Tuesday, March 30, 2010

IT GRC and Risk Management

For GRC to succeed in any enterprise, it should be a process driven by management, i.e., a top-down approach. GRC enables enterprises to maintain consistent, consolidated data which in turn can serve audit, risk management, control and compliance purposes. Good governance needs risk management.

Assessing IT risk is at the heart of enterprise GRC, and it can be performed using either a qualitative or a quantitative approach. Data collection for arriving at a risk figure can take many forms, such as offline interviews, web questionnaires, email, mobile or other devices, but automation can only be achieved from technology resources. Risk calculation is an interesting part of risk management. Some of the input factors required for arriving at risk are policy adherence, the controls established to meet compliance, the handling of incidents and events, and the timely mitigation of risk through remediation. NIST (800-30) and ISO Guide 73 provide enough guidance on how a risk assessment should be performed.

There are a few products in the market which have the capability to automate data collection from technology sources as evidence and to provide risk analysis reports. Risk is closely related to the business and is specific to each organization. How much automation is really possible in risk management, and whether it will really be useful for enterprises, are open questions I am trying to find answers to now.