Today I would like to kick off on a slightly scholarly note by introducing the concept of transaction costs. The theory was first developed by R.H. Coase in his 1937 paper The Nature of the Firm and further elaborated by O.E. Williamson in The Economics of Organization: The Transaction Cost Approach. Both ended up winning the Nobel Prize in Economics for their contributions in analysing and describing the cost of participating in a market. I would like to apply this concept to using software and discuss some of the transaction costs that may prevent a person from using an IT system. When defining the concept, the economists were focussed on analysing transaction costs such as taxes or price controls. If you consider that economic behaviour is, at its core, the constant decision making of the actors in an economic system, guided by the scarcity of certain resources (e.g. food, money, time, attention) and the corresponding incentives of controlling a chunk of said resources (e.g. financial gain, increase in autonomy, less pain), this concept can easily be applied to users of software. Anything that hinders or inconveniences the use of an IT service shall be considered a transaction cost for this exercise.
In our lives before Alyne, we spent our days designing, implementing and reviewing security, governance and risk management solutions for companies of many sizes and industries across many different countries. We recently got to comparing notes on organisations that were highly successful in this space and others that we felt should have accomplished more and of course the companies that failed miserably.
As explained in the previous article, GRC typically is a practice of tying together governance, risk, and compliance activities in an integrated program supported by organization, processes, and tools. In some form or other, organisations of all shapes and sizes are already engaged in GRC activities. However, depending on their industry and overall size, they might have different stages of advancement.
In today’s business world, depending on the industry, you will come into contact more and more with the term GRC or “Governance, Risk, Compliance”. In certain circles this has come to be almost a kind of new management philosophy that fills the whole working day of entire departments.
We will launch an article series on this blog examining the various facets of IT security and risk management practices, the governance thereof, and how they are currently applied within various organisations. During this examination, we hope that the esteemed reader will be able to recognise cases, pitfalls, and successes from their own areas of influence and take some value out of this content to apply to their future endeavours in this topic.