An approach commonly known as governance, risk management, and compliance (GRC) has evolved to analyze risks and manage mitigation in alignment with business and compliance objectives. Governance ensures the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. All of this happens within a clearly defined context that might span a division, the entire organization, or a specific set of cross-discipline functions.
Design of the governance process should be done only after the organization has:
- Identified its desired outcomes;
- Identified the organizational role responsible for attaining each outcome;
- Identified the relevant metric(s) that indicate the accomplishment of each goal;
- Outlined the decision-making process for each goal.
Risk management is a systematic process for identifying, analyzing, evaluating, remediating, and monitoring risk. Risk management should be a component of any adopted decision-making process. As a result of the risk management process, an organization or group might decide to mitigate the risk, transfer it to another party, avoid the risk altogether, or assume the risk along with its potential consequences.
Compliance generally refers to actions that ensure behavior conforms to established rules, as well as the provision of tools to verify that conformance. It encompasses compliance with laws as well as with the enterprise’s own policies, which in turn can be based on best practices. Compliance requirements are not static, nor are they geographically homogeneous. This means effective compliance efforts must be both dynamic and adaptable to local or regional requirements. In cloud computing, this is especially critical when dealing with data protection and privacy.