
    Managing information security risk using integrated governance risk and compliance.

    This paper aims to demonstrate the building blocks of an IT Governance, Risk and Compliance (IT GRC) model as well as the phased stages of the optimal integration of IT GRC frameworks, standards and models through a longitudinal study. A qualitative longitudinal single case study methodology was followed, with multiple open-ended interviews conducted over a period of four years (July 2012 to November 2015) in a retail financial institution. Our empirical study contributes to both academic research and practice in IT GRC. First, we identified the various building blocks of the IT GRC domain from vertical as well as horizontal perspectives. Second, we methodologically demonstrated the gradual evolution of IT GRC from a single ITG framework to multiple IT GRC building blocks. The journey thus throws light on the gradual, staged process by which an organization attains maturity in IT GRC. The resultant IT GRC model guides managerial actions towards a better understanding of the positioning of IT GRC building blocks in an organization through an understanding of the interaction of vertical and horizontal domains. The results of the paper thus enable practitioners and academics to better understand and evaluate IT GRC implementation for effective governance, reduced risk and ensured compliance in organizations.

    A High-Level Scheme for an Ontology-Based Compliance Framework in Software Development

    The software development market is currently witnessing an increasing demand for software applications' conformance with the international regime of GRC (Governance, Risk and Compliance). In this paper, we propose a compliance requirement analysis method for the early stages of software development based on a semantically rich model, where a mapping can be established from the legal and regulatory requirements relevant to a system context to the software system's business goals and contexts. The proposed semantic model consists of a number of ontologies, each corresponding to a knowledge component within the developed framework of our approach. Each ontology is a thesaurus of concepts in the compliance and risk assessment domain related to system development, along with the relationships and rules between concepts that comprise the domain knowledge. The main contribution of the work presented in this paper is a case study that demonstrates how description-logic reasoning techniques can be used to simulate the legal reasoning requirements employed by legal professionals against the description of each ontology.

    IT in health care: a business enabler?

    Information processing in health care demands reliable, relevant, systematic, integrated, and managed data throughout care delivery. This leads, even with IT, to increased and time-consuming activities and can cause potentially dangerous situations for the patient, as important data may not be available when needed, which in turn can lead to wrong diagnostic or therapeutic decisions. Consequently, hospital IT executives must balance many competing priorities. These endeavours require, in addition to the appropriate utilisation of given IT resources, a farsighted alignment of IT issues with objectives, and a thorough understanding of uncertainties and legal obligations. This approach to integrated IT governance, IT risk management, and IT compliance (IT GRC) in the hospital environment is the subject of the work presented here. This investigation is associated with a survey that was conducted in 2009 and therefore allows drawing conclusions on the progress of IT GRC management in Swiss hospitals over the last 5 years. The findings revealed that IT GRC in health care is still all too often seen as the realm and sole responsibility of the CIO and the IT department. The findings proved that IT GRC has not been utilised sufficiently by the executive management of many hospitals, especially the public ones. The findings revealed that the reasons for the less pervasive spread of managed IT GRC can be structured into four main categories representing the greatest barriers to a successful convergence of integrated IT GRC.

    A Framework for Assessing Organisational IT Governance Risk and Compliance

    Enterprises have begun to understand that information technology (IT) is not only about technical aspects. Managing IT requires (IT) governance, (IT) risk management and (IT) compliance. In the classical approach each of these has been dealt with separately, which is not very efficient: business produces value, and every process is being optimised. The solution to this problem is the "GRC" paradigm (Governance, Risk management and Compliance) brought over from the business world, which would unite all of these. This master's thesis presents a systematic literature review on the topic of IT GRC and an IT GRC framework compiled from its results, whose aim is to simplify enterprises' efforts in adapting their IT processes. To assist the end user, a web application has also been created for the framework, which helps in applying it. The framework created is based on scientific articles and has also passed initial validation.
    Today, enterprises have come to understand that Information Technology (IT) is more than just a technical issue. Disciplines such as IT governance, (IT) risk management and (IT) compliance have been established to steer it. Though there have been some improvements, these domains are usually addressed separately in silos, which raises a problem of performance and efficiency, where less business value is created due to the complexity of the process flows. In order to cure this, there has been an adoption from the business world, referred to as "GRC", which covers all three disciplines of governance, risk management and compliance. The paper conducts a systematic review of the discipline of IT GRC, drawing out best practices, researching what has been done to integrate them and proposing a synthesized framework from the review results. The framework, unifying the disciplines, is intended to ease the adoption of IT GRC in an enterprise, providing a structure to manage IT and business together and thereby improve business performance.
In addition to proposing an IT GRC framework, the paper presents a web application to support the framework's adoption. The proposed model is based on the scientifically proven best practices of the state of the art, which gives a degree of certainty about its value. The empirical study will help to contribute to improving the effectiveness of IT GRC compared to the traditional approach commonly practiced in enterprises.

    The impact of regulation on growth and informality - cross-country evidence

    The authors study the effects of regulation on economic growth and the relative size of the informal sector in a large sample of industrial and developing countries. Along with firm dynamics, informality is an important channel through which regulation affects macroeconomic performance and economic growth in particular. The authors conclude that a heavier regulatory burden, particularly in product and labor markets, reduces growth and induces informality. These effects are, however, mitigated as the overall institutional framework improves.

    Blockchain-based Governance, Risk Management, and Compliance for Fractional Ownership: Design and Implementation of A Decentralized Autonomous Agent System

    Fractional ownership makes homeownership more affordable. But there are challenges in a fractional ownership real estate transaction (FORET) regarding governance, risk management and compliance (GRC) processes. Centralized GRC solutions are less effective in managing the tiered structure of communications in a FORET, which can lead to principal-agent problems such as information asymmetry, risk aversion, and moral hazard. In this research we investigate how these principal-agent problems in FORET could be mitigated. Using an agency theory perspective, we adopt a design science multimethodological research approach. We propose conceptual and system artefacts to support the design and implementation of a decentralized autonomous agent system. These artefacts deliver a formal problem representation structure related to centralized GRC in fractional ownership. We illustrate our solution with a system prototype and implementation. We evaluate the research outputs and compare them with existing GRC systems. This paper contributes to the understanding of GRC in supporting fractional ownership decision making.

    The Implementation of Governance Risk and Compliance Information Systems (GRC IS): Adoption Lifecycle and Enterprise Value

    Governance, Risk and Compliance (GRC) has become an emerging field within the IS academic community. Motivated by this research direction, the study capitalizes on the theoretical background of Enterprise Systems (ES) and extends the focus to GRC systems' implementation (enterprise value and lifecycle). Building upon expert views on GRC IS implementation projects, the analysis indicates that the three value drivers of integration, optimization and information should be considered throughout the whole GRC IS implementation lifecycle.

    Compliance Requirement for Dealing with Risks, Governance and IT Compliance

    The common approaches to a compliance requirement are to identify and manage the risks that an organization faces and to advise on them. This paper examined and analyzed the best ways for businesses to adopt and enhance different effective compliance regulations and the key issues that must be enforced by businesses. These approaches help organizations identify the simplest compliance guidelines in order to manage and govern their risks. Given the massive revolution in technology, it is important to pay attention to IT compliance. Our findings show that IT compliance adoption will help organizations to better manage risks and to reduce the cost of the compliance procedure.

    Understanding governance, risk and compliance information systems (GRC IS): the experts view

    Although Governance, Risk and Compliance (GRC) is an emerging field of study within the information systems (IS) academic community, the concept behind the acronym still has to be demystified and further investigated. The study investigates GRC systems in depth by (a) reviewing the literature on existing GRC studies, and (b) presenting a field study on the views of professional experts about GRC application. The aim of this exploratory study is to understand the aspects and the nature of the GRC system following an enterprise systems approach. The result of this study is a framework of particular GRC characteristics that need to be taken into consideration when these systems are put in place. This framework includes specific areas such as: goals and objectives, purpose of the system, key stakeholders, methodology and requirements prior to implementation, critical success factors, and problems/barriers. Further discussion about the issues, the concerns and the diverse views on GRC would assist in developing an agenda for future research in the GRC field.
