http://www.bloginfosec.com/2008/09/08/governance-risk-management-compliance-pt-1-form-over-content/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://www.bloginfosec.com/2008/09/08/governance-risk-management-compliance-pt-1-form-over-content/comment-page-1/#comment-17189 John Wheeler Fri, 26 Sep 2008 14:58:16 +0000 http://www.bloginfosec.com/?p=545#comment-17189 I agree with your article and have some additional thoughts. I think the GRC exercise does quickly become form over substance because many companies try to lead with a technology solution and then design their processes to support that solution. First and foremost, GRC processes should be designed to support the business and ultimately be integrated with decision-making processes within the business. Then, technology should be employed to streamline the processes to create additional efficiencies. While most folks are focusing on converging the G, R & C, they are leaving out the most important element - the B (the business that is). I agree with your article and have some additional thoughts. I think the GRC exercise does quickly become form over substance because many companies try to lead with a technology solution and then design their processes to support that solution. First and foremost, GRC processes should be designed to support the business and ultimately be integrated with decision-making processes within the business. Then, technology should be employed to streamline the processes to create additional efficiencies. While most folks are focusing on converging the G, R & C, they are leaving out the most important element – the B (the business that is).

]]>