Governance, Risk and Compliance (GRC)

Anil Ranjan, Head IT, Macawber Beekay Private Limited | Thursday, 28 December 2017, 06:22 IST

Governance, Risk and Compliance (GRC) brings together the management of overall governing strategies, risk mitigation, and compliance processes. GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity. As an acronym, GRC denotes GOVERNANCE, RISK, and COMPLIANCE, but the full story of GRC is much more than these three words.

For a successful and effective GRC implementation, the organization should have a single framework for the GRC programme that includes:

1. A centralized repository of approved policies, procedures, standards and guidelines, with version control, data classification (Public/Private/Confidential/Operational) and a defined policy owner for each document.

2. Combined data from multiple departments, including business, HR, IT security, compliance, and auditing.

3. A list of all regulatory, contractual and other compliance requirements.

4. Risk analysis, risk assessments, a risk register, a loss and incident database, and defined risk tolerance and treatment.

5. Requirements management, control testing, findings and exceptions, and evidence management.

6. Relevant reports presented to the board and senior management.

7. Proper and formal information security awareness training and internal promotion, to change the organisation's culture towards compliance.

8. A top-down governance approach.

Challenges of effective GRC implementation:

Because each organization is unique, there is no single approach towards implementing an effective GRC framework. There are several common challenges businesses face when it comes to developing and implementing an effective GRC strategy.

1. IT governance, risk management discipline, information security policy and legal compliance requirements all place a burden on companies to ensure their governance, risk and compliance (GRC) policies protect customers, staff and stakeholders.

2. Reducing risk on a low budget is becoming a key challenge for businesses, especially as the number of cyber-attacks keeps rising.

3. Small businesses and government organizations face the same threats as large corporations, and have the same duty of care to achieve compliance. Unfortunately, many businesses, both big and small, don't have sufficient technology automation or processes to prevent attacks.

4. GRC systems and software are often seen as too expensive and not relevant enough, especially for smaller organizations.

5. No single vision, no compliance culture: The inherent culture within the majority of organizations is one of silos, where each function or business unit has its own information, its own processes and its own set of compliance regulations to meet. This makes developing an effective GRC framework difficult, as there is no single approach to GRC embedded within the culture of the organization. Every business unit has its own objectives within the main organizational strategy, but the fact is that everyone needs to achieve the same overall objective. However, the processes used to achieve it differ across business units, which may lead to a mismatch at different levels regarding the overarching business objectives.

6. No top-down governance culture:

Governance culture needs to come from the highest level and then filter down through the organization if it is to have any chance of being successful. The simple truth is that if the highest-level executives do not take compliance and risk management seriously then nobody else will. Communication is vital to achieve buy-in throughout the organization, and once again, this communication needs to come from the top, and be delivered to all stakeholders, both internal and external.

Changing the mindset of people cannot happen overnight. It is an ongoing process that involves developing a roadmap and appropriate processes; having the right technology; educating and training people; and having the board of directors set an example that filters down to the rest of the organization to follow.

Automating GRC systems is an effective way to implement a robust information security management system on a low budget. Senior management and those legally responsible for the organization can spend more time leading growth, instead of worrying about compliance and data security. Everyone benefits from automated compliance, but there are challenges.

IT security systems won't automate themselves. Before writing a new IT security policy or buying new software, we should analyse the people and the current processes: how do staff currently manage and treat sensitive data (e.g. customer, financial and company-sensitive data)? How many vulnerabilities are there, and how could they be exploited? What data protection procedures and internal controls already exist?

Implementing an automated GRC system means following at least these steps:

1. Define what matters. Does this mean protecting data? Complying with regulatory requirements? Keeping insurance costs low, or reducing the amount of time spent doing admin work?

2. Risk identification: do a risk assessment and find the vulnerabilities in current processes and systems.

3. Design a plan. Put together a plan that brings together the people who interact with security on different levels (e.g. lines of business, HR, finance, physical security, legal, business continuity, IT and of course information security), so that it covers every aspect of the business.

4. Start small, focusing on key processes. Creating a GRC roadmap isn't easy, and it does take time. Essential starting processes include: a policy framework; a controls framework (start with an industry standard such as ISO 27001 or NIST 800-53); risk management; exceptions management; and asset management.

5. Continuous monitoring, review and improvement: GRC automation should be a proactive approach, instead of relying on reactive models. Constant monitoring and review is a lower price to pay than fines, damaged reputation and lost customers.

6. There must be involvement from everyone who influences or is involved with data security, including front-line staff.

One thing is certain: we can never ignore risk and compliance. Government regulators will continue to force through tighter regulation. Clients, customers and stakeholders are requiring stronger controls within their relationships. The globalization of business introduces significant risk, with more points of vulnerability and exposure for the organization.
