Governance, Risk, & Compliance (GRC)

What is Governance, Risk, & Compliance (GRC)?

Governance, Risk, & Compliance (GRC) is a set of capabilities, processes, and standards designed to help businesses manage risk and compliance within their organization.

Governance – the policies, procedures, and rules that keep business activities aligned with business goals.

Risk – the broad assessment and management of organizational risk, for example legal, financial, and security risk.

Compliance – adherence to all government laws and industry regulations relevant to an organization.

The term governance, risk, and compliance was originally coined by the Open Compliance and Ethics Group (OCEG), a non-profit think tank dedicated to developing ethical approaches to business. They describe governance, risk, and compliance as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity.” OCEG also developed the GRC Capability Model, which guides the planning, assessment, and improvement of GRC capabilities within an organization. The open-source standard integrates the disciplines of governance, risk, audit, compliance, ethics/culture, and IT into one unified approach.

As a broad term, governance, risk, and compliance encompasses both digital and physical security, though in this article we’ll focus on the application aspects of GRC as they relate to compliance and internal audits.

What does an Application Governance, Risk, & Compliance (GRC) implementation look like?

To understand a GRC implementation, we’ll use the Capability Maturity Model and its three phases: Get Clean, Stay Clean, and Optimize.

Get Clean

“Getting Clean” is achieved by establishing risk rulesets, executing detective risk reports and usage analysis, and documenting mitigating controls.

The risk ruleset tells you when you have a Separation of Duties (SoD) or a sensitive access risk. You can address the risks in SoD reports through either mitigation (applying a control to monitor risk for users) or remediation (removing the access causing the risk). And then, you will need to document the controls that help you address those risks.

Steps in the Get Clean phase: (1) establish rulesets, (2) execute SoD risk assessments, (3) document mitigating controls, (4) address risk in SoD reports.

To meet the goal of a standardized and measured risk environment, you will need to assess the current risk environment for single and cross-application SoDs, establish a risk management approach, and address the risks detected in the current environment. The result is a clean state, meaning you have no unknown risks in your environment. Risks have been quantified and addressed, either by removing the risk through remediation or by addressing it with a mitigating control, which will monitor it for you. Once you’ve done that, you need to stay clean.

Stay Clean

Now that you’ve done the detective work, you can “Stay Clean” by moving forward into an automated provisioning and risk management process. This step lets you run preventive risk checks during access provisioning, so the risk introduced by anyone joining or moving around in the business is addressed proactively, before the access is granted.

To succeed, you’ll need a solution that ensures no stale access remains assigned for users as job responsibilities change. This is done by revalidating their access on an audit-approved frequency with access certifications (also called User Access Reviews or UARs). With automated provisioning and risk management processes, you can address joiner, mover, and leaver events in access requests workflows – through access provisioning and deprovisioning.

Steps in the Stay Clean phase: (1) utilize access request workflows, (2) enable certification, (3) enable emergency access, (4) address risk in SoD reports.

For example, when someone changes jobs (a mover) within an organization, they may get their new access but their legacy access isn’t removed, which increases risk in the environment. By using access certifications on a standardized basis, that access is reviewed and reapproved or removed. So a solution that offers automated provisioning and access reviews keeps your access clean and removes anything that’s stale.

Another scenario involves utilizing emergency access requests, also referred to as firefighter or elevated access requests. Such requests are granted on an emergency basis and are rescinded when the emergency situation is resolved, reducing risk. Regular access certification and use of emergency access management processes ensure that no standing elevated access is allowed and that critical access is limited, which keeps the environment secure. Again, as your process matures and you begin managing all of your users, you can review essential access more closely.

Another critical capability to help you “stay clean” is usage tracking. Usage tracking ensures access requests and recertifications get reviewed to determine if the access is being utilized and is truly necessary or if removal can reduce the overall risk exposure. Once these capabilities are achieved, you have established a controlled and repeatable set of processes for providing access reviews and elevated access. Now you must keep your system optimized on an ongoing basis.
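The mover and usage-tracking scenarios above can be combined into one selection rule for a certification campaign: access granted before the user’s last job change is legacy access, and access with no recorded use inside an audit-approved window is a removal candidate. The following is an added example, not Saviynt’s code or any product API; the users, entitlement names, dates and the 90-day threshold are all constructed for illustration.

```python
"""Added example: selecting items for an access certification (UAR) campaign by
combining mover events with usage tracking. Users, entitlements and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    user: str
    entitlement: str
    granted_on: date
    last_used: Optional[date]  # None = never seen by usage tracking


UNUSED_AFTER = timedelta(days=90)  # assumed audit-approved threshold for "not in use"
AS_OF = date(2024, 6, 30)          # constructed campaign date

# Constructed snapshot: dave moved to a new role on 2024-03-01 and kept his old AP access.
JOB_CHANGES = {"dave": date(2024, 3, 1)}
ASSIGNMENTS = [
    Assignment("dave", "erp:ap_invoice_entry", date(2022, 5, 10), date(2024, 2, 20)),
    Assignment("dave", "crm:case_manage", date(2024, 3, 1), date(2024, 6, 28)),
    Assignment("erin", "hr:payroll_view", date(2023, 1, 15), None),
    Assignment("erin", "hr:employee_read", date(2023, 1, 15), date(2024, 6, 1)),
]


def review_reasons(a, job_changes, today):
    """Why this assignment needs certifying: legacy access from a previous role and/or no recent use."""
    reasons = []
    moved_on = job_changes.get(a.user)
    if moved_on is not None and a.granted_on < moved_on:
        reasons.append("legacy-from-previous-role")
    if a.last_used is None or today - a.last_used > UNUSED_AFTER:
        reasons.append("unused")
    return reasons


def certification_items(assignments, job_changes, today):
    """Build the campaign: each flagged assignment with its reasons and a suggested default action.
    Access that is both legacy and unused defaults to revoke; anything else is left to the reviewer."""
    items = []
    for a in assignments:
        reasons = review_reasons(a, job_changes, today)
        if not reasons:
            continue  # granted in the current role and recently used: not worth reviewer time
        default = "revoke" if len(reasons) == 2 else "reviewer-decides"
        items.append({"user": a.user, "entitlement": a.entitlement,
                      "reasons": reasons, "default": default})
    return items


if __name__ == "__main__":
    for item in certification_items(ASSIGNMENTS, JOB_CHANGES, AS_OF):
        print(item)
```

Running it lists dave’s old AP entitlement as a revoke candidate (legacy and unused) and erin’s never-used payroll view for reviewer decision, while access that is current and in use stays out of the campaign, which is what keeps certification fatigue down.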

Optimize

The focus of the optimization phase is on continuous compliance monitoring through further cleanup of unused or excessive access. This stage can be accomplished with a solution that offers built-in controls, integrated risk simulations, and role entitlement / engineering management tools. These allow you to focus on continually improving your environment after establishing a documented, repeatable, and automated risk management process. A solution that can provide role mining views and access analytics reporting is ideal here. Additionally, the environment can be further optimized by a solution that provides license cleanup and realignment reviews.

Steps in the Optimize phase: (1) process improvement and optimization, (2) utilize access analytics, (3) utilize role mining / engineering.

Out-of-the-box compliance controls provide visibility for SOX, HIPAA, GDPR, and other regulatory requirements. Integrated risk simulations allow for review of possible role or user changes and the SoD risk impact of those changes, prior to submitting requests. Additionally, role entitlement / engineering management tools allow for deep-dive analysis to review existing entitlement design and determine if adjustments should be considered based on usage of various user groups. Each of these features supports the ongoing optimization and management of your application environments.

At this point, you’ve addressed existing detected risks – and implemented preventative risk detection, automated access provisioning, certifications, and emergency access requests. So you can now optimize the environment by managing and monitoring environmental controls on an ongoing basis, establishing a complete customer lifecycle end-to-end, and avoiding gaps that may result in audit and compliance concerns.

Why is Application Governance, Risk, & Compliance (GRC) important to your business?

Virtually every enterprise has begun its cloud journey with the business applications that are the cornerstones of its operations. Be it ERP, HR, service ticketing, or EMR, these applications and infrastructure resources represent most of today’s business applications; many have made their way to the cloud, while others are still on-premises. The hybrid IT environment has come to fruition, and along with it come some risks.

First and foremost, organizations must manage risks associated with Separation of Duties. Important business tasks need to involve more than one actor, and follow rulesets that ensure there is visibility into both potential and actual security risks. Innovative application GRC solutions provide visibility into SoD risks, and a way to ensure the right people have the right access to sensitive and privileged data, apps, and infrastructure at the right time.

Another important challenge organizations struggle with is that different application providers use different GRC security models, and they each speak their own language. SAP does it one way, Oracle does it another way, etc. Given the cloud ecosystem and sheer volume of applications that require different approaches to GRC, a broad solution that provides rulesets for detecting SoD violations is required. To understand this better, let’s compare the traditional coarse-grained approach with the more evolved fine-grained approach.

Many GRC implementations use a coarse-grained approach. They are only interacting at the highest levels of the application’s security model. On the other hand, Saviynt provides cross-application governance, risk, and compliance to leverage a fine-grained approach that looks for potential violations much deeper in the application security model, making it more likely to find potential problems before they become actual risks.

Saviynt & Governance, Risk, & Compliance (GRC)

Traditionally GRC programs are applied to individual ERP environments and applications. Saviynt’s AAG solution builds on this approach by enabling cross-functional support of multiple ERP environments and applications. It’s a GRC-inspired solution built for an enterprise that increasingly lives in the cloud.

Saviynt goes BROAD – being cross-application, with rulesets for 15+ apps, and DEEP – into the business process, making it more likely to find SoD violations, while breaking up workflows to involve more than one actor. Our AAG solution identifies both potential and actual SoD risks.

The AAG solution protects data security and privacy by setting access controls that limit users’ access to the organization’s on-premises, hybrid, cloud services, systems, networks, and software. The solution helps organizations achieve compliance across all cloud and on-premises applications — and provides organizations with cross-application GRC capabilities.

Mitigate risk across applications

Reduce segregation of duties (SoD) risks with out-of-the-box risk & security controls

Manage Real-time Emergency Access

Use Break-the-Glass provisioning capabilities to control temporary access & continually monitor access

Guide Decisions with Insights

Bring critical risks forward for remediation & optimize your security team’s workload

Deploy Cloud-First Application Access

Guard enterprise apps with cloud-architecture in ways that legacy systems can’t

Control Access to Limit Risks

Utilize risk-aware certifications, license management, and alerts on risky requests

Ensure Audit-Ready Cross-Application Compliance

Manage multiple applications and give compliance managers the reports they need

Questions People Often Ask About Governance, Risk, & Compliance (GRC)

What’s the difference between application governance, risk, and compliance and traditional GRC?

Application governance, risk, and compliance focuses on managing the risk and compliance issues related to identity and access within applications, whereas traditional GRC broadly addresses all security surfaces, including physical security.

When you onboard applications, what are the inherent risks?

See our post on onboarding for a detailed breakdown of the inherent risks associated with onboarding both humans and non-humans.

How does AAG help with compliance?

Out-of-the-box compliance controls provide visibility for SOX, HIPAA, GDPR, and other regulatory requirements. Integrated risk simulations allow for review of possible role or user changes and the SoD risk impact of those changes, prior to submitting requests. Additionally, role entitlement / engineering management tools allow for deep-dive analysis to review existing entitlement design and determine if adjustments should be considered based on usage of various user groups. Each of these features supports the ongoing optimization and management of your application environments.

How does Saviynt handle out-of-the-box rulesets vs custom rulesets?

Companies use rulesets to ensure that an action taken by a user doesn’t create a Separation of Duty violation when the user takes another action. For example, to reduce fraud, a company may have a ruleset that prevents a user from creating an invoice and then paying that invoice. Saviynt provides out-of-the-box rulesets for most of the major SaaS ERP and EHR/EMR solutions that are available today. This saves companies time and effort over building their own rulesets. Many organizations have custom rulesets for their applications that they have created over time. Saviynt’s AAG solution has the ability to ingest these custom rulesets so they work alongside our out-of-the-box rulesets.
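The invoice example above, the Get Clean report (mitigate or remediate each finding) and the Optimize phase’s pre-request risk simulation all rest on the same mechanism: a ruleset that names pairs of business functions that one user must not hold together, resolved against fine-grained entitlements rather than top-level role names. The following is an added example, not Saviynt’s code or any product API; the rule ids, entitlement names, users and control id are constructed for illustration.

```python
"""Added example: a minimal fine-grained SoD ruleset evaluator with a detective report,
mitigating-control tracking, remediation and preventive (pre-request) simulation.
All rule ids, entitlement names, users and control ids are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SodRule:
    rule_id: str
    description: str
    functions: tuple  # business functions that a single user must not hold together
    risk_level: str


# Business function -> fine-grained entitlements (roles/transactions) that grant it.
# A fine-grained ruleset resolves conflicts at this level, not at the top-level role name.
FUNCTION_ENTITLEMENTS = {
    "CREATE_INVOICE": {"erp:ap_invoice_entry", "erp:ap_invoice_park"},
    "PAY_INVOICE": {"erp:ap_payment_run"},
    "MAINTAIN_VENDOR": {"erp:vendor_master_change"},
}

RULESET = [
    SodRule("AP01", "Create an invoice and pay that invoice",
            ("CREATE_INVOICE", "PAY_INVOICE"), "HIGH"),
    SodRule("AP02", "Maintain vendor master data and create invoices",
            ("MAINTAIN_VENDOR", "CREATE_INVOICE"), "MEDIUM"),
]

# Constructed user entitlement snapshot and documented mitigating controls.
USERS = {
    "alice": {"erp:ap_invoice_entry", "erp:ap_payment_run"},
    "bob": {"erp:ap_invoice_park"},
    "carol": {"erp:vendor_master_change", "erp:ap_invoice_entry"},
}
MITIGATIONS = {"alice": {"AP01": "CTRL-AP-07"}}  # constructed id, e.g. an independent payment-run review


def functions_held(entitlements):
    """Map a user's entitlements back to the business functions they grant."""
    ents = set(entitlements)
    return {f for f, granting in FUNCTION_ENTITLEMENTS.items() if granting & ents}


def violations_for(entitlements):
    """Rule id -> sorted list of the entitlements causing the conflict."""
    ents = set(entitlements)
    held = functions_held(ents)
    hits = {}
    for rule in RULESET:
        if all(f in held for f in rule.functions):
            causing = set()
            for f in rule.functions:
                causing |= FUNCTION_ENTITLEMENTS[f] & ents
            hits[rule.rule_id] = sorted(causing)
    return hits


def sod_report(users, mitigations):
    """Detective SoD report: one row per (user, rule); 'mitigated' if a control is documented, else 'open'."""
    rows = []
    for user, ents in users.items():
        for rule_id, causing in violations_for(ents).items():
            control = mitigations.get(user, {}).get(rule_id)
            rows.append({"user": user, "rule": rule_id,
                         "status": "mitigated" if control else "open",
                         "control": control, "entitlements": causing})
    return rows


def simulate_request(current, requested):
    """Preventive check: rules that would be NEWLY violated if the request were provisioned."""
    before = violations_for(current)
    after = violations_for(set(current) | set(requested))
    return {r: ents for r, ents in after.items() if r not in before}


def remediate(entitlements, function):
    """Remediation: remove every entitlement that grants the given business function."""
    return set(entitlements) - FUNCTION_ENTITLEMENTS[function]


if __name__ == "__main__":
    for row in sod_report(USERS, MITIGATIONS):
        print(row)
    print("bob + payment run ->", simulate_request(USERS["bob"], {"erp:ap_payment_run"}))
```

The report shows alice’s create-and-pay conflict as mitigated by its documented control and carol’s vendor-master conflict as open, so the Get Clean state is reached only once carol’s finding is either remediated or given a control. Simulating bob’s request for the payment run flags AP01 before provisioning, which is the preventive check the Stay Clean and Optimize phases rely on; note that the simulation reports only new conflicts, so a request that leaves an already-mitigated conflict unchanged is not re-flagged.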
