Patterns for Understanding Control Requirements for Information Systems for Governance, Risk Management, and Compliance (GRC IS)

Document Type

Book Chapter

Publication Date





Companies face a plethora of regulations, standards, and best practice frameworks for governance, risk management and compliance. Information systems (IS) for planning, controlling, and reporting on the compliance with these requirements are known as governance, risk management, and compliance (GRC) IS. However, the challenge lies in mapping control requirements with functionality of GRC IS. In this paper, we review existing regulations and derive a framework for key control requirements. We develop a pattern-based approach that allows to systematically evaluate GRC IS based on the current regulatory situation. We evaluate the pattern catalogue by classifying an existing GRC portfolio. As implications for research, we associate existing control requirements and GRC information systems. As implications for practice, we provide decision support for the selection of GRC IS, depending on situational factors and the expected value proposition. In sum, our framework adds to the understanding of the effects of GRC IS.

Chapter of

Advanced Information Systems Engineering Workshops: CAiSE 2011 International Workshops, London, UK, June 20-24, 2011. Proceedings

Part of

Lecture Notes in Business Information Processing


Camille Salinesi
Oscar Pastor