Understanding governance, risk and compliance information systems (GRC IS): The experts view

Although Governance, Risk and Compliance (GRC) is an emerging field of study within the information systems (IS) academic community, the concept behind the acronym still has to be demystified and investigated further. This study examines GRC systems in depth by (a) reviewing the literature on existing GRC studies and (b) presenting a field study of professional experts' views on GRC application. The aim of this exploratory study is to understand the aspects and the nature of the GRC system, following an enterprise systems approach. The result is a framework of particular GRC characteristics that need to be taken into consideration when these systems are put in place. This framework covers specific areas such as goals and objectives, purpose of the system, key stakeholders, methodology and requirements prior to implementation, critical success factors, and problems/barriers. Further discussion of the issues, the concerns and the diverse views on GRC would assist in developing an agenda for future research in the GRC field.
