
The relationship between IT GRC and Enterprise GRC

September 28, 2015 by
Filed under: Governance, Risk and Compliance, IT GRC

Every story on GRC states that the worlds of IT GRC and EGRC are moving together, that these worlds are integrating. In fact, I don't believe that's true. I believe they have always been one, and that vendors' marketing has polluted the discussion by creating two perceived separate markets. There are obviously some specifics in IT GRC that are less dominant in EGRC. A term like "vulnerability" is standard in IT GRC but rarely heard in EGRC. Although such a term adds logical structure, it also adds complexity for many non-experts. I've seen EGRC implementations with risk triggers, causes and consequences; that makes a lot of sense to the expert but is difficult for business users. This is just one example of where companies need to decide on a clear and integrated risk language, and that need is not limited to IT GRC.

Another typical element of IT GRC is its reliance on data, much more so than in EGRC. In my view this is simply because the availability of data is so much better in IT and there is a lot of value in that data. This is definitely an area where EGRC needs to learn from IT GRC practices. The types of data to include are not only transactional data, permissions data, configuration data and logs, but also unstructured data, such as (social) media for reputation risk monitoring.

IT GRC has always been part of EGRC. The languages have moved closer, and will have to move closer still for people in different teams to understand one another and to leverage one another's results. Proper tooling can already take care of the technical integration between the various risk initiatives: ERM, OpRisk, IT Risk, regulatory compliance, policy management, and internal control over financial (and other) reporting. Now the business processes need to be aligned. Alignment between IT GRC and EGRC is as necessary as alignment between ERM and ORM, between Policy Management and Regulatory Compliance, between ICFR and Audit, and so on.

Tags: GRC, IT GRC
