An organization should have a structured approach to governing, defining, designing, implementing and managing information technology resources so that it can effectively support the program. In this context, technology resources include:
> operating systems
> middleware
> development tools and environments
> applications and application environments
*** NOTE *** OCEG's Technology Council will define these principles and practices in 2008. An initial draft is presented here.
Information technology (technology) is a critical success factor driving GRC performance. Technology organizations and the solutions they implement or manage are vital to governing an organization effectively. Those organizations are in a unique position because they play a dual role in GRC:
1. In one role technology has to meet compliance requirements that are specific to the technology environment.
2. In the other role technology is used to automate and drive efficiencies in GRC performance for requirements falling outside of technology.
What this means is that technology organizations are in a key position with respect to selecting and implementing an effective GRC central nervous system. However, much like the processes implemented to address risk or compliance, technology itself is evolving in the way it addresses risk and compliance:
> Yesterday, technology was focused on fire-fighting and reacting to risk and compliance issues.
> Today, technology is in a state of proactively managing risk and compliance within the technology department.
> Tomorrow, technology will likely move beyond proactively managing its own risk and compliance to a point where it can be used in business to build a GRC central nervous system that monitors risk and compliance thresholds across the organization in real time. Technology can become the foundation for building a sustainable GRC program within an organization.
In order to provide this sustainability, it is necessary to keep the following principles in mind:
1. Technology is relevant to the oversight of GRC:
> Business depends on technology as the foundation for communication and business processes; therefore boards must be technology-informed, ensure implementation of reliable systems and be competent in their use in order to fulfill their fiduciary duties.
> With the pace of new mandates, legal requirements and risk management expectations in a global economy, it is mandatory that government be technology-informed and competent in order to drive mandates with reasonable prospects of efficient implementation.
2. Technology is an enabler for sustainable GRC:
> GRC technology is a critical enabler for implementing GRC processes that span multiple organizations (such as those in a supply chain) and that require a distributed, comprehensive view of the risk/compliance ecosystem within and outside the organization (suppliers, partners, customers, governments, etc.).
> Beyond simply facilitating transactions, technology should focus on information availability and quality (enterprise and operational).
> GRC technology spending should take into account economies of scale, risk mitigation and ROI.
3. Technology provides the architecture for efficient GRC:
> A comprehensive technology strategy and roadmap is essential to reduce unnecessary complexity.
> Technology's role in the enterprise should generally be transparent if the goals of enterprise GRC are to be met (this requires careful definition of the information to be produced in support of effective corporate governance).
> Technology organizations should, whenever possible, leverage existing investments across GRC (compose vs. code).
Principles
> Enables the program
> Integrated with the technology system and organizational objectives in place
> Transparent
Business Objectives
To ensure that the entity is able to effectively acquire, design, implement, manage and maintain technology and infrastructural resources to support the compliance and ethics program.
Considerations
Consider ways to monitor technological developments that may be relevant to the compliance and ethics program.
Critical Success Factors
New technology must support the program and be fully integrated with the objectives of the organization.