Book Review: Governance, Risk Management and Compliance

Governance, Risk Management and Compliance
Author: Richard M. Steinberg | Reviewed by Maria Patricia Prandini, CISA, CRISC
Date Published: 22 October 2015

Governance, Risk Management and Compliance: It Can’t Happen to Us—Avoiding Corporate Disaster While Driving Success invites readers to think about using governance to promote the business. Those who peruse this book can gain a clear understanding of how the establishment of the right processes, organization and technologies can guarantee the accomplishment of corporate governance goals.

Over the last 20 years, there has been an increase in the negative perception of once highly respected companies. In Governance, Risk Management and Compliance, author Richard M. Steinberg describes, in detail, the cases of several organizations that failed to develop a corporate culture based on integrity and ethical values and, in contrast, companies that built success through sound perspectives on these issues. Among the factors leading to success, the sound use of technology is considered central to the company’s achievement of corporate governance.

Organized in 18 chapters, the book starts with a very clear explanation of what the discipline of governance, risk management and compliance (GRC) is and why it matters. The author shows how these related but somewhat disparate concepts have a positive impact on the achievement of corporate goals and can drive companies to success when properly implemented.

The following chapters present the key elements that drive GRC. Culture, cost-effective compliance programs, ethics, risk management and other issues are described in detail. The book also provides many examples of companies that suffered and companies that succeeded with GRC programs to help readers understand the best ways to implement the GRC efforts they need. Other important issues such as the role of the boards of directors (BoD) and chief executive officers (CEOs), performance measurement and reporting, and internal control are also explained in this book.

Finally, the concluding chapter discusses the future of GRC and presents new models for board governance, the components of a healthy governance environment and how risk management will evolve in coming years.

Although not IT-centered, this book will be of interest to any professional looking for a better understanding of the complex subject of GRC. In fact, those interested in IT governance and management will surely gain valuable insights into the role of GRC implementation in achieving corporate goals, avoiding corporate disaster and driving organizations to success.

Reviewed by Maria Patricia Prandini, CISA, CRISC, who has a long career as a public official in different positions related to information technology in the Argentine Government. Prandini was involved in the development of the National PKI and the foundation of ARCERT, the first governmental computer security incident response team (CSIRT) in Argentina. She is the immediate past president of the ISACA Buenos Aires (Argentina) Chapter.