Date
 © 2012 ISACA. All rights reserved. No part of this
publication may be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval
system or transmitted in any form by any means
(electronic, mechanical, photocopying, recording or
otherwise) without the prior written authorisation of
ISACA. Use of this publication is permitted solely for
personal use and must include full attribution of the
material’s source. No other right or permission is
granted with respect to this work.
2
GRC
GRC:
 Governance, risk management and
compliance
 An increasingly used ‘umbrella term’
that covers these three areas of
enterprise activities
 These areas of activity are
progressively being more aligned and
integrated to improve enterprise
performance and delivery of
stakeholder needs.
GRC Definitions
GRC:
 Governance—Exercise of authority; control;
government; arrangement.

Risk (management )—Hazard; danger; peril;
exposure to loss, injury, or destruction (The act or art
of managing; the manner of treating, directing,
carrying on, or using, for a purpose; conduct;
administration; guidance; control)
 Compliance—The act of complying; a yielding; as
to a desire, demand, or proposal; concession;
submission
 Webster’s Online Dictionary
Types of Governance
 Different types of governance exist:
 Corporate governance
 Project governance
 Information technology governance
 Environmental governance
 Economic and financial governance
 Each type has one or more sources of
guidance, each with similar goals but
often varying terms and techniques for
their achievement.
Implementing Governance
 The integration of the implementation
of the GRC activities within an
enterprise requires a systemic
approach for reliably achieving the
business goals of its stakeholders.
 Such approaches are typically based on
enablers of various types (e.g.,
principles, policies, models,
frameworks, organisational structures).
A GRC Model Example
 From the OCEG Red Book GRC Capability
Model version 2.1
Corporate Governance of IT
 ISO/IEC 38500: 2008
 Corporate governance of information
technology
 1.1 Scope
 This standard provides guiding principles for directors of
organizations (including owners, board members, directors,
partners, senior executives, or similar) on the effective, efficient,
and acceptable use of Information Technology (IT) within their
organizations.
 This standard applies to the governance of management processes
(and decisions) relating to the information and communication
services used by an organization. These processes could be
controlled by IT specialists within the organization or external
service providers, or by business units within the organization.
Corporate Governance of IT (cont.)
ISO/IEC 38500: 2008
Corporate governance of information
technology
2.1 Principles
2.1.1 Principle 1: Responsibility
2.1.2 Principle 2: Strategy
2.1.3 Principle 3: Acquisition
2.1.4 Principle 4: Performance
2.1.5 Principle 5: Conformance
2.1.6 Principle 6: Human Behaviour
Corporate Governance of IT (cont.)
ISO/IEC 38500: 2008
Corporate governance of
information technology
2.2 Model
Directors should govern IT through three main tasks:
a) Evaluate the current and future use of IT.
b) Direct preparation and implementation of plans and policies
to ensure that use of IT meets business objectives.
c) Monitor conformance to policies, and performance against
the plans.
ISACA and COBIT
 ISACA actively promotes research that
results in the development of products
both relevant and useful to IT governance,
risk, control, assurance and security
professionals.
 ISACA developed and maintains the
internationally recognised COBIT
framework, helping IT professionals and
enterprise leaders fulfil their IT
governance responsibilities while
delivering value to the business.
COBIT: Governance of Enterprise IT (GEIT)
Evolution of scope
Governance of Enterprise IT
IT Governance
Val IT 2.0
Management
(2008)
Control
Risk IT
(2009)
Audit
COBIT1
1996
COBIT2
1998
COBIT3
2000
COBIT4.0/4.1 COBIT 5
2005/7
2012
A business framework from ISACA, at www.isaca.org/cobit
Source: COBIT® 5 Introduction Presentation © 2012 ISACA® All rights reserved.
COBIT 5 in Overview
COBIT 5 brings together the five
principles that allow the enterprise to
build an effective governance and
management framework based on a
holistic set of seven enablers that
optimises information and technology
investment and use for the benefit of
stakeholders.
The COBIT 5 Framework
 Simply stated, COBIT 5 helps enterprises to create
optimal value from IT by maintaining a balance
between realising benefits and optimising risk levels
and resource use.
 COBIT 5 enables information and related technology
to be governed and managed in a holistic manner for
the whole enterprise, taking in the full end-to-end
business and functional areas of responsibility,
considering the IT-related interests of internal and
external stakeholders.
 The COBIT 5 principles and enablers are generic
and useful for enterprises of all sizes, whether
commercial, not-for -profit or in the public sector.
COBIT 5 Principles
Source: COBIT® 5, figure 2. © 2012 ISACA® All rights reserved.
COBIT 5 Enterprise Enablers
Source: COBIT® 5, figure 12. © 2012 ISACA® All rights reserved.
Governance (and Management) in COBIT 5
 Governance ensures that enterprise objectives are
achieved by evaluating stakeholder needs, conditions
and options; setting direction through prioritisation
and decision making; and monitoring performance,
compliance and progress against agreed direction and
objectives (EDM).
 Management plans, builds, runs and monitors
activities in alignment with the direction set by the
governance body to achieve the enterprise objectives
(PBRM).
 Exercising governance and management effectively in
practice requires appropriately using all enablers. The
COBIT process reference model allows us to focus easily
on the relevant enterprise activities.
Governance in COBIT 5
• The COBIT 5 process reference model subdivides the ITrelated practices and activities of the enterprise into two
main areas—governance and management—with
management further divided into domains of processes
• The GOVERNANCE domain contains five governance
processes; within each process, evaluate, direct and
monitor (EDM) practices are defined.
•01 Ensure governance framework setting and maintenance.
•02 Ensure benefits delivery.
•03 Ensure risk optimisation.
•04 Ensure resource optimisation.
•05 Ensure stakeholder transparency.
• The four MANAGEMENT domains are in line with the
responsibility areas of plan, build, run and monitor
(PBRM).
Governance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5
• The GOVERNANCE domain contains five governance
processes, one of which focuses on stakeholder risk-related
objectives: EDM03 Ensure risk optimisation.
• Process Description
• Ensure that the enterprise’s risk appetite and tolerance
are understood, articulated and communicated, and
that risk to enterprise value related to the use of IT is
identified and managed.
• Process Purpose Statement
• Ensure that IT-related enterprise risk does not exceed
risk appetite and risk tolerance, the impact of IT risk to
enterprise value is identified and managed, and the
potential for compliance failures is minimised.
Risk Management in COBIT 5 (cont.)
• The MANAGEMENT Align, Plan and Organise domain
contains a risk-related process: APO12 Manage risk.
• Process Description
• Continually identify, assess and reduce IT-related
risk within levels of tolerance set by enterprise
executive management.
• Process Purpose Statement
• Integrate the management of IT-related
enterprise risk with overall ERM, and balance the
costs and benefits of managing IT-related
enterprise risk.
Risk Management in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Risk Management in COBIT 5 (cont.)
• All enterprise activities have associated risk exposures
resulting from environmental threats that exploit enabler
vulnerabilities
• EDM03 Ensure risk optimisation ensures that the
enterprise stakeholders approach to risk is articulated
to direct how risks facing the enterprise will be
treated.
• APO12 Manage risk provides the enterprise risk
management (ERM) arrangements that ensure that
the stakeholder direction is followed by the enterprise.
• All other processes include practices and activities
that are designed to treat related risk (avoid,
reduce/mitigate/control, share/transfer/accept).
Risk Management in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests
accountabilities, and responsibilities for enterprise roles
and governance/management structures (RACI charts)
for each process. These include risk-related roles.
Source: COBIT® 5: Enabling Processes, page 108. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5
• The MANAGEMENT Monitor, Evaluate and Assess
domain contains a compliance focused process: MEA03
Monitor, evaluate and assess compliance with
external requirements.
• Process Description
• Evaluate that IT processes and IT-supported business
processes are compliant with laws, regulations and
contractual requirements. Obtain assurance that the
requirements have been identified and complied with,
and integrate IT compliance with overall enterprise
compliance.
• Process Purpose Statement
• Ensure that the enterprise is compliant with all
applicable external requirements.
Compliance in COBIT 5 (cont.)
Source: COBIT® 5, figure 16. © 2012 ISACA® All rights reserved.
Compliance in COBIT 5 (cont.)
• Legal and regulatory compliance is a key part of the
effective governance of an enterprise, hence its
inclusion in the GRC term and in the COBIT 5
Enterprise Goals and supporting enabler process
structure (MEA03).
• In addition to MEA03, all enterprise activities include
control activities that are designed to ensure
compliance not only with externally imposed
legislative or regulatory requirements but also with
enterprise governance-determined principles, policies
and procedures.
Compliance in COBIT 5 (cont.)
• In addition to activities, COBIT 5 suggests
accountabilities, and responsibilities for enterprise roles
and governance/management structures (RACI charts) for
each process. These include a compliance-related role.
Source: COBIT® 5: Enabling Processes, page 213. © 2012 ISACA® All rights reserved.
Summary
• The COBIT 5 framework includes the necessary guidance
to support enterprise GRC objectives and supporting
activities:
• Governance activities related to GEIT (5 processes)
• Risk management process—and supporting guidance
for risk management across the GEIT space
• Compliance—a specific focus on compliance
activities within the framework and how they fit
within the complete enterprise picture
• Inclusion of GRC arrangements within the business
framework for GEIT helps enterprises to avoid the main
issue with GRC arrangements—silos of activity!