Governance is not the endgame

I was in Chicago last week as a guest speaker at a Gartner Risk Management and Compliance event. The event was well attended, albeit somewhat down on numbers from previous years. However, it is clear that interest in this topic remains high.

One subject which came up for regular debate was the use, and the meaning, of the frequently used acronym GRC (governance, risk, and compliance). I touched on this in my first blog a few weeks ago. As discussed in this earlier blog, the term itself is misleading, as many regard the management of risk and the achievement of compliance as part of governance and not separate entities. Similarly, where does the achievement of value sit within the GRC acronym? Gartner itself seems to be moving away from the acronym, with some of their analysts supporting my view that the term has been hijacked by certain elements of the software vendor market to pigeonhole certain of their products. Hence, arguably, the term has not only become confused but also cheapened as a result.

There is equal confusion over the meaning of governance, although this debate sometimes misses the point. In my view, governance is the structure and processes through which enterprises gain assurance that IT achieves value, mitigates risk and achieves relevant compliance. The whole enterprise plays its part in this, including the CEO and the Boardroom, IT management, security and assurance specialists, business management and finance. Governance itself is not the endgame. What it should help to provide is trust in information systems and value creation from IT. That is the endgame, not the process itself.


1 Comment

  • Hi Paul,

    I couldn't agree with you more. What I find striking is that time and time again, value does not seem to be on the agenda.
    I used to think that value would play a role at (IT) Portfolio Management, but many companies don't look at value when talking about managing the portfolio of projects. So IT Governance software such as CA's Clarity, Compuware's Changepoint, Microsoft Executive Dashboard are not the biggest help to drive value from IT. Then came indeed GRC, but again, and you are right, value is not included here. So despite the more than a million hits on Google for 'GRC software', no help for value delivery there either.
    First, I personally believe that Value & IT is only adopted by the more mature companies. However, if a company would like to start with understanding the value of IT, where do you start?
    Second, how do you start the age of enlightenment, or have we slowly started already?

    CJ


About this Entry

This page contains a single entry by Paul Williams published on May 8, 2009 1:05 PM.
