SOURCE: Symantec

May 15, 2008 08:00 ET

New Research Highlights the Business Benefits of Continuously Improving IT GRC Practices

More Mature Practices for Managing IT Equal Better Business Results and Lower Financial Risks

CUPERTINO, CA--(Marketwire - May 15, 2008) - The IT Policy Compliance Group today announced the availability of its 2008 annual research report titled "IT Governance, Risk and Compliance - Improving business results and mitigating financial risk." IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices and capabilities is having a direct impact on the fortunes of organizations.

Primary benchmark research conducted by the IT Policy Compliance Group shows that the way to improve business results and reduce financial risk, loss and expense is to increase or enhance the competencies, practices and capabilities governing the use and disposition of IT resources. The report, which incorporates responses from more than 2,600 global organizations, measures the impact that improvements to data protection, regulatory compliance and IT service level resiliency have had on business results, including: customer satisfaction, customer retention, revenue, expenses and profits.

The raw scores in the report show clearly that firms with better IT GRC results perform much better than all other organizations at satisfying customers, retaining customers, and growing revenues and profits. Based on the evidence, the organizational functions that make the most difference in moving IT GRC from least mature to most mature are senior management, managers and directors in IT, legal counsel and the audit committee.
  • 17 percent higher revenues
  • 14 percent higher profits
  • 18 percent higher customer satisfaction rates
  • 17 percent higher customer retention levels
  • 96 percent lower financial losses from the loss or theft of customer data
  • 50 times less likely to have customer data stolen or lost
  • 50 percent less spent on regulatory compliance annually
  • Use a Balanced Scorecard to improve the delivery of value from IT
  • Staff the governance committee from senior business, financial, legal, IT, regulatory and audit committee members
  • Drive improvements to business outcomes with a measurable, continuous quality improvement program throughout IT
  • Insist on monthly measurement and reporting to drive improvements
  • Increase and automate technology controls to mitigate and avoid financial risk, brand damage and business disruptions
  • Improve the skills and automate activities within IT assurance, audit and risk management
  • Segment and limit access to sensitive data, where possible, to reduce exposure and costs
  • Manage change management and prevention of unauthorized change to avoid higher financial risks and cost inefficiencies
  • Continuously measure the effectiveness of controls to maintain an appropriate balance between reward and risk

In addition to this research report, the IT Policy Compliance Group has leveraged the primary benchmark data collected during the past two years to create a GRC Capability Maturity Model which can be used by organizations to assess maturity levels and the specific practices, competencies and capabilities associated with each maturity level.
  • "IT GRC is about managing the business of IT, including its top-line and bottom-line contributions," said Jim Hurley, managing director, IT Policy Compliance Group and principal research manager at Symantec. "The latest research conducted by the IT Policy Compliance Group provides a factual basis to assess the maturity of current practices, the business outcomes related to existing practices, and the ability to reliably identify the practices and capabilities that are delivering the most value."
  • "Fundamentally, IT GRC is concerned with two objectives: delivering value to the business and mitigating business risks from IT," said Everett Johnson, CPA, immediate past president of ISACA and the IT Governance Institute. "Successful organizations accomplish these goals by aligning the business and IT strategy, and embedding accountability for effective IT into the organization, beginning with top leadership."
  • "These findings reinforce that information security and privacy are critical business issues that are most effectively and efficiently addressed with well managed IT compliance programs," said Rocco Grillo, managing director within Protiviti's IT security practice. "The study's results support empirically what we are seeing in the marketplace, notably, that protecting sensitive data is becoming the biggest priority in IT compliance. This no doubt is a result of costly data breaches and post-breach remediation requirements, as well as PCI and other regulatory compliance requirements."
  • "This report correlates with what The IIA has found to be true - mature organizations are using a top-down, risk-based approach to their audit work which is enabling them to be more efficient and effective in their compliance and risk management practices," said IIA director of Standards and Guidance, Heriot Prentice, MIIA, FIIA, QiCA. "Organizations considered 'best in class' typically strive to get things right the first time, and properly investing upfront in proper internal controls can certainly help protect data, reduce financial risk, and increase profitability."
To find out more about IT GRC, visit the following resources:
Topics researched by the IT Policy Compliance Group benchmarks are part of an ongoing research calendar established by input from supporting members, advisory members, general members of the group, as well as from findings compiled from ongoing research. The most recent benchmarks included in this report were conducted between December 2007 and March 2008 with 558 separate, qualifying organizations. The consistent findings related to tracking questions from earlier benchmarks conducted between June 2007 and March 2008 with up to 2,608 separate firms have been included, but only where errors do not skew results from the research. The majority of organizations (90 percent) participating in the benchmarks are located in North America and the remaining ten percent of the participants for the research findings come from countries located in Africa, Asia Pacific, Europe, the Middle East and South America.
The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations to meet their policy and regulatory compliance goals. The IT Policy Compliance Group focuses on assisting member organizations to improve business, governance, risk management and compliance results based on fact-based benchmarks. It is supported by several leading organizations including: the Computer Security Institute, The Institute of Internal Auditors, Protiviti, ISACA, IT Governance Institute, and Symantec Corporation (NASDAQ: SYMC). More information is available at

NOTE TO EDITORS: If you would like additional information on the IT Policy Compliance Group, please visit the About Us section of the Web site at

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.