In fact, the report points out that the most mature firms choose components from a tightly-focused group of frameworks from which to construct their own frameworks. And, unlike less-mature companies, the frameworks are evenly split between those for IT operations, assurance, audit, compliance and external vendors, and those used by senior IT managers to manage the value delivered by IT. Companies lower on the scale tend to concentrate on the operational frameworks.

The most mature companies also altered some business practices, such as:

• Greater senior management involvement in GRC
• Involving the audit committee in GRC
• IT, Legal, audit and Finance all providing leadership
• Employee training in GRC, and fostering a culture of compliance
• Making improvements to IT risk assessments, data protection, IT audit, risk and compliance practices and capabilities
• Adjusting to IT spending to support necessary capabilities
• Implementing a continuous quality improvement program for IT GRC
• Developing an integrated IT GRC program

But that's not all. Mature organizations also adjusted IT procedures and practices to make them consistent and repeatable. Ten key practices included:

• Access to sensitive data and protected data on PCs and laptops is segmented and limited.
• Meaningful and measurable control objectives and policies based on business risk are employed.
• IT policies, process frameworks and control objectives (KPIs, for example) are mapped to one another.
• Common IT procedures are employed for audit.
• Three times more controls are employed than objectives.
• Consistent configurations and common IT procedures are employed.
• Automation is widely employed.
• 50 percent of all controls are technical controls, and 100 percent of these are automated.
• Specific IT activities, such as collection of audit-related data, are automated.
• Policy-in and audit-out for technical controls is managed.
• IT change control and unauthorized change prevention are implemented.
• Monitoring, measurement and reporting occur frequently; from continuously to at least once a month (the average was 22 times a year).

Getting to that coveted state of maturity, with its attendant benefits, does involve some work, and companies lower on the scale are best advised to take the changes in bite-sized pieces to increase the likelihood of success. The report recommended a procedure for incrementally improving IT GRC practices that will probably be familiar to many:

• Assess the current maturity state of the organization
• Determine the business and financial outcomes from the current maturity profile
• Identify desired maturity, agility, quality, financial and compliance objectives
• Identify the practices and capabilities needed to achieve desired objectives
• Qualify and quantify expected costs, savings and financial risks
• Implement the quality improvements to achieve objectives
• Measure the results and repeat the steps.

In other words, follow the processes outlined in the Deming and Six Sigma continuous quality improvement cycles.

So, you ask, how do you figure out where you sit on the maturity scale? IT PCG offers a useful tool: an interactive application that allows you to answer some questions and, based on those answers, see your score. A little judicious fiddling can then help you determine the potential effect on your maturity level of various adjustments to policies and procedures, and find the ones that offer the biggest bang for the buck.

Once you know where you are, you can formulate plans to get to the magical point on the maturity scale where the CFO actually smiles.