The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Numerous risks are inherent in the technologies that all organizations use. These risks have become especially apparent with recent ransomware attacks, which have crippled major infrastructure such as the Colonial Pipeline in the Eastern United States [1]. This discussion will focus on how GRC, or governance, risk, and compliance, can help organizations identify and manage the risks they face.
As GRC is broken down into three components, a discussion of each will illuminate why each is critical for risk management. The first component of GRC is governance. Governance involves ensuring that the IT organization is managed in a way that is consistent with the overall business goals [2]. The overall business goals are the strategy that an organization puts in place to ensure that it enjoys a competitive advantage. It is necessary to ensure that proper controls are in place that manage risks, and that starts at the governance level, with high-level business strategies [3].
From an IT perspective, risk involves IT management ensuring that any organizational activities they conduct are consistent with the organizational business goals, as just stated. This means that the IT department's risk management process should be part of the corporate risk management function. When IT departments limit their activities to economic and technical aspects, they fail to engage with the organization's strategy, which in turn fails to fully leverage the strength and potential of the company [4].
The IT department’s risk strategies, when aligned with the corporate risk management policies, work in concert to make certain that the risks identified by upper management are reflected in risk management and prevention that occurs within the IT department. One way that organizations using GRC ensure that IT remains aligned with the corporate leadership’s risk management policies and objectives is by setting specific measurable objectives that demonstrate the effectiveness of how GRC is applied in the IT context.
The final area of GRC is compliance. While often considered mere adherence to laws and regulations, compliance can have a real impact on risk as well. As the complexity of complying with a myriad of regulatory requirements increases, the IT department is often involved in helping the company meet compliance demands. Meeting these complex compliance demands (which come with significant penalties for failure) can often only be accomplished with the support of IT, as the IT department establishes the systems and processes that help the organization remain in compliance. If surveillance systems are not set up and used properly and the organization is found to be out of compliance, the resulting financial penalties could pose an enormous risk and could be crippling for the organization [5].
As this brief discussion has outlined, using GRC to manage IT departments is essential for multiple reasons. First, it ensures that the IT department is aligned with the rest of the organization and its strategies. Second, IT organizations run using GRC ensure that their risk management activities are aligned with the corporate risk management activities, so that risks identified by leadership are addressed in IT. Finally, using GRC ensures that the IT department does its part to keep the organization in compliance with regulatory demands, which protects against the risk of costly penalties for compliance failures.
1. Ransomware attack forces shutdown of largest fuel pipeline in the U.S. (https://www.cnbc.com/2021/05/08/colonial-pipeline-shuts-pipeline-operations-after-cyberattack.html)
2. What is GRC and why do you need it? (https://www.cio.com/article/230326/what-is-grc-and-why-do-you-need-it.html)
3. Corporate Governance and Risk Management: Lessons (Not) Learnt from the Financial Crisis (https://www.mdpi.com/1911-8074/14/9/419)
4. The impact of enterprise risk management on competitive advantage by moderating role of information technology (https://www.sciencedirect.com/science/article/abs/pii/S0920548918301454)
5. Dialectic Tensions in the Financial Markets: A Longitudinal Study of Pre- and Post-Crisis Regulatory Technology (https://journals.sagepub.com/doi/10.1057/s41265-017-0047-5)