IT GRC is a massive undertaking; it cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. Don’t neglect the stakeholders: IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance. Organizations that already have a strong, if inefficient, GRC program in place are most likely to benefit from it, says Forrester’s blog post Avoid the ROI discussion if possible (but if you can’t)”]
Source: https://www.csoonline.com/article/2127516/dos-and-don-ts-for-it-grc-success.html