An introduction to the MOF GRC SMF

The guidance in Microsoft Operations Framework (MOF) encompasses all the activities and processes involved in managing an IT service. It’s conception, development, operation, maintenance, and ultimately its retirement. MOF organises these activities and processes into Service Management Functions (SMFs), which are grouped together in phases that mirror the IT service lifecycle. Each SMF is anchored within a lifecycle phase and contains a unique set of goals and outcomes supporting the objectives of that phase. An IT service’s readiness to move from one phase to the next is confirmed by management reviews, which ensure that goals are being achieved in an appropriate fashion and that IT’s goals are aligned with the goals of the organisation.

MOF begins with the Plan phase and our previous blog articles in this series explain the role of the Microsoft Operations Framework (MOF), service management functions (SMF’s) and introduce the Planning SMF which is the first step in implementing MOF within your business. If the topics introduced below don’t make sense or perhaps you feel they’re missing context then please refer to the following articles for background context and explanation.

Blog Article 1: What’s your ITIL IQ®? Meet MOF

Blog Article 2: The MOF Plan Phase

Blog Article 7: The MOF Deliver Phase

Blog Article 13: The MOF Operate Phase

Blog Article 18: The MOF Manage Layer

Overview of the MOF GRC SMF

The Governance, Risk, and Compliance (GRC) SMF belongs to the Manage Layer, the foundation of the MOF IT service lifecycle. The following figure shows the place of the GRC SMF within the Manage Layer, as well as the location of the Manage Layer within the IT service lifecycle.


Figure 1. Position of the GRC SMF within the IT service lifecycle

Why Use the GRC SMF?

This SMF should be useful to those who make trade off decisions for how IT resources will be used to meet goals and deliver business value; for those needing to manage risk from  many sources, not only IT security risk; and for those who need to make sure IT activities comply with regulations and directives. This SMF discusses guidelines and principles for GRC to be performed during processes and activities throughout the IT service lifecycle.

It addresses how to do the following:

  • Establish IT governance.
  • Assess, monitor, and control risk.
  • Comply with directives.
GRC Overview

Governance, risk, and compliance are potentially far reaching and interwoven activities that require participation by everyone in the organisation. Establishing a common understanding of such a broad topic can be challenging. To help clarify the subject, the following sections break down the scope of GRC and discuss:

  • What defines IT GRC.
  • Why the three activities are considered together.
  • Different IT roles and their respective GRC perspectives.
  • How GRC fits into the IT service lifecycle.
What Is GRC?

IT governance is a senior management level activity that, when well performed, clarifies who holds the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated. Most organisations accomplish IT governance by creating groups, such as steering committees, that bring the right parties together to make decisions.

Organisation wide governance establishes, among other things, positive outcome and growth expectations, chosen avenues to improve customer satisfaction, new products, and market development. All areas where IT can make a significant contribution when all governance efforts are coordinated.

Governing activities happen whether planned or not. Lack of planned governance processes can result in arbitrary goal setting and decision making, political turf battles, and wasted resources from confused and conflicting efforts. Planned governance should result in:

  • Consistent policies that work together effectively.
  • Clear and accountable decision making with an agreed-upon plan for making trade offs.
  • Well communicated management objectives.
  • Established expectations for performance and evaluating compliance.
  • Clear expectations for acceptable behavior in pursuit of management’s goals.

Risk represents possible adverse impacts on reaching goals and can arise from actions taken or not taken. Organisations use governance processes to decide priorities and the level of effort that should go into reducing the likelihood and magnitude of risk impacts.

Good governance processes seek out risk and provide open discussions and clear approaches to addressing risk. A culture of risk management helps prevent willful ignorance of risk, or intentional concealment of risk, and reduces the number of unknown risks that may result in negative consequences.

Internal controls are the processes and systems that exist to address risks and to influence or mitigate potential outcomes. In the most general sense, internal controls provide the means by which management objectives are reliably achieved and, in doing so, contribute to positive outcomes for stakeholders.

Compliance is a process that makes sure individuals are aware of regulations, policies, and procedures that must be followed as a result of senior management’s decisions. Compliance is also the evaluation of what is actually happening in the organisation compared with the intended results laid out by management’s objectives, policies, and regulatory requirements.

IT compliance efforts will be enhanced if the organisation has clearly established and communicated expectations for IT and policies that must be followed, and if it has proactively developed ways to evaluate performance and decision making.

Factors external to organisations, such as regulations, standards, and industry best practices, have impact on how work is done. These factors are more effectively evaluated and implemented when adequate GRC processes are in place. For instance, there are a number of bodies and regulations concerned with data reliability and organisational trustworthiness. IT organisations may need to respond to a variety of regulatory bodies from the Information Commissioners Office (ICO), the European Union (EU), and may need to address data management requirements and regulations as varied as the EU GDPR, the Data Protection Act, Basel I/II, and Sarbanes Oxley (SOX). GRC activities can help companies (and their IT departments) become:

  • Better custodians of data.
  • More aligned with regulations.
  • Better equipped to achieve management objectives.
  • Less susceptible to fraudulent acts.
Why Are These Activities Grouped Together as GRC?

The three practices that make up GRC, governance, risk management, and compliance, share common and interrelated tasks. Because governance, risk, and compliance have overlapping areas of responsibility and process, they are more effective when they are integrated and dealt with as combined practices. This decreases data islands and silos of activity that ultimately slow down organisational responsiveness and contribute to greater risk by obscuring risk identification and producing inadequate risk impact assessments. Combining can streamline processes and provide transparency and accountability in an organisation. It accomplishes this by:

  • Bringing the right groups of people together (governance) to clarify what needs to happen and evaluate what could get in the way (risk management).
  • Helping the organisation determine resource commitments (governance) needed to ensure its goals are achieved (risk management).
  • Making it clear (governance and compliance) what processes and activities should or should not happen (risk management and compliance).
  • Capturing and documenting processes and their results as evidence (compliance).

When an organisation addresses IT GRC activities, several pivotal questions help establish context. Answering these questions most likely will require conversations with groups external to IT, such as internal audit, legal, compliance, and HR. These questions are:

  • What is our organisation’s governance plan—who decides how and what to decide?
  • What is our organisation’s risk tolerance—where can we accept more risk, and in which areas should we be more cautious?
  • Are there specific regulatory and compliance issues that apply to our industry?
  • What is our compliance culture—that is, how do we determine that we’re doing what we said we would do?

By answering these questions and working on integrated GRC plans, the alignment of IT and business goals is improved because the right people are making the right decisions at the right time.

Who Should Care About GRC?

Although everyone in an organisation is involved in IT GRC activities at some level, GRC requires three core groups to be effective: Executives, IT managers, and IT professionals. These three organisational roles have different concerns and involvement related to GRC.

The IT professional’s GRC role emphasises applying the decisions that have been made through governance processes to day-to-day activities and procedures. IT professionals are focused on the compliance aspects of GRC and using in depth technical knowledge to help identify and mitigate risks and to find ways to efficiently automate controls. They ensure that activities and systems operate within the guidelines that have been established in the GRC process. They have specialised knowledge that can be used to refine controls based on technological capabilities or constraints.

IT managers often participate in GRC groups that make trade off decisions. A chief mandate for management is to translate strategic goals (established at the executive and board levels) into tactical and tangible directives and policies that will result in services, solutions, policies, and day-to-day activities. IT managers drive the translation of strategic goals into tactical goals, drive the analysis of risk to those goals, and drive identification of internal controls to mitigate those risks.

Finally, at the executive level, the CIO has responsibility for the entire GRC process within IT. The right structures must be established to bring the appropriate people together at the right time to effectively guide the realisation of strategy. The CIO should make sure that risk management is part of the discussion in these governance forums as a tool to help inform choices and move toward a common denominator for making trade off decisions.

In addition, the CIO must be aware of assurance (audit) functions, which evaluate objectives, internal controls, and their design and operating effectiveness. Audit provides findings and recommendations to the executive and board levels so that the organisation will benefit from intelligent, intentional management. Similar assurance assessments help provide shareholders and other interested external parties a view into an organisation’s functioning. CIO awareness of assurance findings ensures that the organisation’s approach to governance is set at the top level, and that GRC activities are understood and used at every level.

What Is the Relationship of the GRC SMF to the IT Lifecycle?

Each phase of the IT service lifecycle has its own goals and activities. Although groups and people might vary by phase and activity and inputs and outputs might differ, the importance of having clarity about decision making, risk management, and ensuring compliance does not change.

In the Plan Phase, the goal is to make sure that the IT services offered to the business are valuable, predictable, reliable, and cost-effective, and that they respond to ever changing business needs.

To help meet this goal, the GRC focus is on:

  • Corporate strategy transfer to IT strategy.
  • Governance structure and decision rights.
  • Management objectives defined.
  • Major risks to achieving objectives identified.
  • General regulatory environment.
  • Policy defined.

In the Deliver Phase, the goal is to make sure that those IT services that the business and IT have agreed on are developed effectively, deployed successfully, and ready for Operations.

In this phase, the GRC focus is on:

  • Solution architecture supporting organisational requirements.
  • Project stakeholders, methodology, and identified risks.
  • The value realisation process.
  • The service development life cycle.
  • Risk mitigation.
  • Defining internal controls.
  • Defining procedures.

In the Operate Phase, the goal is to make sure that deployed services are operated, maintained, and supported in line with the SLA targets set by the business and IT.

In this phase, the GRC focus is on:

  • Procedures and control activities.
  • Recording and documentation.
  • Retention of evidence that the control operates as designed.

GRC creates organised process flows in all phases of the lifecycle by aiding decision making, balancing trade offs, grounding strategy by managing risks, and making sure risk management is appropriate for the activities at hand. By attending to these GRC activities, IT is better able to contribute to the long term viability and improvement of the organisation and is able to clearly state, “This is how we run IT and manage risk.”

GRC SMF Role Types

The primary Team SMF accountabilities that apply to GRC are the Management Accountability and the Compliance Accountability. The role types within these accountabilities and their primary activities within this SMF are displayed in the following tables.

Table 1. Management Accountability and Its Attendant Role Types

Role Type Responsibilities Role in this SMF
IT Executive Officer

·        Sponsors IT GRC

·        Approves structures and overall processes

·        Uses metrics and benchmarking to evaluate GRC performance

·        Engages in decision making

·        Owns GRC processes guide and IT decision making

·        Ensures clear ownership and accountability

·        Clear trends in GRC performance

·        Ensures that improvement roadmap is in place

IT Manager

·        Manages governance processes

·        Identifies and engages GRC participants

·        Manages risk and IT business value realisation dependencies

·        Owns business/IT relationship

·        Uses metrics to evaluate GRC performance

·        Ensures GRC is integrated into management decisions

·        Ensures that state of compliance is understood

·        Facilitates Business/IT alignment through GRC processes

·        Ensures that GRC metrics are used for reporting and improvement planning

IT Policy Manager ·        Understands GRC trade-off decisions and the resulting positions that are reflected in policy ·        Ensures that policies reflect results of GRC process and effectively direct organisation toward appropriate activities
IT Risk and Compliance Manager

·        Manages overall risk management and compliance programs

·        Communicates GRC processes and requirements to organisation

·        Ensures well-communicated GRC processes and expectations

·        Makes sure that individuals understand their GRC responsibilities and take action accordingly

Assurance and Reporting

·        Validates design and operating effectiveness of GRC structures and processes

·        Recommends changes for improvement

·        Endures that GRC is constantly under review and continually being improved
Change Manager ·        Manages the activities of the change management process for the IT organisation

·        Ensures that GRC processes result in change that is understood

·        Ensures that risks are managed

Configuration Administrator

·        Tracks what is changing and its impact

·        Tracks configuration items (CIs)

·        Updates CMS

·        Ensures that GRC results in change that is approved and results in a known state at all times

Table 2. Compliance Accountability and Its Attendant Role Types

Role Type Responsibilities Role in this SMF
IT Executive Officer

·        Communicates IT strategy and approves IT management objectives

·        Approves policy

·        Establishes tone-at-the-top for the culture of control and compliance

·        Ensures that consistent progress toward strategic goals is achieved through appropriate and desired activities
IT Manager

·        Enforces policy communication and compliance

·        Evaluates policy adherence and effectiveness

·        Requests changes to policy or exceptions

·        Enforces compliance to directives and policies

·        Ensures predictable and reliable results that are achieved through appropriate means

·        Ensures that policy violations are addressed effectively and timely

IT Risk and Compliance Manager

·        Manages overall risk and compliance programs

·        Makes sure individuals are trained on and understand compliance mandates

·        Reviews unanticipated risk events and non-compliance issues to identify improvements to processes

·        Makes sure that risk and compliance efforts are coordinated and consistent with each other

·        Provides sufficient training and  preparation to maintain compliance

·        Ensures that unanticipated events are addressed

IT Policy Manager

·        Manages overall policy processes

·        Owns communication of policy to the organisation and feedback on policy issues

·        Coordinates the management of policy exception requests

·        Makes sure that policies are clear, current, and well-understood so that they result in appropriate behavior
Assurance and Reporting

·        Investigates policy non-compliance and circumvention

·        Issues reports and recommends changes

·        Owns independent validation of compliance

·        Detects fraud or intentional unpermitted activity

 Goals of GRC

The overarching goal of GRC is to provide IT services that are effective, efficient, and compliant. Specifically, this involves:

  • Establishing clear and effective decision making in the management of IT assets.
  • Managing risk effectively.
  • Complying with applicable policies, laws, and regulations.

Table 3. Outcomes and Measures of the GRC SMF Goals

Outcomes Measures
Sound governance

·        IT activities yield expected returns on investment

·        Use of IT assets meets forecasts

·        Decision making is timely and does not require re-examination

·        Confidentiality, integrity, and availability of IT assets are congruent with business needs and directives

·        Polices are created and managed in a timely fashion

Effective risk management

·        Proactive identification and management of potential threats and vulnerabilities to the assets of the enterprise

·        Clear and documented process for identifying risk; determining impact and probability; prioritising and managing through mitigation, transfer, or acceptance; and identifying appropriate controls and solutions

·        Confidentiality, integrity, and availability of IT assets

Compliance with regulations, laws, and policies

·        Management of the impact of laws and regulations on business value realisation

·        Identification of applicable organisational policies, laws, and regulations

·        Design, development, and deployment of IT assets that support compliance to laws and regulations

·        Reporting of measurable controls for audit and management

Key Terms

The following table contains definitions of key terms found in this guide.

Table 4. Key Terms

Term Definition
Compliance Processes that ensure IT’s conformance with governmental regulations, laws, and company-specific policies—in other words, a means to inform individuals regarding appropriate activity and also ensure that the organisation is actually doing what it has said it will do.
Contingency A process that prepares an organisation to respond coherently to planned outcomes as well as unplanned incidents.
Evidence Testable proof that policies and processes are working as expected.
Governance Governance specifies who should make decisions and how, how to communicate effectively and when that should happen, and how to track IT’s progress against business objectives.
IT assets Any company-owned information, data, intellectual property, system, or machine that is used in the course of business activities.
IT controls A specific activity performed by people or systems designed to ensure that business objectives are being met.
Mitigation Processes or activities that are established for the purpose of reducing the potential consequences of a risk by reducing the likelihood or impact of the risk.
Risk The possibility of adverse effects on business or IT objectives. Risk is measured in terms of impact, likelihood, and exposure.
Risk management

An organisation’s efforts to address risk in the IT environment.


Relating Governance, Risk, and Compliance


Figure 2. The relationship between governance, risk, and compliance

From a process standpoint, GRC is different from many of the MOF SMF’s. Its application is not, strictly speaking, a sequential flow, i.e. first A happens, then B, then C. Instead, as Figure 2 shows, it is three separate sets of processes (governance, risk, and compliance) any of which can take place simultaneously or in tandem with the other processes.

For ease of understanding, however, this SMF will discuss these interconnected activities as separate processes:

  • Establish IT governance.
  • Assess, monitor, and control risk.
  • Comply with directives.
Process 1: Establish IT Governance

Governance describes the leadership, decision making structure, processes, and accountability that determine how an organisation gets work done. Governance starts at the top, but it requires participation at every level of the organisation. The nature of the decisions made and information passed to other GRC participants is portrayed in Figure 3. As it shows, there are ways for all members of the organisation to contribute to successful governance.

Looking at the various groups that pass information across the organisation shows that it is helpful to have a common way to communicate about GRC information. This GRC SMF focuses on the mechanisms for connecting these levels using risk management and control activities, which results in better decision making and the establishment of accountability for results.


Figure 3. The governance environment: participants and information types

IT governance can be enhanced through the clarification of objectives, roles, and responsibilities and through the application of risk management across the IT service lifecycle. This ensures that IT is able to understand business strategy and requirements, deliver value to the business while mitigating IT risks, and establish accountability throughout the lifecycle.

In everyday terms, these concepts will be made more concrete by the specific role and activities involved. For example, the IT professional setting up Microsoft® Office 365 mailboxes will need to know the policies regarding e-mail retention and purging and ensure that these policies are effectively enforced through configuration rules and Group Policy.

The IT manager needs to be aware of management’s objectives regarding corporate communications and what regulatory requirements might be involved in order to make sure that appropriate legal opinion is brought to bear so that required policies are developed.

The CIO and other executives must make their determination that their organisation’s strategy and any regulation affecting corporate communication is rational and that they have set appropriate direction and policy for the rest of the organisation to follow.


Figure 4. Establish IT governance

Activities: Establish IT Governance

At the activity level, IT governance processes help align IT with the business through the decision-making process used to define actions for achieving strategic goals. This alignment happens through trade off discussions and decision making. As mentioned before, governance is a management process that defines decision rights, makes sure that risk tolerance has been factored into the decisions, and provides a way to set expectations that can be assessed through a compliance process. Establishing the governance structure and process should be done before decisions need to be made. Doing this will help identify the appropriate business and IT representatives who will jointly make decisions and be held accountable. The results of governance activities ultimately affect how initiatives and technologies are chosen and provide the context for the most prized IT resource, people, to realise opportunities and benefits.

The process to establish IT governance includes the following activities:

  • Setting vision. Setting vision is not window dressing. This activity determines the overall governance structure for IT and creates decision making power and accountability. The culture of the IT organisation will be heavily influenced by the way governance is embraced and put into action.
  • Aligning IT to the business. This activity will also determine the suitability of the fit between overall governance for the organisation and IT governance specifically. IT governance will suffer if this coordination is not established.
  • Identifying regulations and standards. Industry specific regulatory requirements and standards play a critical role in gauging the exactness and rigor required for IT governance. These factors need to be examined and appropriately applied.
  • Creating policy. Getting policy right helps guide performance that delivers results based on expected behaviors and appropriate resource use.

Table 5. Activities and Considerations for Establishing IT Governance

Activities Considerations

·        The organisation is subject to regulatory or other external requirements for governance

·        Management wants a clear understanding of the way IT is run

·        Business management wants to understand the contribution IT makes to business results

Set vision

Key questions:

·        What are the top strategic goals of the business?

·        What level of formality is needed to meet GRC requirements?

·        How is IT value realisation measured?

·        How should IT performance be measured?


·        Clear strategic business goals

·        Relevant requirements from applicable standards and regulatory bodies

·        History of organisation’s compliance (or non-compliance)

·        Indication of organisation’s risk tolerance

·        Internal audit’s recommendations for governance

·        Defined approach for measuring value realisation

·        Defined performance indicators


·        Structure of forums for governance activities

·        Governance policies and communication plans

·        General plan for IT risk management

·        Accountability for governance decisions

·        Performance monitoring and metrics

·        Value realisation requirements

·        IT governance charter and owner

Best practices:

·        Understandable goals and clear implications require good communication. Give plenty of opportunities to ask questions, restate, and paraphrase.

·        When possible, map IT governance activities to existing business processes for strategy, planning, and decision making.

·        Design the information architecture so that performance monitoring and regulatory compliance monitoring can make use of the same information when possible.

·        For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.

Align IT to the business

Key questions:

·        Which key stakeholders are needed to make trade off decisions?

·        Which qualifying and decision making processes does the business use to determine general initiatives and projects?

·        What is the organisation’s approach to risk? What is its culture of compliance to directives?


·        Business prioritised goals, management directives, and identified owners

·        Legal’s interpretation of regulatory requirements

·        Clear compliance requirements from the perspective of both business and IT


·        Identified participants for various governance meetings (such as steering committees)

·        Coordinated business and IT planning activities

·        Factors to be considered in IT strategic planning

·        Clearly understood roles and responsibilities between business and IT

Best practices:

·        Reduce political turf battles by bringing stakeholders together with a clear process for determining trade offs and agreed upon escalation paths.

·        Business/IT alignment can occur across many levels of an organisation; provide a forum for discussion at multiple levels.

·        For more information about vision setting and strategy alignment, see the MOF Business/IT Alignment Service Management Function.

Identify regulations and standards

Key questions:

·        What industry based standards or regulatory requirements are drivers for the organisation?

·        Is there a generally accepted framework (such as ISO 20000) that maps well to the organisation in terms of both industry and company compliance culture?


·        Business representation of regulatory requirements for the business

·        IT analysis of IT service management frameworks

·        IT capabilities and constraints: skills and technologies


·        A governance framework that represents the least organisational burden for the greatest benefit to efficiency, effectiveness, compliance, and alignment with the business

Best practices:

·        Frameworks are starting points. They provide the core concepts that then require elaboration and application to the realities of the specific organisation.

·        A deep understanding of company and industry factors is needed to adapt the framework to the unique considerations of one’s own company.

·        IT professionals have technical knowledge that should be considered when applying the chosen framework so that it is achievable and supportable.

Create policy

Key questions:

·        What are the areas where the company wants to explicitly require desired behaviors?

·        What processes should have specific performance measures defined by policy?

·        What does legal representation say about the proposed policy?


·        Any non-compliance or regulatory issues where the company has fallen short of desired actions

·        Senior managements goals for corporate behavior with implications clearly understood


·        Documented and communicated policy

·        Mapping from policy to control objectives

·        Policy enacted into practice

Best practices:

·        For more information about policy creation and use, see the MOF Policy Service Management Function.

·        Audit provides evidence based evaluation and recommendations regarding policy enactment and the control environment.

Process 2: Assess, Monitor, and Control Risk

Risk management is IT’s attempt to address risk while achieving management objectives. IT organisations achieve long term success by managing risk through the effective use of internal controls.

Internal controls are specific activities performed by people or systems designed to ensure that business objectives are met. Careful design, documentation, and operation of controls are crucial at every level of the organisation. Being “in control” means the chances of experiencing adverse impacts from undesirable events are at acceptable levels and that the likelihood of achieving objectives is satisfactory. Internal control is intertwined with and directly affected by an organisation’s governance activities.

Figure 5 illustrates the activities of risk management. It is important to understand that the process of managing each risk goes through all of these activities at least once and often cycles through numerous times. Because each risk has its own timeline, multiple risks might be in each stage at any given point.


Figure 5. The generalised cycle of assessing, monitoring, and controlling risk

Activities: Assess, Monitor, and Control Risk

The process of identifying risks and controls touches all aspects of the enterprise. It provides a foundation for the enterprise’s compliance efforts by clearly laying out the relationship among goals, factors that might prevent achieving the goals, and how those potential events are being addressed.

Each phase of the IT service lifecycle has an associated set of characteristic risks and corresponding activities to manage them:

  • In the Plan Phase, the focus is on risks related to specific strategies, information architectures, and risk across the IT portfolio.
  • The Deliver Phase evaluates risk from a project-oriented perspective, which is more targeted and time-limited.
  • The Operate Phase focuses on day-to-day activities and the risks that might affect reliable operations.
  • Finally, the Manage Layer deals with risk management from both a general and focused point of view: general in terms of governance structures, organisational coordination, decision making, and communication plans; focused in terms of managing change and configuration and the risks that come from modifying elements of the IT service environment as well as processes and resources that are part of that environment.

Categories of risk arise throughout the various phases of the service lifecycle. They involve financial, operational, reputational, market share, revenue, and regulatory risks, as well as other risks that are more specific to a particular organisation’s industry (for example, healthcare) or a presently occurring activity (such as a merger or acquisition).

By approaching risk management in a way that encourages thinking about the potential consequences of activities, evaluating their impact, and then taking a very explicit approach to addressing these risks, IT gains a considerable advantage. An organisation cannot intelligently address risk without both IT and the business sitting down together and defining risk tolerances and control objectives. Since the consequences of risk are evaluated in terms of reaching business goals, this helps integrate IT into business discussions and trade-offs and eliminates after the fact finger-pointing by virtue of the transparency involved in risk management.

This process includes the following activities:

  • Improving processes to address management objectives
  • Identifying risk
  • Analysing and prioritising risks
  • Identifying controls
  • Analysing controls
  • Planning and scheduling implementation
  • Tracking and reporting risks and controls
  • Operating controls
  • Learning from prior efforts and updating knowledge base

Table 6. Activities and Considerations for Assessing, Monitoring, and Controlling Risks

Activities Considerations
Assumptions ·        Risk management extends beyond security and privacy of data to a variety of risks that might affect the fulfillment of management’s objectives (including, among others: financial risk, risk of not fulfilling performance commitments, project risk, and reputational risk).
Address management objectives

Key questions:

·        What could happen that might affect achieving management’s goals and objectives?

·        What can be done to maximise the ability to meet objectives?

·        What are the risk-sensitive business processes that use IT systems?

·        What is the risk tolerance profile that best describes this company?


·        Strategic plan and resulting management objectives
(see the Business/IT Alignment SMF)

·        Regulatory and business conditions

·        Results (success and failure) of risk management to date


·        The organisation’s risk tolerance and approach to risk management

Best practices:

·        Risk management occurs many times during each phase of the IT service lifecycle. Understanding the risks relative to the goals of a particular phase will establish the risk domain.

·        That risk domain, combined with the unique risk tolerance of the company, will guide the approach to managing risks in that phase of the IT service lifecycle.

·        Risk tolerance is fluid and changes with opportunities and potential rewards, as well as incidents and potential penalties.

Identify risk

Key questions:

·        How are business services classified in terms of business criticality and the nature of data used in those services?

·        What is the history of change for the systems that make up each service? What upcoming changes are planned?

·        What is the complexity of the end-to-end system (does it cross multiple interfaces, extend to business partner systems, rely on data or services outside of company control)?


·        Mission of the company (and business units, where appropriate)

·        Risk tolerance and approach to risk management

·        IT portfolio (see the Business/IT Alignment SMF)

·        IT service maps (see the Business/IT Alignment SMF)

·        Incident reports, security events

·        Regulatory environment, non-compliance events


·        IT services risk characterisation report

Best practices:

·        Ensure that senior management is committed to the risk management process.

·        Ensure that participants in risk management have expertise in IT systems and business processes and an understanding of the potential impact to the business.

·        Review critical business services; evaluate each for standard risks and brainstorming for possible risks. Do this with a team that represents differing perspectives and areas of expertise.

·        Risk identification should also include notification to the risk stakeholder. Risk identification should be repeated frequently.

·        For more information on risk identification, see nistspecialpublication800-30r1

Analyse and prioritise risks

Key questions:

·        What impacts will risks and threats (situations or states that might cause harm) have on the organisation as a whole?

·        What are the likely impacts of threats to specific management objectives and associated business processes?

·        Can threats and impacts be broken down into those that could harm IT service performance but not compromise data?

·        What are the known vulnerabilities in the systems that make up IT services?

·        What are the threats to individual systems?


·        IT services risk characterisation

·        Threats

·        Vulnerabilities


·        Threat and vulnerability listings with prioritised risk ratings

Best practices:

·        Transform the estimates or data about specific risks that developed during risk identification into a form that can be used to make decisions about prioritisation.

·        Measure risk in terms of likelihood multiplied by impact and use the resulting scores to help prioritise.

·        Prioritise risks so that the most important ones can be addressed with sufficient resources.

·        Brainstorm for possible unsuspected risks. If some are identified, try to assess whether their potential impact (even if there is a low probability) still merits attention.

Identify controls

Key questions:

·        Based on threats and vulnerabilities for the company, what are the best control points and activities to mitigate those risks?

·        What data confidentiality, integrity, and access vulnerabilities should be addressed with explicit controls?


·        Threat and vulnerability listings with ratings

·        List of primary controls and compensating controls (which usually operate to detect issues after the fact )

·        Interviews with personnel responsible for business objectives and associated processes

·        Interviews with personnel in IT control areas

·        Issues and audit reports


·        Plan that maps controls to IT services and to business processes

Best practice:

·        Controls work together to create a control environment. When evaluating a single control, keep in mind the constellation of related controls, and consider how one control might compensate for another.

Analyse controls

Key questions:

·        What business objectives are being addressed by the identified controls?

·        What evidence demonstrates that the controls are functioning as desired?

·        What does audit require in terms of the type of evidence and its retention?


·        Audit reports

·        List of existing controls

·        Interviews with personnel in each control area

·        Plan that maps controls to IT services and to business processes


·        Control development plan

Best practices:

·        Audit reports provide an independent analysis of controls and usually have recommendations for improving the control environment.

·        A priority focus should be on fundamental controls that must function correctly so that other controls can depend on them (for example, controls for data access).

·        Design controls with evidence collection processes built in to make auditing and other control testing more efficient and effective. Control tests require proof (in the form of evidence) that the control is in place and functions as expected.

Plan and schedule implementation

Key questions:

·        Of the list of planned controls, which controls are not in place?

·        What is the development priority for controls that are not in place?


·        Threat and vulnerability listings with prioritised risk ratings

·        Control development plan


·        Risk and control development plan

·        Identified mitigations

·        Schedule of control-related change requests

Best practices:

·        Use the information obtained from risk analysis to help formulate strategies, plans, change requests, and actions.

·        Use change management processes to ensure that risk plans are approved and incorporated into the standard day-to-day processes and infrastructure.

Track creation; deploy controls

Key question:

·        What is the status of risks and controls?


·        IT service monitoring

·        Evidence retained from control activity

·        Status reports for control development projects


·        Risk reporting

·        Control development status reporting

Best practices:

·        Monitor the status of specific risks and the progress in their respective action plans.

·        Monitor the probability, impact, exposure, and other measures of risk for changes that could alter priority or risk plans (and ultimately the availability of the related IT service).

·        Make sure that the operations staff, service manager, and other stakeholders are aware of the status of top risks and the plans to manage them.

Operate controls

Key questions:

·        Are controls operating as expected?

·        Are risk tolerance levels and action triggers operating as required?

·        Are risk management action plans tracking as expected?


·        Risk reporting

·        Control development status reporting

·        SLA compliance reporting


·        Control operations reporting

·        Service level impacts

Best practices:

·        Execute risk action plans and evaluate their status through risk reporting.

·        Initiate change control requests when changes in risk status or risk plans could affect the availability of the service or SLA.

·        Collect and store evidence that controls are operating. This may take many forms (for example, system logs, documentation that is under change control, or sign-offs from authorised individuals).

·        Notify stakeholders of changes to services that address risk issues.

Learn from prior efforts and update knowledge base

Key questions:

·        Is management satisfied with the way controls deal with known risks?

·        Are risk tolerance levels set appropriately and expected actions triggered when conditions exceed acceptable levels?

·        Have new risks been identified?

·        Do audits indicate an effective control environment?


·        Audit of normal operations

·        Control operations reporting

·        Cost/benefit analysis of controls


·        Risk reporting on at least a monthly basis

·        Risk dashboard if available

·        Up-to-date risk knowledge base

·        Results reported to the Operational Health MR

Best practices:

·        The application of controls is a cost/benefit exercise; it should reflect management’s assessment of the business objective, the identified risk, and the benefit of developing and applying the control. The cost/benefit analysis should reflect the willingness of the company to assume risk, acknowledging that it exists, but its potential impact will be allowed to happen(as opposed to mitigating the risk, which involves attempting to reduce the impact or probability of the risk).

·        Risk learning formalises the lessons learned and uses tools to capture, categorise, and index that knowledge in a reusable form that can be shared with others in the organisation.

Process 3: Comply with Directives

Compliance is an application of risk management that ensures IT’s conformance with company policies, governmental regulations, and industry-specific laws. Some of the better-known compliance laws and their functions are included in the following table.

Table 7. Examples of Compliance Laws and Their Functions

Compliance law Function
The EU GDPR To protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.
Data Protection Act A UK Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system.
BASEL II International standard for banks

Increasingly, compliance activities require greater diligence and responsibility from IT pros. For example, many large corporations have significantly automated their financial management systems, which has resulted in the automation of internal business controls. These application controls are part of the compliance environment. When they are automated, they become part of the IT environment. IT pros must also be aware of general computing controls (for example, the separation of development and test environments), which are defined as those processes, activities, and configurations that are applied across multiple infrastructure components in order to ensure that technology performs as expected.

Evidence and Assurance Reporting

Assurance is the process of providing executive management with an indication of how well its goals and objectives are being met (complied with) by the organisation. Assurance reports are the responsibility of the auditing department, which provides an impartial assessment. This reporting is based on data that demonstrates the effect of controls put in place to achieve results in an intended manner. Evidence is the term used to describe this data, and testing is the process of exercising the controls to generate evidence. It may also refer to evaluating the evidence generated.

This can be confusing to IT pros who usually use the term “testing” to refer to the quality assurance (QA) processes used in software development and system deployment. Saving the actual data used to perform testing (the evidence) is not a common part of the IT pro’s testing methodology. However, auditors want to see evidence collected over a sufficiently long period of time to be able to form an opinion about the effectiveness and efficiency of controls. Another point of confusion between assurance testing and the IT pro’s use of the term “testing” is that assurance testing usually focuses on controls and processes in the production environment. It is focused on what is actually happening in the real world experience of the organisation, not in the isolated test environment, where functional issues can be isolated and resolved.

Finally, assurance reporting can be obtained from several sources (for example, compliance audits, security audits, or auditing related to contractual obligations), and IT pros may find that they are asked for very similar evidence numerous times. By becoming aware of assurance activities in their organisation, exploring retention requirements for evidence, and understanding the use of the required evidence, IT pros can improve efficiency and reduce the disruptive aspects of the assurance process.


Figure 6. Comply with directives

Activities: Comply with Directives

The compliance process is iterative. IT must continually monitor the environment, adapt to regulatory changes, and respond to management directives. IT pros should be careful to look to company policy for directives, rather than interpreting regulations without input from other areas of the business. The regulations themselves should be evaluated by various groups within the company (for example, legal, HR, and finance), who will then determine the company’s stance regarding any particular regulation.

The IT pro should actively bring IT relevant regulations to the attention of the business. These regulations can then be evaluated, the company can determine its position relative to each, and appropriate policies and directives can be constructed to guide decisions and activities. With that pathway established, the auditor will be able to take management objectives, now in the form of directives, and audit compliance to those directives.

This process includes the following activities:

  • Identifying policies, laws, regulations, and contracts
  • Selecting policies, laws, regulations, and contracts
  • Assessing current compliance state
  • Setting future compliance state
  • Creating compliance plan
  • Maintaining compliance
  • Auditing compliance

Table 8. Activities and Considerations for Complying with Directives

Activities Considerations

·        The organisation wants to make sure that directives are followed, whether or not they are subject to formal requirements for governance.

·        IT may have services that carry performance requirements with penalties for non-compliance.

·        The organisation has been subject to audit findings that indicate its control environment is ineffective or inefficient or that have resulted in the company being out of compliance.

Identify policies, laws, regulations, and contracts

Key questions:

·        What laws and regulations (local, national, or global) apply to the company?

·        What governing entities apply to the company’s activities?

·        What objectives require policy to demonstrate management’s intent and to make sure desired activity can be enforced?

·        What IT service commitments carry performance compliance requirements?


·        Worldwide, national, and local laws and regulations

·        Governing entity requirements

·        Management directives

·        Legal’s review of compliance needs

·        Performance requirements from IT service level contracts


·        Identified laws and regulations and the organisation’s directives for compliance

·        Identified compliance directives that support the organisation’s intent to deliver against strategy

Best practices:

·        Compliance has multiple facets, but primary considerations relate to compliance to management objectives, company directives, and legal requirements. Also, services should be performing in a manner that complies with agreements and contracts. Monitoring and metrics may provide information for both areas of compliance.

Select policies, laws, regulations, and contracts

Key questions:

·        Has the business reviewed and determined what laws and regulations the company is clearly subject to?

·        Is there a control framework that effectively covers the laws and regulations that the business is subject to?


·        Reviewed list of laws and regulations and interpretations

·        Risk tolerance of the company

·        Past audit reports

·        Potential control objectives from relevant frameworks


·        List of laws, regulations, and performance and control objectives to be addressed by company policy

Best practices:

·        An organisation’s culture and the way it works to achieve strategic goals will greatly affect the areas selected for compliance activities. Balancing the requirements for compliance and culture requires that the decisions are made openly with appropriate stakeholders.

·        Include legal and audit professionals in the discussion.

Assess current compliance state

Key questions:

·        What is the current state of compliance to relevant laws, regulations, and directives?

·        What is the state of compliance to performance objectives?

·        What is the history of non-compliance incidents and is there an identifiable trend?


·        Risk assessments for systems and business processes (see “Process 2: Assess, Monitor, and Control Risk”)

·        Existing policies and directives

·        Compliance reporting, whistle blower activity

·        Performance compliance for IT service contracts and agreements


·        State of compliance health (report or dashboard)

Best practice:

·        Compliance health can be volatile. One goal of a vigorous compliance program is to decrease volatility through active monitoring of controls and the detection of trends. A compliance dashboard that is frequently refreshed with recent monitoring data will keep senior managers informed, but not burdened with compliance reports. A dashboard should support further investigation into details of compliance incidents.

Set future compliance state

Key questions:

·        In what areas are there recurring incidents of non-compliance?

·        What compliance risks are outside of the company’s risk tolerance?

·        Have penalties been incurred for IT services that failed to comply with performance requirements?


·        Current state of compliance

·        Changes in IT portfolio and service catalogue

·        Changes in regulatory environment relevant to the business

·        Regulatory trends and legal rulings that may impact the business

·        Changes in business tolerance of risk

·        Potential modifications, reductions, and additions to control environment


·        Documented compliance roadmap for future state

Best practices:

·        Consider non-compliance from several perspectives: Are related procedures and guidance inappropriate or confusing? Is the policy too heavy handed and burdensome, which could result in a conflict between performance and compliance? Is training adequate?

·        Consult with legal counsel before finalising policy based on regulation. It is important to have an interpretation of how the company should comply with regulations that includes a broader understanding of legal precedent and maturity of regulations.

Create compliance plan

Key questions:

·        In what ways will the compliant company (the “to be” state) differ from the current company?

·        What is not working effectively in the current compliance program?

·        What resource requirements, training, and changes to policies, processes, and systems will be required to become compliant?

·        Do IT service contracts with performance clauses need to be addressed?


·        Documented compliance roadmap for future state

·        Senior management review of the “to be” state, strategic goals, and business objectives

·        Agreement that the identified “to be” compliant company and strategic goals are compatible

·        Project plans for changing identified IT services to achieve better performance compliance


·        Proposed compliance plan project approved by all stakeholders

Best practice:

·        Pay attention to the culture of compliance in the company. If the company is in a heavily regulated industry, there is likely an expectation that compliance requirements are part and parcel of day-to-day activity. On the other hand, if the industry is one of fast-paced change that is driven by growth, compliance might be seen as a burden or a “tax” to be avoided. Future compliance plans need to take this into account and move the compliance culture in the desired direction based on its current character.

Maintain compliance

Key questions:

·        What non-compliance issues are happening?

·        Are there ways to reduce the costs of compliance without increasing risk?


·        Compliance plan

·        Service management and control reporting
(see the Service Monitoring and Control SMF)

·        Audit reports, control monitoring

·        Risk and compliance tolerance levels


·        Compliance reporting

·        Compliance dashboard updates

Best practices:

·        Compliance issues often contain sensitive information. Certain individuals should see certain parts of this information; other individuals other information. Multiple views of the information along with role-based access to reporting and/or dashboards will help address privacy concerns.

·        The compliance environment is dynamic—it requires frequent reviews of applicable controls. These control reviews should involve a cost/benefit analysis that includes risk dimensions as well as operating effectiveness.

Audit compliance

Key questions:

·        What is changing in terms of relevant laws and regulations or new requirements the company may become subject to?

·        Is the current state of compliance acceptable to senior management?

·        Is sufficient evidence of control activity, testing, and maintaining control compliance kept current and appropriately stored?


·        Legal reviews and updates to regulatory interpretations

·        Auditing of normal operations

·        Reporting and debriefing interviews with senior managers regarding the state of compliance


·        Compliance audit results

·        Updated compliance plan

Best practices:

·        Regulations may have clear consequences for non-compliance, such as fines and/or prison sentences, but often have very general requirements. Legal and audit representatives can help clarify what actually needs to happen for IT to be compliant.

·        Make sure that appropriate and sufficient evidence of control activity is stored for later evaluation. Work with internal and external auditors to understand the requirements for evidence gathering and storage, and initiate that conversation months before any planned audit activity in that area.

·        Ensure the use of service level agreements (SLAs) to help define quality of IT services and establish guidelines for performance and requirements for compliance. For more information about SLAs, see the Business /IT Alignment SMF.


The Governance, Risk, and Compliance SMF provides guidance for integrating GRC activities in the context of processes and activities throughout the IT service lifecycle. This integration makes use of risk management and internal controls present in every SMF to provide consistent ways to make decisions and manage IT activities.

The major processes described in the GRC SMF are:

  • Establishing IT governance.
  • Assessing, monitoring, and controlling risk.
  • Complying with directives.
How can I implement ITIL IQ®?

Hopefully by now you’ll begin to understand the value that the Microsoft Operations Framework can bring to your business. The goals, outcomes and measures outlined above require many activities and considerations which form part of our day to day activities at First Solution. In fact, we’re experts in MOF and have even developed a unique ITIL IQ® process that benchmarks a business’s current state, identifies their desired state and provides an action plan (called a Service Delivery Plan) that helps organisations of all sises achieve their desired business outcomes. Most importantly, our unique ITIL IQ® process begins with a Proactive Services Maturity Review (PSMR) which identifies a score (out of 100) that clearly communicates the current state of your businesses IT operational maturity. Armed with your ITIL IQ® score, a non-IT professional such as a finance or procurement professional can concisely present to the IT Executive Officer the businesses current state, desired state, and ITIL IQ® score with an action plan to improve the ITIL IQ® score and thereby ensure that IT’s goals are aligned with the goals of the business and that both are progressing together. Once the IT Executive Officer has bought into the MOF concept we can help to develop an IT service strategy, IT service map, IT service portfolio and Service level agreements.

How can I manage governance, risk and compliance?

Simply get in touch to arrange a free ITIL IQ® survey and one of our MOF experts will conduct an interview with the IT Manager or IT Executive Officer within your business and provide an ITIL IQ® score with which you can measure the performance of your IT function. Once you know your ITIL IQ® score we can provide a Service Delivery Plan to help you improve it each month and measure and report progress back to you during a Monthly Service Review. And there we have it, an ITIL based solution to simply identify and measure the performance of your IT function. So, are you ready to manage governance, risk and compliance?


The Microsoft Operations Framework 4.0 is provided with permission from Microsoft Corporation. 

Leave a reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.