What is federated GRC?
GRC, by definition, involves bringing together governance, risk and compliance disciplines from across an increasingly complex, extended enterprise with deep interlocks to customer and supplier ecosystems. While it is not realistic to expect organizations to converge on a single set of GRC processes across this landscape, there is real value in taking a federated approach to GRC that leverages the common risk elements from each business unit, from IT and security teams, and from the management of third parties.
Building a federated GRC capability involves understanding the information architecture and processes that are critical to improving business performance, lowering risk exposure, and ensuring compliance with policies and regulations across the entire organization and its vendor communities. It’s important to engage stakeholders from different business units and collaboratively define what needs to be common, versus what can, or must remain federated, but rationalized through a roll-up in the context of the organization as a whole – its strategic objectives, its legal obligations and its risk appetite.
The degree of federation that makes sense will be very tightly tied to the operating model, and will reflect the reporting requirements and decision-making authority that resides within each unit. For example, a highly distributed organization with very distinct businesses may require a broader degree of federation than a global organization that is highly regulated, and therefore requires greater consistency and predictability across the business. Federation requires an understanding of your organization, its natural structure, and its objectives in order to strike the right balance.
Yo Delmar, vice president, MetricStream, has identified steps organizations can take to establish an integrated GRC and security approach using a “federated” model.
Ensuring the taxonomies of risk and compliance remain unique where they need to be, and centralized at the risk and control framework level.
Different business units and functions that support governance, risk, compliance and security have valid and varied approaches to risk management based on what they are trying to achieve and the business process itself. Many processes are quite mature, relatively efficient, based on international standards, and aligned with a well-established and finely tuned framework for decision-making.
Such examples include the processes that govern how new vendors are brought on board and risk-assessed, how credit card data is processed, or a public company’s SOX compliance program. Other processes may be less mature and based on new business or regulatory requirements, such as those around the company entering a new market in China, or launching a new product or service.
When looking at how your organization manages risk, you can expect to find varied approaches, disciplines and perspectives. The project management office (PMO) will be looking at a different set of risk factors than operational risk, audit or security. Security application risk assessments may leverage network and application vulnerability information, as well as business continuity information on maximum downtime tolerances. The audit group may have a different method for assessing current and emerging risks, while ensuring controls are effective and properly designed. The operational risk group may look at risk in terms of its velocity, frequency and severity when assessing internal and external loss events. All of these approaches are valid.
The actual risk rating for a set of processes will likely vary based on the perspective of the assessor. Federation respects different perspectives through an appropriate weighting and roll up, and the rationalization of perspectives against a common risk and control framework. At its very core, a federated GRC program strives to achieve a common risk and control framework and issue and remediation process, while also supporting a wide variety of taxonomies, processes, metrics and workflows.
Leveraging security team risk assessments based on likelihood, impact, and other factors such as threat source, motivation, skill level and access – targeting sensitive and critical technology and information assets.
Federation leverages security team risk assessments that account for a wider range of factors than typical operational or enterprise risk assessments. Security teams look at likelihood and impact, but also at threat source, motivation, skill level and access for the threat vectors that target sensitive and critical technology and information assets. In addition, security teams enforce compliance with security configuration baselines on key assets, so that those assets stay aligned with international standards and technology vendor recommendations.
IT and security teams also rely on monitoring technologies that aggregate, correlate, and analyze information from a wide variety of systems across the infrastructure, network and application layers. They are proactively monitoring, and reactively assessing evidence that indicates instances of non-compliance, anomalous behavior, or potential attacks or breaches.
This level of granularity supports a near-real-time picture of potential exposure, which IT and security teams need in order to protect information assets. The results of both periodic and continuous risk assessments add depth and context to operational risk, business continuity and audit, and show how federation, when rolled up into an enterprise view, provides more accuracy and context around the size, scope and scale of risks to a business process.
Balancing coordination of shared IT, security and GRC data and resources and services with distributed business unit management of GRC to provide more centralized oversight.
Federated risk management establishes enterprise-wide risk taxonomies for risk identification, analysis and treatment, while supporting distinct risk taxonomies, methods and workflows that meet the needs of a particular organization. Risk information is aggregated, rationalized and normalized for enterprise risk reporting based on a common framework, a process for capturing incidents, findings and issues, and a workflow for executing remediation plans.
A flexible data model is table stakes for a successful federated approach. Technology can really help build a foundation for federation – in fact, federation can’t really be done well without it. A GRC data model needs to support the definition of organization entities, and libraries of shared policies, risks, controls and assets, but also be capable of extending to support unique data and workflows within a business unit or group. In this way, a GRC platform can act as a central repository that provides a single version of the truth.
Federation also requires both organization-based and role-based access control: users from a federated unit see only what they are authorized to see, while those in centralized functions have access to rolled-up information across all units. A GRC technology platform that supports federation can consolidate and rationalize information and processes in a way that point solutions cannot.
Furthermore, a federated GRC platform has the capability to reach into the technology eco-system and pull information in and send information back out to business, IT and security monitoring systems in order to provide a near-real-time view of risk and compliance – whether that data be unstructured or structured. Having actionable information all in one place means the organization can slice and dice information to provide analytics and true insights into when, why, and how to take on risk. The capabilities of a GRC platform that truly support federation are necessary in order to move up the maturity curve to GRC intelligence.
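The two mechanisms described above, rationalizing differently scaled ratings against one common framework with a weighted roll-up, and scoping who sees which unit's data, are easy to state and easy to get wrong. The following is an added example, not code from the original page or from any GRC product. The converters, the 0 to 100 common scale, the assessor weights, the field names and the findings are all constructed assumptions for illustration; a real program would take these from its agreed risk and control framework.

```python
"""Added example (not from the original page): federated risk roll-up with scoped access.

Each business unit keeps its own rating taxonomy; a shared converter maps every
rating onto a hypothetical common 0..100 scale, a weighted roll-up produces one
score per business process, and a user only ever sees the findings of their own
unit unless they belong to a central function.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Hypothetical converters from each unit's taxonomy onto the common 0..100 scale.
# The disciplines come from the page; the scales and formulas are assumptions.
def pmo_five_point(raw: int) -> float:
    # Project management office: single 1..5 score.
    return (raw - 1) / 4 * 100

def audit_low_medium_high(raw: str) -> float:
    # Audit: qualitative Low / Medium / High.
    return {"low": 20.0, "medium": 55.0, "high": 90.0}[raw.lower()]

def ops_velocity_frequency_severity(raw: tuple) -> float:
    # Operational risk: velocity, frequency, severity, each 1..5.
    velocity, frequency, severity = raw
    return velocity * frequency * severity / 125 * 100

def security_threat_adjusted(raw: Dict[str, float]) -> float:
    # Security: likelihood x impact (1..5 each), scaled by threat capability
    # (skill, motivation, access, each 0..1) so a capable, motivated actor
    # with access pushes the rating up and a weak one pulls it down.
    base = raw["likelihood"] * raw["impact"] / 25 * 100
    capability = (raw["skill"] + raw["motivation"] + raw["access"]) / 3
    return base * (0.5 + 0.5 * capability)

CONVERTERS = {
    "pmo": pmo_five_point,
    "audit": audit_low_medium_high,
    "ops": ops_velocity_frequency_severity,
    "security": security_threat_adjusted,
}

# Hypothetical assessor weights agreed in the common framework.
WEIGHTS = {"pmo": 1.0, "audit": 1.0, "ops": 1.0, "security": 1.5}


@dataclass(frozen=True)
class Finding:
    process: str     # business process the rating applies to
    unit: str        # federated unit that owns the finding
    taxonomy: str    # which converter understands `raw`
    raw: Any         # rating in the unit's own taxonomy

    def normalized(self) -> float:
        return CONVERTERS[self.taxonomy](self.raw)


@dataclass(frozen=True)
class User:
    name: str
    unit: Optional[str]  # None marks a central function with a cross-unit view


def visible(user: User, findings: List[Finding]) -> List[Finding]:
    """Organization-scoped access: unit users see their unit only."""
    return [f for f in findings if user.unit is None or f.unit == user.unit]


def rollup(user: User, findings: List[Finding]) -> Dict[str, float]:
    """Weighted mean per process on the common scale, over what the user may see."""
    numerator: Dict[str, float] = defaultdict(float)
    denominator: Dict[str, float] = defaultdict(float)
    for f in visible(user, findings):
        weight = WEIGHTS[f.taxonomy]
        numerator[f.process] += weight * f.normalized()
        denominator[f.process] += weight
    return {p: round(numerator[p] / denominator[p], 1) for p in numerator}


# Constructed sample findings: two units rate the same payments process differently.
FINDINGS = [
    Finding("Payments", "Retail", "pmo", 4),
    Finding("Payments", "Retail", "audit", "High"),
    Finding("Payments", "Retail", "security",
            {"likelihood": 4, "impact": 5, "skill": 0.8, "motivation": 1.0, "access": 0.6}),
    Finding("Payments", "Corporate", "ops", (2, 3, 4)),
    Finding("Vendor onboarding", "Corporate", "audit", "Medium"),
]

CENTRAL_AUDITOR = User("central-audit", None)
RETAIL_RISK_LEAD = User("retail-risk", "Retail")
CORPORATE_RISK_LEAD = User("corporate-risk", "Corporate")

if __name__ == "__main__":
    for user in (CENTRAL_AUDITOR, RETAIL_RISK_LEAD, CORPORATE_RISK_LEAD):
        print(user.name, rollup(user, FINDINGS))
```

The central roll-up for "Payments" differs from what either unit sees on its own: the Retail lead sees a high score driven by the security assessment, the Corporate lead sees a low operational score, and only the central view combines both. That is the point of federation: each unit keeps its own taxonomy and its own view, and the rationalized picture exists only at the level that is authorized to see across units.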
Bringing together organizational / business-line silos that may currently manage GRC in inefficient and ineffective ways.
Bringing different stakeholders together to understand and implement a federated GRC model may seem like a huge challenge when operating from the trenches, but in fact, when IT and security teams are aligned with the organization’s business strategy, and connected to the right stakeholders, federated GRC can be a natural extension of how the business works together to achieve superior performance. Leadership teams are driven to operate efficiently. They want to lower risks that may derail the business strategy and its operations, but also leverage opportunities to differentiate and grow. This can only be achieved when the organization understands and accepts risk in a more thoughtful and analytical way.
The value of GRC federation into IT and security.
In today's world, many organizations operate in a constant state of change, giving more autonomy to business units that operate locally and globally. When an organization has a vision for an integrated, yet federated GRC initiative, establishing the right foundation, articulating the mission, and outlining the goals and objectives must be a collaborative process with the right stakeholders. Organizations that strike the right balance of federation can support the long-term maturity, readiness and strategic intent of the business and its key stakeholders. This approach is far more successful than one that does not make the conscious choice to manage GRC as an integrated program.
Over time, a GRC program can bring in shared services and centers of excellence to support common processes for policies, training, issues reporting and management across multiple federated business units in a way that delivers efficiencies and promotes cost savings through economies of scale. This ensures the continuity, agility and resiliency of common processes, and also supports training, collaborative learning, and a culture of continuous improvement.
Most importantly, managing resources in a coordinated way drives increased quality and provides the foundation for organizational transformation. For most organizations, it takes a series of small successes to create the groundswell of support needed to demonstrate that GRC initiatives must serve as part of an integrated program that relies on structure, teamwork and strategic investment. A strong GRC program comes together only once the right foundation has been put in place.