EMA Research Looks at Success Factors for IT Governance, Risk and Compliance (GRC) Management

BOULDER, Colo., May 28 /PRNewswire/ -- New research from Enterprise Management Associates (EMA) shows that IT governance, risk and compliance (IT GRC) management is increasingly linked to the overall governance of an organization. The study, led by Scott Crawford, EMA research director, looks at the challenges facing IT GRC, the factors that contribute to successful IT GRC deployments and the critical role IT Service Management best practices play in IT GRC success.

"There are continued examples, led by the Societe Generale scandal, that illustrate how a lack of IT governance and risk programs can lead to a lack of overall business controls that ultimately results in near-catastrophic outcomes," said Crawford. "IT GRC has become a very loaded term, with incredibly high expectations. Yet, in many cases, it is still loosely defined let alone well understood. This limits the ability of senior management to support IT GRC initiatives, resulting in greater exposure to risk and — worst of all — hampering the ability of IT to deliver tangible business value."

The survey, completed by 224 IT and non-IT professionals, calls attention to major issues associated with IT GRC management within organizations. According to the study findings, 13 percent of those polled said their organization does not even have a strategy in place to assure the confidentiality of sensitive information. In addition, 29 percent of all respondents indicated that the board of directors and senior executives do not properly support IT GRC initiatives.

The study also calls out the high value of adopting IT Service Management best practices such as the IT Infrastructure Library (ITIL), which was embraced by 55 percent of all respondents. When EMA divided individuals who took the survey into three groups based on the level of maturity of their IT GRC management, those in the "high performer" category consistently showed greater maturity in domains of IT Service Management directly related to IT GRC priorities, as well as more positive outcomes in multiple aspects of IT risk control. "Our findings show that those who performed best in meeting the many challenges of IT GRC were those who most recognized the need for best practices in IT Service Management, such as configuration control, event and incident response and sensitivity to business priorities," said Crawford.

Not surprisingly, high performers had more positive outcomes overall and reported fewer disruptive security events than the medium and low performers: 64 percent of the high performers indicated that fewer than 10 percent of security incidents resulted in disruptions to IT performance, availability or resource integrity in the past year. In addition, high performers had more positive outcomes when it came to the success of IT projects, IT change success and percentages of unplanned work.

When looking at the overall success of IT GRC implementations, high performers cited the following factors:

- Configuration Management:
  - Ninety-four percent of high performers define configuration control processes, ensure that defined processes are followed and enforce consequences for deviations.
  - Ninety-one percent of high performers monitor the IT environment for changes and use monitoring information to enforce change control.
  - High performers also showed higher maturity than medium or low performers in the adoption of best practices in configuration-related IT management, such as the Configuration Management Database (CMDB).
- Access Monitoring and Business Risk Control:
  - The majority of high performers (77 percent) monitor the internal IT environment for anomalous behavior or other indications of potential security risks before a suspicion exists.
  - Seventy-seven percent of high performers monitor IT access and use for indications of fraud and other business risks before a suspicion exists.

Other areas in which high performers show greater maturity in IT GRC include:

- Security management
- Event management and incident response
- Business continuity planning and management
- Realism in defining risk management processes with increasing interest in detailed visibility into activity in IT

According to EMA, businesses must continue to learn from the ways in which the high performers define IT GRC effectiveness. "One of the most frequent questions heard from medium and low performers during our research was, 'Where is the best place to start with IT GRC?,'" said Crawford. "Given the feedback from high performers, we believe the answer is to start with IT Service Management best practices. When a mature approach to IT Service Management is in play, IT GRC not only improves risk management outcomes, it enables IT to become a true strategic asset to the business."

Crawford will share additional highlights from this study during a free webinar on this topic on Wed., May 28 at 2 p.m. EDT. For more information and to register please visit: http://www.emausa.com/ema_lead.php?ls=itgovwebpr0508&bs=itgovweb0508

The new EMA(TM) Research Report "IT Governance, Risk and Compliance Management in the Real World" is available now. To purchase the full report, contact EMA at 303.543.9500 or sales@enterprisemanagement.com.

NOTE TO EDITORS

For more information or to speak with Crawford please contact Guy Murrel at gmurrel@catapultpr-ir.com or at 303-581-7760, ext.17.

About Enterprise Management Associates

Founded in 1996, Enterprise Management Associates (EMA) is a leading industry analyst and consulting firm dedicated to the IT management market. The firm provides IT vendors and enterprise IT professionals with objective insight into the real-world business value of long-established and emerging technologies, ranging from security, storage and IT Service Management (ITSM) to the Configuration Management Database (CMDB), virtualization and service-oriented architecture (SOA). Even with its rapid growth, EMA has never lost sight of the client, and continues to offer personalized support and convenient access to its analysts. For more information on the firm's extensive library of IT management research, free online IT Management Solutions Center and IT consulting offerings, visit http://www.enterprisemanagement.com.

SOURCE Enterprise Management Associates
