IT-GRC: Who is and who is not

Marc Othersen

A message for IT-GRC vendors: I am constantly bombarded by vendors touting "I have an IT-GRC solution for you to look at!" Since I cover the IT-GRC space, I am naturally interested. In many cases, my interest quickly turns to disdain after the vendor's product demo. Why?

Simply, most IT-GRC "vendors" are not IT-GRC vendors. An IT-GRC vendor, by our definition, automates the governance, risk, and compliance lifecycles to provide seamless integration and data sharing. Most of the IT-GRC "vendors" I get briefed on automate IT controls, not IT-GRC lifecycles. For example, Brabeion automates policy management (a governance process), the testing of IT controls (a compliance process), and the assessment of IT risks (a risk process). Brabeion, therefore, is an IT-GRC vendor. Sun Microsystems' identity and access management product automates access controls, and NetIQ's SIEM product automates event monitoring controls. Neither of these companies is an IT-GRC vendor or has an IT-GRC product.

So before marketing a product as an IT-GRC solution, please make sure it actually is an IT-GRC solution and not a control automation solution. This will go a long way toward reducing the "noise" around the IT-GRC market space.


re: IT-GRC: Who is and who is not

Hi Marc, what do you think about using "facilitate" instead of "automate" for IT-GRC?

re: IT-GRC: Who is and who is not

Facilitate also works but does not, I think, carry the context of technology which is core to the definition of an IT-GRC vendor. I can facilitate anything without utilizing a technology but automate implies "facilitation through technology" in my mind...

re: IT-GRC: Who is and who is not

Hello all, I would also like to give my opinion on Risk and Compliance. IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: greater business value from IT strategy, investment and alignment; significantly reduced business and financial risk from the use of IT; and conformance with the policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving its objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, white paper, compliance survey report, 2008 compliance report. You can also get more information from

re: IT-GRC: Who is and who is not

Hello Jack, that was a good update by you. I have downloaded the copy from and it seems very interesting.