A Business Viewpoint for Integrated IT Governance, Risk and Compliance

Driven by increasing requirements, standards and tight oversight from governments, together with the immediate need to manage the growing business and operational risks inherent in competing in a complex global market, integrated Governance, Risk and Compliance (GRC) is becoming one of the most important business requirements for organizations. IT requirements, standards and best practices in particular play a crucial role in IT organizations and departments. The lack of guidance in this domain, especially from scientific research, leaves organizations to make unaided attempts to improve their efficiency and effectiveness. In this paper we propose a business architecture that describes the integration of the main processes for IT Governance, IT Risk Management and IT Compliance (IT GRC). Building on a process model for IT GRC and a conceptual model for GRC, we use ArchiMate to model the behavioural, structural and informational aspects of the business viewpoint: business processes, roles and business objects respectively. Finally, we discuss the result and draw some conclusions about the constructed artifact.