Services for Organizations

Using our research, best practices and expertise, we help you understand how to optimize your business processes using applications, information and technology. We provide advisory, education, and assessment services to rapidly identify and prioritize areas for improvement and perform vendor selection

Consulting & Strategy Sessions

Ventana On Demand

    Services for Investment Firms

    We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

    Consulting & Strategy Sessions

    Ventana On Demand

      Services for Technology Vendors

      We provide guidance using our market research and expertise to significantly improve your marketing, sales and product efforts. We offer a portfolio of advisory, research, thought leadership and digital education services to help optimize market strategy, planning and execution.

      Analyst Relations

      Demand Generation

      Product Marketing

      Market Coverage

      Request a Briefing

        Robert Kugel's Analyst Perspectives

        << Back to Blog Index

        Companies Need Unified Approach to GRC for IT

        One of the most important trends in business over the past 20 years has been the broadening use of information technology to manage and support activities. In the early decades of business computing, companies developed islands of automation for largely numeric functions such as billing, inventory management and accounting. Each ran on a proprietary system and engaged the time of a relative handful of employees. Today, just about everyone works with an IT system for at least some of their operational or administrative tasks. They rely on these systems to support many of their daily routines, from recording transactions to using analytics to provide alerts, insights and decision support.

        Because the technology is involved in a wide-ranging set of business roles and deeply woven into business processes, companies need a comprehensive approach to addressing corporate governance, risk and compliance (GRC) requirements for their IT environment. In many organizations these systems are increasingly interdependent, necessitating comprehensive controls for the entire IT environment that are coherent and efficient from the users’ standpoint and potentially more effective from the IT department’s perspective; a comprehensive approach requires less work to manage and offers fewer points of potential failure.

        The need for this kind of approach was revealed in Ventana Research’s recent GRC benchmark research, in which 25 percent of participants in IT roles said they are dissatisfied with the technology their company uses to manage GRC requirements, and another 35 percent were only somewhat satisfied with what they have. Just 4 percent said they are very satisfied; the remaining one-third (36%) are simply satisfied.

        More effective technology for control systems is valuable because well-controlled IT environments are an effective barrier to control failures in risk and business management. And comprehensive governance methodologies are not only more effective but more efficient. In the old days, IT departments had to erect barriers to protect each stand-alone proprietary system and manage and monitor them separately (if they did it at all). Today, systems can be managed holistically, replacing the many little walls around islands of automation with a single secure perimeter within which many individual systems operate. Thus, rather than having to erect and manage new walls every time new systems are added, companies already have these components in place.

        For example, companies benefit by having consistent identity management and process controls to ensure they are effectively managing and mitigating the risk of fraud, errors, omissions and intrusions. As to the last, our GRC research shows that one-fourth (26%) of very large companies (those with 10,000 or more employees) experienced a breach of data privacy or data security in the prior 12 months.

        Although some organizations have already adopted a comprehensive approach to identity management and process controls, most have not. The research shows that just 10 percent of large companies (those with 1,000 or more employees) have fully automated their identity controls, and another 43 percent have mostly automated them. The rest have limited or no automation in place.

        Historically, these issues have been handled largely as afterthoughts; we assert that this is a mistake. The importance of managing risk more effectively and the expanding list of regulatory and legal requirements corporations face have increased the need for software and systems that can provide full control, aid oversight and automate the execution of mechanical tasks. Since information technology can (and should) play an ever more integral role in governance, risk management and compliance functions, and because individual software applications and tools can (and should) be applied to these requirements, companies need to approach their GRC efforts comprehensively and consider the information technology requirements for identity and access management and process controls to be a core discipline.

        Identity and access management and process controls are two sets of IT infrastructure elements that can make risk and compliance management efforts more efficient and more effective. Companies must be certain that they give permissions and rights to the appropriate people, and that these people are who they claim to be. Thus, access controls, which depend on managing user identities effectively, are central to enforcing the separation-of-duties (SOD) controls that are applied where more than one person is required to complete a task. Historically, separation of duties was largely a finance department issue, driven by fraud concerns; today it’s a necessary part of IT department management, needed to ensure the integrity of systems – people who make changes to code can’t be the same people who certify these changes. Similar controls are needed for processes throughout a company where it’s necessary to separate duties for external regulatory or legal compliance or internal compliance and risk management.

        Process control software enables companies to monitor activities within software applications and IT systems to ensure that things are being done “by the book,” with all steps in a process defined and executed in the correct order and in a timely fashion after the required sign-offs have been obtained. The escalation in outsourcing activities and the globalization of supply chains increase the importance of these process controls to keep things from falling into cracks, and to check, inspect and document work performed by suppliers or contractors.

        Process control systems also can be used to spot suspicious activities, in real time if necessary. And such systems allow internal and external auditors to verify that controls are working. They enable easy analysis of system logs to spot suspicious activities such as intraday granting and rescinding of permissions or a higher-than-usual number of changes at the end of a month. Indeed, these are electronic versions of what auditors once used to do by hand, checking paper ledgers for erasures and examining handwriting to spot suspicious marks. Forensic accountants and other risk and fraud experts now can design controls that eliminate the need for heavy manual oversight. By having these controls in place, corporations can minimize the costly need for external and internal audits.

        Each of these basic capabilities – access control, identity management, transaction monitoring and controls monitoring – reduces the amount of audit activity needed, cuts the expense and effort of performing these tasks manually and significantly reduces the risk of fraud or errors stemming from poor or nonexistent controls. To the extent that it is feasible, we believe companies need to incorporate these infrastructure elements as a standard practice. Because IT systems are now at the center of handling most key processes, corporate governance and risk management increasingly call for a comprehensive approach on the part of IT departments. It’s time for IT departments that are lagging in their adoption of more effective controls to take a safer and more cost-effective approach.


        Robert Kugel – SVP Research


        Robert Kugel
        Executive Director, Business Research

        Robert Kugel leads business software research for Ventana Research, now part of ISG. His team covers technology and applications spanning front- and back-office enterprise functions, and he personally runs the Office of Finance area of expertise. Rob is a CFA charter holder and a published author and thought leader on integrated business planning (IBP).


        Our Analyst Perspective Policy

        • Ventana Research’s Analyst Perspectives are fact-based analysis and guidance on business, industry and technology vendor trends. Each Analyst Perspective presents the view of the analyst who is an established subject matter expert on new developments, business and technology trends, findings from our research, or best practice insights.

          Each is prepared and reviewed in accordance with Ventana Research’s strict standards for accuracy and objectivity and reviewed to ensure it delivers reliable and actionable insights. It is reviewed and edited by research management and is approved by the Chief Research Officer; no individual or organization outside of Ventana Research reviews any Analyst Perspective before it is published. If you have any issue with an Analyst Perspective, please email them to

        View Policy

        Subscribe to Email Updates

        Posts by Month

        see all

        Posts by Topic

        see all

        Analyst Perspectives Archive

        See All