IT Governance, Risk & Compliance (GRC) Status Quo and Integration: An Explorative Industry Case Study

The integration of governance, risk, and compliance (GRC) activities has gained importance in recent years. This paper presents an analysis of the GRC integration efforts in the information technology departments of three large enterprises. Action design research is used to organize the research in order to assess IT GRC activities based on a model with five dimensions. By means of semi-structured interviews, key findings concerning the status quo of the three IT GRC disciplines, their integration, and their relation to GRC on the corporate level are identified and rated. Five key findings explain the main commonalities and differences observed.
