A Conceptual Model for Integrated Governance, Risk and Compliance

As integrated Governance, Risk and Compliance (GRC) becomes one of the most important business requirements for organizations, the market is still struggling to satisfy their needs. The absence of scientific references on GRC is leading to a dispersion of the concepts involved. Without clear boundaries and a correct definition of the domain, poorly implemented GRC solutions can leave organizations with low performance and high exposure to risk. This paper proposes a set of high-level concepts covering the GRC domain. Through a literature review and a survey of existing frameworks, we identify the key functions of governance, risk and compliance and the associations among them, resulting in a reference conceptual model for integrated GRC. The model was evaluated against the OCEG GRC Capability Model using a quality model evaluation framework. We conclude that the proposed model is valid and complete.
