Experience: Data and Information Quality Challenges in Governance, Risk, and Compliance Management

Governance, risk, and compliance (GRC) managers often struggle to document the current state of their organizations. This is due to the complexity of their IS landscape, the complex regulatory and organizational environment, and the frequent changes to both. GRC tools seek to support them by integrating existing information sources. However, a comprehensive analysis of how the data is managed in such tools, as well as the impact of data quality, is still missing. To build a basis of empirical data, we conducted a series of interviews with information security managers responsible for GRC management activities in their organizations. The results of a qualitative content analysis of these interviews suggest that decision makers largely depend on high-quality documentation but struggle to maintain their documentation at the required level for long periods of time. This work discusses factors affecting the quality of GRC data and information and provides insights into approaches implemented by organizations to analyze, improve, and maintain the quality of their GRC data and information.