Forrester Research: Defining IT GRC

By Khalid Kark, Marc Othersen, Chris McClean with Paul Stamp, Michael Rasmussen, Alex Cullen, Craig Symons, Alissa Dill

This is the first document in the "Fundamentals Of IT GRC" series from Forrester Research.


IT governance, IT risk management, and IT compliance are three distinct disciplines that in the past have existed in silos within organizations. Today, many organizations no longer see these activities as individual, one-time projects handled in separate parts of the IT organization. Rather, they are finding many commonalities and interrelationships among the three areas. Adopting a unified IT governance, risk management, and compliance (IT GRC) approach and managing the associated activities coherently will create efficiencies, provide a holistic view of the IT environment, and ensure accountability.

Defining The Components Of IT GRC

Business imperatives, increased regulatory pressure, and customer demands are forcing many CIOs to adopt a structured, enterprisewide approach to IT GRC. Today, enterprises are acknowledging that a mishmash of technologies and processes working in silos inevitably leads to inefficiency, increased cost, and higher risk to the organization (see Figure 1).

There is currently considerable confusion about what exactly IT GRC is and which subcomponents to consider when establishing a program. Although the specifics of the program vary with the individual circumstances of an organization, common definitions and broad objectives for each area establish the high-level approach for the program.

IT Governance Establishes Decision Structures And Tracking Mechanisms

Forrester defines IT governance as:
The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.

At its most basic, IT governance determines how decisions are made, who makes the decisions, who is held accountable, and how the results of decisions are measured and monitored (see endnote 1). Although many organizations have some form of IT governance in place, the governance processes are often ad hoc, siloed, and informal. Organizations need to first ensure that they have the appropriate governance structures in place; structures such as technology steering committees, architecture review boards, and project review boards fulfill this task. The second step is to ensure that the appropriate processes exist to guarantee consistency and transparency; for example, processes for proposing new projects, approving new IT investments, and prioritizing IT projects would fit the bill. Third, organizations need to ensure that there is appropriate communication and accountability to measure the outcomes of IT decisions, whether those decisions are technical, monetary, human resource, or any other type. Project status reports, ROI analysis, and Balanced Scorecards are examples of such communication and monitoring (see Figure 2) (see endnote 2).

Download the rest of this report, including graphics, free of charge.
