Jeff Jinnett: Towards a Structured GRC Taxonomy

Although governance, risk management and compliance laws and regulations may vary greatly depending on the jurisdiction, issuing authority, regulator and target industry, there appear to be certain common GRC issues that can be used to group mandates into categories. For example, the following nine GRC issues (with examples) may represent a useful taxonomy for the key common GRC issues: (1) corporate governance, (2) risk assessment and risk management, (3) privacy & security, (4) documentation, (5) records and information management, (6) audit and controls, (7) reporting, (8) certification, and (9) know your customer.

1. Example of Mandates Dealing With Corporate Governance

  •  Sarbanes-Oxley Act: See, e.g., Title III, Section 301 (“Public Company Audit Committees”) and Title IV (“Enhanced Financial Disclosures”), Section 407 (“Disclosure of Audit Committee Financial Expert”)

2. Example of Mandates Dealing With Risk Assessment and Risk Management

  •  Sarbanes-Oxley Act: See, e.g., Section 404 (“Management Assessment of Internal Controls”), which can be supplemented by the COSO Enterprise Risk Management (ERM) Framework, as per SEC Release Nos. 33-8238 and 34-47986, located at https://www.sec.gov/rules/final/33-8238.htm.
  •  HIPAA: See, e.g., HIPAA Security Rule, Section 164.308(a)(1)

3. Example of Mandates Dealing With Privacy and Security

  •  HIPAA: See HIPAA Privacy Rule and HIPAA Security Rule

4. Example of Mandates Requiring Documentation

  •  Sarbanes-Oxley Act: See Title IV (“Enhanced Financial Disclosures”), Section 404 (“Management Assessment of Internal Controls”), which requires the documentation of internal controls
  •  HIPAA: See, e.g., requirement to develop a written contingency plan, disaster recovery plan and data backup plan, pursuant to HIPAA Security Rule, Section 164.308(a)(7); see also HIPAA Privacy Rule, Section 164.530(j)(1)

5. Example of Mandates Dealing with Records & Information Management

  •  Sarbanes-Oxley Act: See, e.g., Title I, Section 103(2)(A)(i) (“Auditing, Quality Control, and Independence Standards and Rules”) and Title XI, Section 1102 (“Tampering With a Record or Otherwise Impeding an Official Investigation”)
  •  HIPAA: See, e.g., HIPAA Privacy Rule, Section 164.530(j)(2)

6. Example of Mandates Dealing With Audit & Controls

  •  Sarbanes-Oxley Act: See, e.g., Title II (“Auditor Independence”), which impacts how audits are performed for the company
  •  HIPAA: See, e.g., requirement to obtain a third party security evaluation, pursuant to HIPAA Security Rule, Section 164.308(a)(8)

7. Example of Mandates Requiring Reporting

  •  Sarbanes-Oxley Act: See, e.g., Title IV, Section 404(b) (“Management Assessment of Internal Controls”), which requires the auditor to prepare an attestation report on the internal control assessment of the company’s management; see also Title IV (“Enhanced Financial Disclosures”), Section 409 (“Real Time Issuer Disclosures”), which requires the issuer to disclose to the public on a “rapid and current basis” any material changes in the issuer’s financial condition or operations
  •  HIPAA: See, e.g., HIPAA Privacy Rule, Section 160.310(a)

8. Example of Mandates Requiring Certification

  •  Sarbanes-Oxley Act: See, e.g., Title IX, Section 906 (“Corporate Responsibility for Financial Reports”) (CEO/CFO certifications as to financial reports)
  •  HIPAA: See, e.g., covered entity’s self-evaluation, pursuant to HIPAA Security Rule, Section 164.308(a)(8)

9. Example of Mandates Dealing With “Know Your Customer”

  •  USA Patriot Act: See, e.g., Section 326 (“Verification of Identification”)

In order to better understand the IT and business impact of international, U.S. Federal and state laws and regulations, it could be helpful to create a database of the various laws and regulations, classified based on the above GRC categories. This would then enable corporate users of the database, for example, to analyze the overlap and duplication of all laws and regulations that require them to engage in risk assessment and risk management activities. After this analysis has been completed, the corporate users will be better prepared to apply risk management IT solutions in a focused manner against the combined and distilled risk assessment requirements of all their applicable mandates.