An approach commonly known as governance, risk management, and compliance (GRC) has evolved to analyze risks and manage mitigation in alignment with business and compliance objectives. Governance ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. All of this happens within a clearly defined context that might span a division, the entire organization, or a specific set of cross-discipline functions.
Design of the governance process should be done after the organization has:
- Identified its desired outcomes
- Identified the organizational role responsible for attaining each outcome
- Identified the relevant metric(s) that indicate attainment of each goal
- Outlined the decision-making process for each goal
Risk management is a systematic process for identifying, analyzing, evaluating, remediating, and monitoring risk. It should be a component of any adopted decision-making process. As a result of the risk management process, an organization or group might decide to mitigate a risk, transfer it to another party, avoid it altogether, or assume it along with its potential consequences.
Compliance generally refers to the actions that ensure behavior conforms to established rules, together with the tools that verify that conformance. It encompasses compliance with laws as well as with the enterprise's own policies, which in turn can be based on best practices. Compliance requirements are not static, nor are they geographically homogeneous. This means effective compliance efforts must be both dynamic and adaptable to local or regional requirements. In cloud computing, this is especially critical when dealing with data protection and privacy.