Congratulations. If you are reading this article, you have either decided that your company needs to create a GRC strategy to improve your overall security and decrease your risks, or you are interested in learning more about how implementing a GRC strategy can improve your security posture. This is an important step in keeping your customers, your employees, and your company better protected from cybercrime and data breaches while remaining in compliance with industry regulations.
However, it is important to note that a GRC framework is not a one-size-fits-all strategy. You may even find that the balance of governance, risk and compliance in your strategy will not be equal.
“While the Governance, Risk management and Compliance in GRC are interrelated, any program developed must have a focus toward matching the organization’s objectives,” said Ignacio Martinez, Smartsheet's VP of Risk and Compliance. “While the reality is that all three will be improved by developing a program, an organization should not lose sight of the original reason they began the GRC journey.”
Martinez recommended you ask the following questions when considering your GRC strategy: Are we implementing GRC to improve our compliance posture? Or is the primary driver to better assess and manage risk?
The most successful GRC strategies permeate the entire organization, from the C-suite to entry-level staff, filtering through every business unit and affecting every employee.
“When implemented this way, a compliance program becomes operationalized, and an integral part of the way we do business every day. Appropriately operationalized compliance can also be a way to drive out waste and increase efficiency across the business,” said Patrick Taylor, CEO with Oversight Systems.
Who’s in Charge?
Someone must take charge of developing and managing the GRC strategy. Who that is depends on the organization and on the role GRC will play in it. Whoever is driving the need for GRC – and this could be several units within the organization – should take the lead, and if more than one group is pushing for GRC, framework building should be a team effort.
Yet, Taylor pointed out, you have to have leadership on board with GRC implementation, so you could have a variety of the organization’s decision makers involved. For example, Taylor said, in most organizations, the Board of Directors and CEO provide strategic oversight and decision-making for GRC. If there is a Chief Compliance Officer (CCO), that person would be responsible for looking across the business horizon for threats and opportunities and then coming up with compliance strategies and tactics to address them. On the operational side of the business, it’s the role of CFOs, CIOs and VPs of Human Resources to ensure that day-to-day processes, technology and employee behavior comply with the policies, procedures, best practices and regulatory requirements under which the organization operates. You will probably want to bring someone from your legal team on board, as well.
Or you may want to institute a Compliance Oversight Review Committee, which sits between the CCO and the Board’s compliance committee. “It brings together senior managers representing all the stakeholder departments needed to make decisions about high-risk issues. Their purpose is to make sure nothing slips through the cracks that might expose the company to unwanted risk,” said Taylor.
What You Need to Get Started with a GRC Strategy
The first step in creating a GRC strategy is understanding what you want from it. “If your GRC program responds frantically to incidents, audit findings, regulatory changes, and partner demands, then most likely you’re simply transmitting that same chaos to the business,” Renee Murphy, principal analyst at Forrester, stated in a white paper.
It’s not going to be an easy process, Murphy added. You need to have a firm understanding of your end goals, not just your current needs. You need to know where your risk categories lie within your business model. According to Murphy, creating your GRC plan must include the following elements:
- An executive summary that acts as your elevator pitch, that one- or two-line description that outlines the priorities and goals, as well as the actions necessary, of your GRC plan.
- A mission statement that is in line with your corporate mission statement.
- A clear picture of what’s happening in your business now, a plan for addressing that internal chaos, and goals and priorities set from that starting point.
- A chain of command to implement the strategy.
- Expected outcomes. If you don’t know where you want to go, you can’t get there. Simple as that.
David Lello, director of Burning Tree, recommended the following steps in implementing an automated GRC strategy:
- Define what matters.
- Identify your risks.
- Design a plan.
- Start small, focusing on key processes.
- Create a system for continuous monitoring.
To put these steps in motion, you need the right tools or solution. “An IT GRC solution enables you to create and coordinate policies and controls and map them to regulatory and internal compliance requirements. These solutions, which are usually cloud-based, introduce automation for many processes, which increases efficiency and reduces complexity,” according to CIO.
However, as Martinez explained, the list of available GRC tools and technologies that claim they can help with compliance is long.
“The most frequent mistake I’ve seen is that companies choose a tool to drive the implementation of a GRC program and don't get the results they want,” he said. “Too often, the focus is on the tool and its workflows, as opposed to the GRC program content itself.”
The solution may be found in artificial intelligence and machine learning technologies. “We are seeing elements of artificial intelligence and machine learning make their way into elements of the GRC world, such as real-time refinement of risk assessments to increase precision based on historical or actual values over time,” said Martinez.
Taylor agreed, adding, “these technologies are far more discerning about identifying questionable behavior and accurately interpreting the gray areas of compliance and risk management. For example, AI-based analytics can help organizations comply with the FCPA. They can scan and analyze an extremely large data set and determine what is normal, customary, and therefore legal.”
Compared to the old-fashioned check-the-box programs with fraud hotlines, documentation and training programs, AI and ML can scan and analyze across dozens, hundreds, thousands or even millions of similar transactions to detect excessive entertainment of specific attendees or other unusual patterns found across travel and expense, accounts payable, purchase cards, and other types of corporate spend.
“However, it’s important to note that monitoring and detecting isn’t enough. The best AI solutions also help you drive out waste, errors, fraud and non-compliance by influencing future employee behavior,” Taylor added. “Most importantly, these solutions become a catalyst for building a stronger, resilient corporate culture of compliance.”
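As an added illustration of the "determine what is normal" idea described above, the following Python script is example code written for this article, not code from Oversight Systems or any GRC product. It runs two of the checks a continuous-monitoring control would apply to travel-and-expense data: a fixed per-transaction policy limit, and a statistical baseline (median and median absolute deviation) that flags attendees whose cumulative entertainment spend sits far outside what is customary. The transaction records, attendee names, the $150 limit and the 3.5 threshold are all constructed for the example.

```python
"""Constructed expense-monitoring example: policy limit plus baseline outlier check."""
from collections import defaultdict
from statistics import median

# Constructed sample records: (employee, attendee entertained, amount in USD).
# These are illustrative values, not data from the article.
TRANSACTIONS = [
    ("alice", "Attendee A", 90.0),
    ("alice", "Attendee A", 90.0),
    ("bob",   "Attendee B", 160.0),   # single transaction over the policy limit
    ("bob",   "Attendee B", 50.0),
    ("carol", "Attendee C", 95.0),
    ("carol", "Attendee C", 100.0),
    ("dave",  "Attendee D", 100.0),
    ("dave",  "Attendee D", 105.0),
    ("erin",  "Attendee E", 95.0),
    ("erin",  "Attendee E", 95.0),
    ("frank", "Attendee F", 500.0),   # repeated high spend on one attendee
    ("frank", "Attendee F", 500.0),
    ("frank", "Attendee F", 500.0),
]

# Constructed policy control: maximum entertainment spend per transaction.
PER_TRANSACTION_LIMIT = 150.0

# Constructed threshold for the robust z-score (a common convention is 3.5).
OUTLIER_THRESHOLD = 3.5


def over_limit(transactions, limit=PER_TRANSACTION_LIMIT):
    """Check-the-box control: every transaction above the fixed limit."""
    return [t for t in transactions if t[2] > limit]


def totals_per_attendee(transactions):
    """Aggregate spend by the person being entertained, not by the employee."""
    totals = defaultdict(float)
    for _, attendee, amount in transactions:
        totals[attendee] += amount
    return dict(totals)


def robust_outliers(totals, threshold=OUTLIER_THRESHOLD):
    """Baseline control: attendees whose total spend is far above what is customary.

    Uses median and median absolute deviation (MAD) so that the outlier itself
    does not drag the baseline upwards, which a mean/standard-deviation check
    would suffer from on a small population. Only high spend is flagged.
    """
    values = list(totals.values())
    if len(values) < 3:
        return []
    centre = median(values)
    mad = median(abs(v - centre) for v in values)
    if mad == 0:
        return []  # no spread in the population; nothing to compare against
    flagged = []
    for attendee, total in totals.items():
        score = 0.6745 * (total - centre) / mad  # robust z-score
        if score > threshold:
            flagged.append(attendee)
    return sorted(flagged)


def review_report(transactions):
    """Findings a compliance reviewer would receive from both controls."""
    totals = totals_per_attendee(transactions)
    return {
        "over_limit": over_limit(transactions),
        "outlier_attendees": robust_outliers(totals),
    }


if __name__ == "__main__":
    report = review_report(TRANSACTIONS)
    for employee, attendee, amount in report["over_limit"]:
        print(f"over limit: {employee} spent {amount:.2f} on {attendee}")
    for attendee in report["outlier_attendees"]:
        print(f"unusual cumulative spend on {attendee}")
```

The two controls catch different things: the fixed limit flags Bob's single $160 dinner as well as each of Frank's $500 transactions, but only the baseline check reports that Attendee F has been entertained far more than any other contact in the data set, which is the pattern a limit on individual transactions cannot see. In a real program the flagged items would feed a review workflow and the thresholds would be owned by the policy, not hard-coded.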
Your approach to your GRC strategy will be unique to your needs. Whatever your GRC covers and how it fits into your overall business solution should help you meet your industry compliance standards while protecting corporate data.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba