In 2004, companies went through the sprint phase. Risks were identified
and managed with appropriate controls. Roles and user access were
cleaned up.
In 2005, the marathon phase began. Companies focused on staying clean
and lowering the costs of compliance.
In 2006 and beyond, companies started to focus on automation to bring
costs down to the lowest level possible.
Another, no doubt oversimplified, way of putting it is that companies rushed
to get clean regardless of cost, and then sought to stay clean as cheaply as
possible.
Stages of GRC adoption
Observers and analysts watching the progression of GRC adoption have identified four stages of growth and maturity that companies move through as they improve their GRC processes: reacting, anticipating, collaborating, and orchestrating. As shown in Figure 1-5, the first step is reacting, which is the rush to get things done. The second step, where most companies are now, involves anticipating needs and increasing automation. The third step involves higher levels of collaboration, in which GRC awareness is propagated throughout an organization. In the fourth phase of GRC adoption, a company seeks to better orchestrate and optimize its activities based on greater visibility.
Figure 1-5: Stages of GRC adoption defined by AMR Research. The figure shows four steps along a tactical-to-strategic axis (maturity varies by industry / geography), with most organizations today at Step 2:
Step 1, Reacting (Panic): get it done; operate in isolation; marshal resources as necessary from wherever.
Step 2, Anticipating (Acceptance): efficiency; automation; see connections between multiple programs; plan future approach.
Step 3, Collaborating (Coordination): identify risks; assess exposure; prioritize actions; reuse technology components for multiple purposes.
Step 4, Orchestrating (Manage in unison): set enterprise objectives; coordinate analysis and action; complete visibility to risk, exposure, and performance.
Part I: Governance, Risk, and Compliance Demystified