Governance, risk, and compliance, or ‘GRC’, is not new. Every organization operates under some level of one or more of these concepts. The major differences between organizational GRC strategies typically lie in the degree of implementation and maturity of the program. For example, risk frameworks may differ or be legislated, depending on the industry the business operates in. Maturity generally ranges anywhere from informal and undocumented to documented, consistent, and proactive (using CMMI rating levels). In addition, the budget that an organization devotes to its GRC program has a direct impact on implementation and maturity. With these factors in mind, the goal of any organization should be an integrated and seamless GRC strategy and program that supports the business mission, risk tolerance, and IT capabilities within an approved budget.
Developing or assessing an organization's GRC strategy should begin with an understanding of the business mission and desired outcomes. An organization that strives to provide a product that the end-user is responsible for securing will clearly have different goals than an organization that prides itself on the security of the data it collects. In the first example, an extensive GRC strategy could result in costs that are not recaptured through the sale of the product, resulting in excess overhead, a confused organizational security culture, and unclear direction. In the second example, an immature GRC strategy could result in data loss, fines (e.g. for non-compliance with HIPAA, PCI DSS or GDPR), and reputational damage that could span decades. Thus, understanding the business mission and ensuring that the GRC strategy supports that mission is not only paramount to the success of any GRC program, but can also provide key foundational support for the business itself. GRC doesn’t just protect the security of systems; it also protects the organization and ensures controlled and strategic spending on enhancements specifically designed to support the business mission.
In a similar vein, risk tolerance is a key input to any GRC strategy. Understanding risk tolerance provides a clear mapping of where GRC efforts should be focused throughout the organization. An organization with moderate tolerance might evenly distribute GRC resources across people, processes, and technology. An organization with a very low risk tolerance may distribute GRC resources more heavily in the technology space, where risk is less dependent on people and processes and more easily controlled with configuration settings. Risk tolerance also helps inform budgetary decisions. An organization with higher risk tolerance may decide to spend less on GRC resources, and the resulting strategy should be fully aligned with the available budget. Failing to align GRC strategy to risk tolerance can result in many problems: from underspending, and failing to implement the programs necessary to reduce residual organizational risk, to overspending, or worse, failing to implement the programs or initiatives required to protect the organization in the current threat landscape.
Spanning the business mission and the organization's risk tolerance are its IT capabilities. Organizations that have control over their IT, such as through data center ownership or custom applications and supporting infrastructure in the cloud, will need more comprehensive GRC strategies than organizations that rely on infrastructure owned and managed by third parties or vendors, such as subscription services. Of course, many organizations use a combination of IT approaches, and the GRC strategy should incorporate goals and outcomes for all of them. That said, GRC strategy must begin with a clear picture of the current state of capability. Organizations are often quick to adopt aggressive GRC strategies in order to reduce risk quickly. However, a measured roadmap that starts from the current state and adds strategic, risk-based enhancements over reasonable timelines has a much higher probability of success. Keep in mind that it is not just IT capability that needs enhancement. Budget requests need to be accepted. Ensuring that the people who administer the IT are trained and proficient is paramount. Planning for parallel IT and a phased cutover should be considered, depending on the ability of the end-user community. A GRC strategy that is overly aggressive can cost more in time, resources, attrition, morale, and confidence in leadership. A GRC strategy that is too slow or fails to consider existing IT capability may be redundant and inefficient and, again, lead to loss of confidence in leadership.
Point B understands that GRC should not exist in a black box. An informed and effective GRC strategy is one that is supported by organizational leadership and validated through its support of the business mission and risk tolerance. Point B helps leadership teams identify and then fulfil GRC outcomes that are customized, strategic, and in support of leadership vision.
To help organizations mature their GRC strategy, Point B offers many capabilities: from vCISO (a highly experienced senior information security specialist who provides advice and direction to an organization’s teams) to full GRC assessment and roadmap delivery; from clear and actionable insights for leadership to the implementation of GRC, information security, and technology enhancement projects; and everything in between.
Point B understands that every business is unique. We have proven success in partnering with our clients to enable smart, scalable growth and maturity in the GRC and technology transformation space.