As with most GRC issues, with IT GRC, it makes sense to take an enterprisewide and integrated approach. However, managing risk and compliance issues has generally been made more difficult by the past tendency of companies to implement iterative and fragmented approaches to GRC, which in turn has led to fragmentation within the IT systems and infrastructure used to support GRC. Further, compliance and risk have become more complex as customers and suppliers seek to hold businesses more accountable in how those relationships are carried out. An IT system must be able to handle this degree of complexity.
Getting a Handle on What IT GRC Is
Essentially, IT GRC encompasses the technical tools (software and hardware) and related policies and procedures used to support compliance and risk management efforts from an IT perspective based on established best

266 Part IV: Managing the Flow of Information
Learned Hand: One man’s control is another’s negligence
A good question to ask yourself is, “I have policies and IT related controls in place, but are they enough to satisfy regulators and auditors if something goes wrong?” To answer that question, we need go no farther than one of the U.S.’s most celebrated and aptly named jurists — Learned Hand.

Learned Hand never made it to The Show — the Supreme Court of the United States — but he did make it as far as chief judge for the United States Court of Appeals for the Second Circuit, where he made two rulings he is now famous for.
The first relates to establishing negligence in a legal context. In United States v. Carroll Towing, Hand established what is known as the “calculus of negligence,” which, to paraphrase, says that if you can create benefits or mitigations at a low cost as compared to the amount of risk and its likelihood of occurring, and you don’t, then you are negligent.
For example, if you operate a public storage warehouse, installing smoke detectors and a sprinkler system is a good way to respond to the risk of fire and avoid being sued for negligence. As this relates to technology, most Internet service providers include spyware and antivirus protections as a means to reduce risk and avoid being accused of negligence. For a corporate CEO, maintaining a strong, proactive and enterprisewide GRC system is one way to live up to Hand’s calculus of negligence should something go wrong and shareholders and regulators start making noises.
(Wondering about that second ruling Judge Hand made? It is indeed unrelated, so forgive the digression. The government had accused one taxpayer of avoiding taxes because this wily fellow used the tax code to his advantage to avoid paying as much tax as he could. Hand ruled that it is not up to taxpayers to pay as much as they can, but that it is their right to pay as little as they can as long as they are following the tax code. This warms our hearts, especially around April 15.)