
Explore IT governance, risk and compliance to move from chaos to control. Align business and IT, meet regulatory requirements, and apply frameworks such as Cobit and ISO.
Governance, risk, and compliance form the backbone of modern business in the digital age, enabling business outcomes. For IT professionals, strong GRC keeps IT robust, resilient, and aligned with business goals.
See how IT systems are essential to business continuity and resilience, citing outages at DBS Bank, TSB Bank, and SingHealth that triggered regulator action and reputational risk.
Highlight rising data breaches and cyber incidents amid digitization, as shown by the SOCSO Malaysia breach, the Dell data leak via partner portal and API abuse, and the Ascension Hospital ransomware attack.
Analyze the NHS's £10 billion disaster, the UK's largest public sector IT project, canceled after delays, changing requirements, and contractor disputes, showing why two-thirds of IT projects fail.
Balance resilience, cybersecurity, data protection, GDPR, and regulatory compliance while enabling agile, prioritized IT investments. Drive ROI and stay competitive in a cloud-driven, AI-influenced landscape.
Explore how governance, risk and compliance create controls over IT decisions to align investments with business needs, meet regulatory requirements, and improve performance while reducing project risk.
Examine the three pillars of GRC—governance, risk, and compliance—as an integrated whole that enables clear decision making, awareness and mitigation of risks, and adherence to laws and data privacy requirements.
Governance, risk and compliance apply to all companies, large and small, and must be tailored to each organization, from global banks to startups, with customized policies and IT decision making.
Explore how compliance and regulation ground governance, risk, and compliance in sectors like financial services, healthcare, telecommunications, and energy. Noncompliance can lead to revoked licenses, suspended services, fines, or restrictions.
Organizations increasingly depend on technology as the business backbone, accelerated by digitisation, with mobile devices and autonomous driving turning cars into high-tech, intelligent systems.
Digitisation drives rising regulation; the Securities Commission Malaysia requires entities to submit a compliance declaration to adhere to the Securities Technology Risk Management guidelines by 1 August 2024.
Examine the Securities Commission's technology risk management guidelines, detailing governance, risk frameworks, operations, data security, resilience, service provider management, cyber security, and compliance consequences for Malaysian financial services.
Identify the compliance landscape for your industry and location by researching licensing, regulations, data protection laws, and guidance such as GDPR, MAS notices, and Cobit.
Explore how MAS governs technology risk for financial institutions in Singapore, including the Technology Risk Management Guidelines, cloud circular, outsourcing, cyber hygiene, and the Personal Data Protection Act.
Explore a MAS notice on technology risk management and learn to ensure reliability, availability, and recoverability of IT systems with a four-hour downtime limit, one-hour incident notification, and 14-day root-cause analysis.
Explore HIPAA compliance for health data, detailing the privacy, security, and breach notification rules within 60 days and implementing technical, physical, and administrative safeguards.
"Comply or die" captures the stakes of IT compliance, including potential license revocation, fines, or jail. It guides IT managers to persuade upper management with actionable suggestions and solutions.
Data privacy and protection are central in a digital world where data acts like currency. See how laws worldwide share core principles and why compliance with data protection is essential.
Explore the 2017 Equifax data breach, where hackers accessed names, Social Security numbers, addresses, and credit card details of about 143 million people, highlighting vulnerabilities in the web application.
Examine a data breach at Razer caused by misconfigured servers exposing personal data of over 100,000 gamers, discovered by a security researcher after three years, revealing gaps in monitoring.
Explore why data breaches are at an all time high, highlighting cloud misconfigurations, default settings, open ports, ransomware via phishing, and vendor-system vulnerabilities, with MIT findings on cloud-stored data.
Data protection becomes a business priority as organizations collect more data, responding to customer and regulators' demands for responsible data use, security, consent, and protections against discrimination.
Explore how the European Union's GDPR regulates data processing, protects individuals' rights, requires a data protection officer, and imposes fines up to €20 million or 4% of annual revenues.
Master the seven GDPR principles, including lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.
Distinguish internal data protection policy, covering legal compliance, data protection principles, access, usage, retention, and breach handling, from public data privacy policy that reassures users and supports consent.
Identify and categorize sensitive data and apply least privilege access. Implement logging, two-factor authentication, encryption, and physical protections, then use independent audits, regular backups, staff education, and network monitoring.
Cyber security hinges on people and their behaviors as much as technology, requiring a holistic governance, risk and compliance approach to protect data and ensure security.
Examine how ransomware like WannaCry (2017) encrypts files on Windows computers, demands bitcoin payments, and risks that files may not be decrypted, urging prompt patches to prevent spread.
Phishing attacks, illustrated by the 2017 Netflix incident, steal credentials via fake emails and login pages; recognize authenticity by checking the reply-to field and URL.
A regulator takes Optus to court for customer data breaches affecting about 10 million, exposing governance, risk and compliance challenges from a publicly available unprotected API.
Cybersecurity hinges on people and process, not only technology; educate and train users to reduce basic mistakes like leaving a password on a sticky note.
Explore how a seven-hour DDoS attack disrupted Singapore's government hospital websites by flooding a health care network with bot requests, highlighting firewall defenses and their limits.
Explore EY's top 10 cyber threats and learn why protecting customer and financial information, plus defending against phishing and malware, tackles the majority of organizational risks.
Recognize that insider threats account for about 50% of cyber threats, with 38% malicious and 44% negligent. Protect systems from employees as well as external actors.
Adopt a holistic, multi-layered approach to cyber security by enforcing seven layers: human, perimeter, network, endpoint, application, and data security, all protecting the mission-critical assets at the core.
Discuss the 2018 SingHealth data breach, affecting 1.5 million patients. Explain the inquiry findings: policy unawareness, delayed responses to suspicious logins, no incident reporting, weak access controls, and unenforced 2FA.
Implement the NCSC's ten steps to cyber security: secure networks, enforce malware protection, control removable media, apply secure configurations, manage privileges, handle incidents, and monitor home and mobile working.
Explore the NIST Cybersecurity Framework, a practical guide whose 2024 version 2.0 adds a govern function to the five functions (identify, protect, detect, respond, recover), making six in total, plus implementation examples and a checklist of best practices.
Explore examples of cybersecurity best practice, including spam filters, multi-factor authentication, regular awareness training, security patches, supply chain risk, and independent security audits.
Discover how to evaluate cybersecurity tools from major providers within your budget, and leverage cloud-based solutions that are easy to access without complex installations for smaller teams.
Explore how rising IT dependence makes outages costly and why systems must be designed for resilience and business continuity to sustain 24/7/365 operations.
Outages strike giants like Amazon and Microsoft, causing sales losses during peak periods. The UK Border Force e-gates outage shows IT outages disrupt travel and border operations.
Analyze how DBS Bank's digital resilience faltered after recurring outages, including a two-day disruption to its systems, and note the regulator's six-month ban and resulting reputational damage.
Investigate how IT maintenance and continued operations trigger outages, from overnight software updates to configuration changes, across Sainsbury's, McDonald's, Greggs, and the UK Border Agency.
Assess how information technology disruptions cause broad financial and reputational harm, including $1 million per day losses, revenue, cash-flow, stock price, credit-rating impacts, breach-of-contract risks, and legal costs.
Explore how business resilience, including IT resilience, withstands disruptions from teething issues to black swan events, and how organizations should prepare for the worst while hoping for the best.
Explore how IT governance, risk and compliance balance business agility with stability, enabling rapid rollouts through agile methods and DevOps while navigating cloud-driven complexity.
Identify and implement Singapore's MAS guidelines for business continuity, assign board and senior management accountability, test plans, set recovery time objectives, and mitigate interdependency risk for wide-area disruptions.
Define metrics for business continuity by classifying services with a traffic light system, setting MTD, MRO or MWR, and determining RTOs for critical, significant, and non-critical services.
Implement redundancy to remove single points of failure with duplicates, deploy diverse data centers or cloud options, and use load balancing with cross-site backups for continuity.
Explore the ISO 22301 standard as a framework for a business continuity management system, detailing the planning lifecycle from risk identification to testing, documentation, and recovery.
Cover the 11 ISO 22301 clauses for governance, risk, and continuity, including know your organization, scope, management buy-in, objectives, BIA, risk assessment, strategy, procedures, testing, training, and continual improvement.
Identify and manage IT risks with a proactive approach, acknowledging that no system is risk-free and preparing to handle uncertainties through risk management.
Navigate the pervasive risks in the digital landscape that threaten IT systems, from outages and legacy systems to cloud, third-party, and supply chain risks, cybersecurity, operational resilience, and data protection.
Identify, assess, and manage IT risks with a proactive approach rather than reacting ad hoc, to anticipate what might go wrong and to respond and recover effectively.
Explore how aging legacy systems in airlines create risk and cascading outages, as Delta's power outage triggers widespread delays and highlights backup needs.
Compliance makes IT risk management mandatory, guided by Bank Negara Malaysia for banks, insurers, and payment providers. Key areas include board responsibilities, CISO designation, access control, cloud services, and cryptography.
Understand the IT threat landscape across three categories: environment, equipment, and human, covering natural disasters, fires, outages, malware, theft, and human errors.
Assess risk by evaluating the probability of a fall and its impact during air-conditioning servicing, illustrating how risk equals probability times impact with a $5 million worst case.
Explore the risk equation, risk equals probability times impact, and how profiles arise from high or low probability and impact. Learn to address high-risk scenarios by reducing probability or impact.
Conduct a risk assessment with a two-axis risk matrix that maps likelihood and impact to identify high, medium, and low risk areas.
Discover four general risk management strategies in IT governance: avoid, mitigate, accept with contingency plans, and transfer risk through outsourcing, while maintaining accountability.
Explore how risk controls protect assets such as data, people, infrastructure, and applications by deploying measures like encryption, boundary defense, access control, and monitoring to counter threats.
Practice proactive risk management by continually identifying IT risks, assessing their business impact, defining risk tolerance, applying preventive and contingency controls, and continuously monitoring and improving responses.
Prepare for risk and avoid surprises by having a plan, testing it with tabletop drills, coordinating with vendors, and using prebuilt templates for clear customer communications.
Explore the ISO 31000 framework for risk management, including establishing context, risk identification, risk analysis (probability and impact), risk evaluation and treatment, with ongoing stakeholder communication and monitoring.
Drive the effective and efficient use of IT by governing decisions, aligning priorities and spending, preventing project failures, and ensuring clear accountability.
Learn how to make IT decisions in governance by clarifying who makes, consults, approves, and executes them. Identify key factors, judge success, and ensure accountability.
Consider a world without governance where decisions occur in departmental silos, with little cross-department communication and reduced transparency, leading to duplication, inconsistency, and misaligned IT standards.
View IT governance as a subset of corporate governance, ensuring inclusive decision making and controls that align IT with stakeholders' interests, including shareholders, employees, suppliers, customers, and the community.
Define IT governance as a formal framework that aligns IT with business strategy and objectives, guiding investments, services, and infrastructure to support organizational goals.
IT governance aligns IT spending with business objectives to ensure effective and efficient, on-time, on-budget projects while preventing waste and misallocation of IT funds.
Align business and IT by defining what is needed to meet objectives, what stakeholders request, and what IT delivers, and address miscommunication that causes misalignment.
Apply the steering wheel analogy to IT governance, directing decisions to align with business objectives and steer resources toward an efficient and effective, controlled path.
Examine the four dimensions of IT governance: ensuring the portfolio of IT projects aligns with business needs, using the right tools and standards, building capability, and delivering measurable ROI.
Identify the five IT governance decision domains: principles, business applications, investment and prioritization, architecture, and infrastructure, and show how funding, data organization, cyber security, cloud use, and outsourcing shape decisions.
Identify who makes IT governance decisions and define the decision domains. Involve budget holders and executives such as CEO, CIO, and CTO to ensure transparent, accountable IT decision making.
MIT's IT governance centers on the ITGC, a 14-member co-chaired body guiding IT decisions, reporting to the provost and executive vice president and treasurer, with infrastructure, policy, and project subcommittees.
Explore six governance styles for IT decision making, from business monarchy to anarchy, and understand how organizational structure shapes who decides.
Explore governance mechanisms that structure IT decision making. See executive committees, IT councils, architecture committees, service level agreements, and budget models aligning IT with business priorities.
Explore governance design considerations that balance centralized and decentralized IT decision making, set enterprise technical standards and global licenses, and manage budgets, vendor selection, and approval processes with stakeholder accountability.
Governance bodies can degenerate into committees hampered by internal disagreement, over-consultation, paperwork, and a tick-box approach to Cobit or ISO that undermines accountability and agility.
Explore how Cobit and ISO 38500 serve as reference models for IT governance, offering customizable guidance for starting from scratch or improving current practices.
Cobit stands for Control Objectives for Information Technology, a governance framework tailored to an organization's needs. The 2019 version supports using other standards such as Prince2.
Cobit outlines six governance system principles, including delivering stakeholder value, holistic and end-to-end approach, and a dynamic governance system. Governance is distinct from management and tailored to the organization's needs.
Explore the Cobit core, a set of 40 governance and management objectives organized into five domains: one governance domain (Evaluate, Direct and Monitor) and four management domains.
Discover how ISO 38500 frames IT governance with a governing body that evaluates, directs, and monitors, while management executes under governance amid regulatory obligations, business needs, and stakeholder expectations.
Discover the six ISO 38500 principles—responsibility, strategy, acquisitions, performance, conformance, and human behavior. Learn how governance structures, business alignment, and compliant, human-centered IT decisions emerge.
Choose IT projects wisely by establishing a strong business case, prioritizing high-impact initiatives, and continually monitoring progress to stop or cancel projects unlikely to deliver value, ensuring effective governance.
Explore why IT projects fail at high rates, with the 2020 Chaos Report finding 66% end in partial or total failure. Learn how IT governance helps improve project outcomes.
McKinsey and Oxford University analyzed 5,400 IT projects, revealing 45% cost overruns, 7% schedule overruns, and 56% fail to deliver expected benefits due to missing focus and misaligned stakeholder expectations.
Develop a concise project proposal that justifies a green light by detailing the problem, solution, scope, benefits, owner, sponsors, resources, costs, deliverables, plan, risks, and timeline.
Identify and justify a sound business case for every project by linking investments of resources to measurable returns, such as customer growth, efficiency gains, revenue, compliance, risk reduction, and brand value.
Identify the three magic project qualities: desirable, realistic, and feasible. The lecture links sponsor support, stakeholder buy-in, and feasible resources and timelines to project success.
Prioritize IT projects with a benefit-urgency matrix to allocate limited budgets, time, and staff, focusing on priority projects now and future projects for later.
Explore a multi-criteria approach to project selection, weighing financial return, urgency, strategic alignment, available resources, risk, and stakeholder support, with devil's advocate questions on consequences of not acting.
Decide on proposals by the project board within governance structure—green light, request more information or a revised scope, or reject—and monitor progress quarterly to continue, remediate, stop, postpone, or cancel.
Welcome to the course!
In this digital age, IT is the BACKBONE of business. IT is under constant pressure to PERFORM and DELIVER.
When there are IT outages, business grinds to a halt. At the same time, IT must be sufficiently agile to support new business requirements. Organisations also spend significantly on IT, and in return expect a positive business outcome.
Ultimately, to maintain a healthy IT backbone, we must ensure that IT decisions are ALIGNED with business goals and priorities, and have a framework in place to enable this to happen. This is where Governance, Risk and Compliance (GRC) comes in.
The course is designed for IT managers and professionals with responsibility for IT, and those who are involved in IT decision-making. The course is the perfect starter for those who are new to governance, risk and compliance.
In this course, you will delve into the following key topics:
Prepare for the role of IT manager.
Deliver on IT projects.
Effectively run the IT operations.
Get the best from vendors and partners.
Lead a high-performance team.
Protect data as a business priority.
Be on top of cybersecurity.
Assess and manage IT risk.
Develop business continuity and resilience.
Manage an IT budget.
Explore the benefits of cloud computing.
This is not a long-winded course. You will learn from short, concise and to-the-point videos.
Though you may not need all of the above skills right now, they may become important in the future as you take on a new portfolio or move to a different or more senior role.
Ultimately, we hope that the 4 hours or so needed to complete the course will be well worth the time and effort.