legal risks and offer an enterprise-wide solution through GDPR compliance monitoring. A Lean Six Sigma (LSS) managerial approach which utilizes the Define, Measure, Analyze, Improve and Control (DMAIC) method was used to not only to identify data privacy legal risks within digital retail but also to develop a compliance checklist to minimize these risks. Unlike earlier studies on this topic which focus on customers only, employees’ perspectives were also considered. The findings contribute to risk management literature specific to data privacy and practically offer a systematic practical approach to optimize value from data driven innovation by minimizing legal risks . Digital retail managers are challenged with the task of optimizing the value from data driven innovation due to intensified requirements by regulators for data privacy compliance. The value captured from social media platforms and applications, advanced computing techniques, to mention but has to be integrated into the enterprise’s risk assessment process to exploit the risk when the benefits outweigh the losses, mitigate or avoid them if the losses outweigh the benefits. On 25th May, 2018, the European Commission and Parliament of the European Union (EU) enacted the General Data Protection Regulation (GDPR) whose purpose is to protect data subjects’ civil rights and to facilitate a free data economy within the EU. Since then, there is a gradual increase of data privacy violations and legal penalties despite an increasing presence of Privacy Enhancing Technologies (PETS) on the market.
... GRC compounds different disciplines (governance, risk and compliance), which were initially adopted to deal with IS/IT management [57] and later evolved to 'incorporate' GRC. Perceived as an advancement of an organisation's risk capability, with the aim of synchronising strategy, processes, technology, and people to enable organisations to function more efficiently [34] [58]. GRC not only supports achieving an organisation's objective, but also addresses uncertainty and integrity at a strategic level [26] [59]. ...
Conference Paper
Full-text available
This research explored the need for enhancing the Enterprise Risk Management concept. Thus, delved into challenges and drawbacks to acknowledge levels of maturity. In addition, it studied the reasoning for a paradigm shift, which aggregates “GRC” (Governance, Risk and Compliance) under its umbrella in order to increase concept capabilities to not only align or comply but to foresee, adapt, and create future-oriented risk strategies. Overall, the key findings from 15 qualitative interviews indicated that Enterprise Risk Management maturity has yet to achieve its full potential. It was found that in practice Enterprise Risk Management no longer suffice to an organisation’s needs. Stakes and risk-return have consequently become considerably higher and broader in scope so the need to orchestrate the disjointed risk functions is higher. Given the significant drawbacks identified, this article suggests a value proposition of integrating GRC into Enterprise Risk Management to increase organisational risk capabilities. The joint approach is suggested to reinforce the effects of Enterprise Risk Management, and last but not least, enable maturity of the concept.
Full-text available
Durante el siglo XX, la doctrina económica tradicional se ha centrado en estudiar, desde distintas perspectivas, la relación entre la corrupción y los delitos económicos afines y el crecimiento y el desarrollo económico. Sin embargo, las nuevas políticas económicas y recomendaciones de la Organización para la Cooperación y el Desarrollo Económicos (OCDE) apuestan claramente por un mayor protagonismo de los factores institucionales en la prevención del daño social inherente a los delitos de corrupción. En la metodología de este trabajo se aplica, por un lado, el modelo econométrico de regresión probit y, por otro, el método estadístico de análisis de conglomerados por vinculación completa, para ilustrar la importancia creciente del cumplimiento corporativo en la OCDE, especialmente a partir de la regulación legal de la responsabilidad de las personas jurídicas y de la designación de un oficial de cumplimiento. Los resultados de investigación sugieren que ha existido una expansión geográfica de esta política de integridad desde los países de tradición anglosajona hacia el resto de los países miembro de la OCDE; asimismo, que los aspectos institucionales e historicistas están recuperando importancia en el funcionamiento de la economía mundial como palanca de cambio para la integridad en las corporaciones.
Full-text available
Board decision-making is a complex process. It is represented by reasoning for choosing the most suitable alternative within a series of options for the operation of the corporation. In practice, strategic decision-making is an important function of the board of directors, especially in the information age. Although there are various determinants of the board for carrying out decision-making, there has been little research concerning the impact of information technology (IT) governance wisdom on board decision-making. This study seeks to investigate the origin of IT governance and analyze IT governance wisdom from the perspective of the philosophical thinking of The Art of War. The analysis indicates that the concept of IT governance must have been produced no earlier than the late 1990s, highly likely at the beginning of the 21st century. In addition, this study presents the results of qualitative field research of a Chinese information and communication technology (ICT) company which indicates that it has an important meaning in explaining IT governance wisdom might have a significant influence on board decision-making. In summary, the importance of information governance wisdom in the decision-making process of the board of directors is also a reflection of intelligent management while considering the interests of shareholders in the digital era.
Full-text available
Buchrezension: Michael Rath, Rainer Sponholz - IT-Compliance, Erfolgreiches Management regulatorischer Anforderungen, 2., Auflage, ESV Erich Schmidt Verlag, Berlin, 2014 ----- Book review: Michael Rath, Rainer Sponholz - IT-Compliance, Successful Management of Regulatory Requirements, 2nd edition, ESV Erich Schmidt Verlag, Berlin, 2014 ----- Source: Klotz, Michael: Buchbesprechung von Michael Rath, Rainer Sponholz - IT-Compliance, Erfolgreiches Management regulatorischer Anforderungen, 2., Auflage, ESV Erich Schmidt Verlag, Berlin, 2014. In: IT-Governance, 2015, 9. Jg., Nr. 20, p. 32
Full-text available
Two paradigms characterize much of the research in the Information Systems discipline: behavioral science and design science. The behavioral-science paradigm seeks to develop and verify theories that explain or predict human or organizational behavior. The design-science paradigm seeks to extend the boundaries of human and organizational capabilities by creating new and innovative artifacts. Both paradigms are foundational to the IS discipline, positioned as it is at the confluence of people, organizations, and technology. Our objective is to describe the performance of design-science research in Information Systems via a concise conceptual framework and clear guidelines for understanding, executing, and evaluating the research. In the design-science paradigm, knowledge and understanding of a problem domain and its solution are achieved in the building and application of the designed artifact. Three recent exemplars in the research literature are used to demonstrate the application of these guidelines. We conclude with an analysis of the challenges of performing high-quality design-science research in the context of the broader IS community.
This chapter stresses the importance of integrating empirical evidence in the construction process of reference models. With reference to the authors' underlying epistemological beliefs, requirements for an empirically grounded process model are derived. Based on a literature review of existing process models and experience gained from three research projects, an advanced process model is proposed in order to provide concrete instructions that show how these requirements can be met. Real-life examples from completed and ongoing research projects are continuously integrated so as to contribute to the practicability of the proposed model for the reader.
This paper discusses the concept of principled performance as the clear articulation of an enterprise's financial and non-financial objectives and the boundaries it will observe as it drives toward them. It discusses the GRC360 Framework as a vehicle for organisations to drive and attain principled performance.International Journal of Disclosure and Governance (2007) 4, 279-296. doi:10.1057/palgrave.jdg.2050066
Zusammenfassung In dem Beitrag werden die Ergebnisse einer Web-Recherche zu den Themen Governance und Compliance in Zusammenhang mit dem Einsatz von Informationstechnologie vorgestellt. Hierbei zeigt sich, dass die Informationstechnologie eine doppelte Rolle einnimmt. Sie tritt zum einen als Instrument zur Realisierung der betrieblichen Governance und Compliance in Erscheinung. Zum anderen ist die IT auch ein wesentlicher Gegenstand von Governance und Compliance, sodass sich die eigenständigen Arbeitsfelder „IT-Governance“ und „IT-Compliance“ etabliert haben. Da zwischen Governance und Compliance enge Bezüge bestehen, wird in der Praxis oft auf eine klare Positionierung verzichtet. Dies gilt für die Beratungsangebote von IT-Dienstleistern ebenso wie für das Angebot von Softwarewerkzeugen. Letztere werden i. d. R. unspezifisch als Governance-Risk-Compliance-Software bezeichnet. Die duale Rolle der IT und vor allem die unpräzise und tendenziell inflationäre Verwendung der Begriffe „Governance“ und „Compliance“ erschweren die thematische Ordnung von Inhalten auf dem Word Wide Web erheblich.
The world-wide increasing amount of literature makes it necessary to describe, to synthesize, to evaluate, to clarify, or to integrate the results of papers in a particular field of research. Today, the process of conducting a literature review is seen as a scientific procedure, which should be guided by appropriate research methods. This paper analyzes the achieved research level in the Information Systems discipline from a methodological point of view. As a sample we use all articles from the column „State-of-the-Art” of the journal WIRTSCHAFT-SINFORMATIK. The study shows that this research method is common in Information Systems research. However, several important aspects for further development are identified: (1) Until now no mathematical-statistical analysis has been used. (2) Research methods used in the primary papers are not taken into account by reviews. (3) No explicit objectives are discussed by about one third of the articles in the sample. (4) The selection of literature used as a basis for the review is not explicated in any article. (5) About one half of the reviewed articles do not discuss further research questions.
Governance, Risk und Compliance (GRC) – ein integrierter Ansatz
  • M Hoffmann
Hoffmann, M.: Governance, Risk und Compliance (GRC) – ein integrierter Ansatz.” IM 24/1, 74--81 (2007)
One for three. CFO Magazine
  • S Leibs
GRC drivers, trends & market directions
  • M Rasmussen
A strategic framework for governance, risk, and compliance
  • M L Frigo
  • R J Anderson
  • M.L. Frigo