Governance, Risk & Compliance Advisory Blog

Insights on best practices related to IT Audit & Compliance

Key factors to consider for building up an effective IT Service organization

April 22, 2010 17:56 by author nirav

Providing IT services, once seen as a costly and tedious task requiring significant investments of time and resources, is now recognized as a way to help organizations become more competitive, efficient and effective in today's global marketplace. Successful IT services help control IT, keep it compliant and align it with business goals. This enables IT and the business to work in tandem as one cohesive unit that brings value to the organization.

There are effectively three things an IT service organization has to master to succeed in delivering services to its business customers. These basic requirements are:

Stabilize the IT organization – One of the basic requirements of any IT service organization is the stabilization of its infrastructure. This means that the IT organization must know not only how to resolve issues but also how to prevent them from happening in the first place. It involves building a Service Desk that acts as a single point of contact that business users can call when they face an issue or want something changed, so that when users need something done they know where to go.

Control the IT organization – The next step is to establish control over the physical infrastructure. This implies that the business has successfully implemented Configuration, Change and Release Management: the organization knows what it has and can accurately design changes that achieve the desired outcome for the business with minimum risk and disruption to service.

Improve the IT organization – The next milestone for an IT service organization is to set up processes for continuous improvement. This does not mean merely establishing service levels with vendors, since reporting on service levels does not by itself mean that they have been delivered.

Once this is done, the organization has succeeded in deploying a framework that not only supports the IT needs of the business but does so cost-effectively and adds value to the business. It helps ensure the security, integrity and accuracy of information in IT systems, which is of paramount importance to all areas of business and industry.



Governance, Risk, and Compliance Management: An Operational Approach

April 17, 2010 01:45 by author nirav

Globally integrated markets, new levels of accountability stemming from new laws and regulations, and the ever-increasing expectations of a broader group of stakeholders, who demand effective corporate governance, risk management, transparency, accountability and optimized performance, have raised board-level concern for ensuring that effective, transparent and reliable governance and compliance tools are in place and are actually used.

The challenge is that each of the individual terms (Governance, Risk and Compliance) has a different interpretation across the enterprise. We have IT Governance, Corporate Governance, Business Risk, Strategic Risk, Financial Risk, Operational Risk, IT Risk, Corporate Compliance, Sarbanes-Oxley (SOX) Compliance, Privacy Compliance, and Employment and Labor Compliance. The list is endless.

Thus there is a need for a unified GRC strategy that works with multiple roles across the organization (legal, risk, audit, compliance, IT, ethics, finance and lines of business), guides people, standardizes processes and integrates technology to embed GRC at every organizational level. The following are suggested best practices for ensuring sound GRC practice in an enterprise:

• User Roles and Access Management

Enforce compliant user provisioning across all systems with integrated user identity and access control management. Centrally define users and their roles; assign, control, change and revoke access so as to avoid segregation-of-duties conflicts. Automate segregation of duties across enterprise applications, custom solutions and database systems with business-driven rules to prevent unauthorized access to sensitive company and customer information. All users, including privileged users such as administrators, thus have access only to what they need to do their job.

• Data Management

Collaborate and share information, assessments, metrics, risks, investigations and losses across roles. Protect information efficiently and prevent fraud by identifying and preventing access and authorization risks in cross-enterprise IT systems. Reduce redundant information silos and overlapping tasks, while using date-effective audit trails that track the "who, what and when" of changes made to critical business workflows, information, risk-control metrics, work papers, documentation and other evidence.

• Process Control and Management

Support both cross-industry and industry-specific processes. Enable business process control management by leveraging the core processes followed across the business and centrally monitoring key controls and data across enterprise systems. Automate risk-based processes to address risk management, access control, IT controls testing, data monitoring and reporting.

• Risk-balanced Strategy Management

Assess the value of a new business opportunity against its associated strategic, financial, legal and compliance risks to optimize resource usage and minimize the market penalties from high-impact events. Establish tolerance thresholds for risks in the context of business operations. Risk-based controls should be introduced across the different business process areas, ranging from financial and operational to human resources.

• Automated Controls Enforcement

Establish an enterprise-wide understanding of risk with a standardized and automated process to identify, track, assess and treat risks. Highlight key risk and performance indicators with the help of executive-level dashboards and dynamic drill-down reporting.

Minimize fraud risk with continuous monitoring and automated enforcement of best-practice configuration policies. Enforce comprehensive and automated controls for applications and technologies (including all middleware and databases). Determine root causes and accountability for risk by tracking personnel ownership. Route alerts and notifications to the concerned personnel and IT managers for appropriate action.

• Enterprise Performance Management

Set organizational goals and objectives while allowing separate lines of business within the organization to address the distinct risk and compliance requirements within their own sphere. Maintain a fine balance between the autonomous and the related functions that business units undertake.



Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

© Copyright 2010
