Governance, risk and compliance in today's world is becoming increasingly integrated across a wide and diverse set of use cases, ranging from traditional risk management to cybersecurity, third-party management, business resilience, environmental health and safety and regulatory compliance. Fundamental to success in integrated GRC is building an information architecture that supports not only day-to-day operational processes, but also yields the metrics and analytics your organization must leverage to make decisions that improve business performance. The core objective of GRC information architecture is to establish the right framework for your organization based on tightly integrated foundational libraries of organizational elements, risks, controls, policies, vendors, products, assets, regulations, business requirements and best practice content.
Managing GRC information requires an information architecture and governance approach that aligns with your organization. This can be a unique challenge considering GRC information comes from a variety of sources – external feeds of best practice frameworks and regulations, threats and vulnerabilities, and internal sources such as directories, security and IT inventories and monitoring systems. Added to this are the subtleties of setting up a risk and control framework that functions at multiple levels – for example, enterprise risks at the top level reflecting key categories intended for Board and leadership review and discussion, operational risks at a middle level that describe specific business risks within various business units and say, IT or security components at a deeper level that hone in on cyber threats and vulnerabilities.
In addition, a GRC Information Architecture involves mappings to curated content that provides additional GRC intelligence – for example, mapping a section of a security policy to a regulation, as well as a common control from a source like the Unified Compliance Framework (UCF) to give context on how that policy supports requirements from say ISO, FISMA or NIST.
Setting up foundational GRC libraries requires thoughtful consideration to the use case itself, but also the larger picture of how these libraries will be built out over time to support other complementary and extended use cases that are on your GRC program roadmap.
What's the best practice on how to approach this? Common questions are:
In this slideshow, Yo Delmar, MetricStream, covers seven steps that you can take that will help you build out your GRC foundational libraries in a sequence that aligns not only with initiatives on your GRC roadmap, but provides you with a sustainable, ongoing governance process that allows your organization to continuously improve and enrich your GRC information architecture.
Recent years have seen a significant increase in the remote workforce as developments in technology have given employees the freedom to work anywhere, anytime. ... More >>
Establishing a digital governance plan can be a challenge, but with the right education and tools, the job can be made a lot simpler. ... More >>
The newfound emphasis on tools and service integration is shaping a new crop of industry professionals — the actual faces behind the IT infrastructure. ... More >>