Governance, risk and compliance: A strategic alignment perspective applied to two case studies

Abstract

Governance, Risk and Compliance (GRC) has become critical for organizations and so is the need to support this by ICT. This paper positions GRC into an integrated strategic perspective, providing guidelines to assess maturity and defining paths for achieving strategic alignment. The approach is applied to two case studies, clarifying the organizations' GRC maturity "as is" and "to be". These cases were studied in the utilities and financial sectors, both show that organizations can have similar GRC maturity levels but follow quite different paths to achieve alignment with regard to GRC. While the Dutch utility company stuck to a path where the organizational strategy with respect to GRC was taken as a starting point, the financial institution followed a path in which the IT solution strategy was leading. In interpreting this result, it appears that the existing IT assets are strongly impacting the selection of the alignment path. More case studies are advocated to further validate the approach and contribute to optimize the strategic and integrated perspective on GRC. © 2012 IFIP International Federation for Information Processing.