ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

By : Shobhit Mehta

Overview of this book

For beginners and experienced IT risk professionals alike, acing the ISACA CRISC exam is no mean feat, and the application of this advanced skillset in your daily work poses a challenge. The ISACA Certified in Risk and Information Systems Control (CRISC®) Certification Guide is a comprehensive guide to CRISC certification and beyond that’ll help you to approach these daunting challenges with its step-by-step coverage of all aspects of the exam content and develop a highly sought-after skillset in the process. This book is divided into six sections, with each section equipped with everything you need to get to grips with the domains covered in the exam. There’ll be no surprises on exam day – from GRC to ethical risk management, third-party security concerns to the ins and outs of control design, and IDS/IPS to the SDLC, no stone is left unturned in this book’s systematic design covering all the topics so that you can sit for the exam with confidence. What’s more, there are chapter-end self-assessment questions for you to test all that you’ve learned, as well as two book-end practice quizzes to really give you a leg up. By the end of this CRISC exam study guide, you’ll not just have what it takes to breeze through the certification process, but will also be equipped with an invaluable resource to accompany you on your career path.
Table of Contents (28 chapters)

Part 1: Governance, Risk, and Compliance and CRISC
Part 2: Organizational Governance, Three Lines of Defense, and Ethical Risk Management
Part 3: IT Risk Assessment, Threat Management, and Risk Analysis
Part 4: Risk Response, Reporting, Monitoring, and Ownership
Part 5: Information Technology, Security, and Privacy
Part 6: Practice Quizzes
  Chapter 18: Practice Quiz – Part 1
  Chapter 19: Practice Quiz – Part 2

Governance, risk, and compliance

In this section, we’ll look at the concepts of GRC, their interrelationships, and how to differentiate among them.

What is GRC?

GRC is an acronym that stands for governance, risk, and compliance. It can be defined as a common set of practices and processes, supported by a risk-aware culture and enabling technologies that improve decision-making and performance through an integrated view of how well an organization manages its unique set of risks.

A GRC program aims to provide the organization with an overarching framework that streamlines its different functions, such as legal, IT, human resources, security, compliance, privacy, and more, so that they all collaborate under a common framework and set of principles instead of running as isolated functions and programs.

Governance is the organizational framework through which stakeholders set the tone and direction for the organization and keep its activities aligned with business objectives. It consists of the rules that run the organization: the policies, standards, and procedures that set direction and control the organization’s activities. In large companies these stakeholders are typically the board of directors; in small and medium enterprises, senior executives.

Risk management is the process of optimizing organizational risk to acceptable levels: identifying potential risks and their associated impacts, and prioritizing mitigation based on the impact each risk has on business objectives. Its purpose is to analyze and control the risks that could deflect the organization from achieving its strategic objectives.

In a qualitative assessment, risk is rated as likelihood × impact, with both factors scored on ordinal scales (for example, 1 to 5) rather than measured in monetary terms, whereas the Factor Analysis of Information Risk (FAIR) methodology is widely used for quantitative risk assessment in mature organizations.
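As an added example (not code from the book), the following Python contrasts the two approaches: a qualitative likelihood × impact rating on 1 to 5 ordinal scales, and a simplified FAIR-style Monte Carlo estimate of annualized loss exposure (ALE) built from Loss Event Frequency (LEF) and Loss Magnitude (LM) estimates. The scale bands, the triangular min/most-likely/max estimates, the scenario and the risk tolerance figure are all constructed for illustration; the real FAIR ontology decomposes LEF and LM into further factors that this example collapses.

```python
import math
import random
import statistics

# --- Qualitative: ordinal scales, risk = likelihood x impact, then banded ---
# The 1..5 scales and the band cut-offs are constructed for this example;
# every organization defines its own.
BANDS = ((15, "High"), (8, "Medium"), (1, "Low"))


def qualitative_risk(likelihood: int, impact: int) -> tuple[int, str]:
    """Return (score, band) for likelihood and impact each rated 1..5."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be rated on the 1..5 scale")
    score = likelihood * impact
    band = next(name for floor, name in BANDS if score >= floor)
    return score, band


# --- Quantitative: simplified FAIR-style Monte Carlo ---
def _poisson(lam: float, rng: random.Random) -> int:
    """Number of loss events in one year for an expected frequency lam
    (Knuth's algorithm; adequate for the small annual frequencies used here)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def fair_ale(lef_estimate, lm_estimate, trials: int = 10_000, seed: int = 1) -> dict:
    """Estimate annualized loss exposure.

    lef_estimate: (min, most_likely, max) loss events per year
    lm_estimate:  (min, most_likely, max) loss per event, in currency units
    Both are sampled from triangular distributions. Each trial draws a
    frequency, draws a Poisson count of events for that year, and sums one
    magnitude draw per event. Returns the mean and percentiles of annual loss.
    """
    rng = random.Random(seed)  # fixed seed so reviewers can reproduce the run
    lef_lo, lef_mode, lef_hi = lef_estimate
    lm_lo, lm_mode, lm_hi = lm_estimate
    annual_losses = []
    for _ in range(trials):
        # random.triangular takes (low, high, mode), not (low, mode, high)
        lef = rng.triangular(lef_lo, lef_hi, lef_mode)
        events = _poisson(lef, rng)
        loss = sum(rng.triangular(lm_lo, lm_hi, lm_mode) for _ in range(events))
        annual_losses.append(loss)
    annual_losses.sort()

    def pct(q: float) -> float:
        return annual_losses[min(int(q * trials), trials - 1)]

    return {
        "mean": statistics.fmean(annual_losses),
        "p10": pct(0.10),
        "p50": pct(0.50),
        "p90": pct(0.90),
        "max": annual_losses[-1],
    }


def within_tolerance(ale: dict, tolerance: float, percentile: str = "p90") -> bool:
    """Compare a chosen percentile of annual loss against a monetary risk
    tolerance (the tolerance is whatever figure governance has approved)."""
    return ale[percentile] <= tolerance


if __name__ == "__main__":
    print(qualitative_risk(4, 5))  # (20, 'High')
    # Constructed estimates for a hypothetical credential-stuffing scenario:
    # 0.1 to 2 events a year (most likely 0.5); 10k to 250k per event (most likely 50k)
    ale = fair_ale((0.1, 0.5, 2.0), (10_000, 50_000, 250_000))
    for key, value in ale.items():
        print(f"{key:>4}: {value:>12,.0f}")
    print("within 200k tolerance at p90:", within_tolerance(ale, 200_000))
```

The qualitative score is only useful for ranking scenarios against each other; the quantitative summary is what can be compared with a tolerance expressed in money, which is why comparing the p90 (or another percentile governance has chosen) rather than the mean is the more conservative check.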

Compliance requirements for an organization ensure that all obligations, including but not limited to regulatory factors, contractual requirements, federal and state laws, and certification or attestation requirements such as ISO 27001 or a SOC 2 audit, are adhered to, and that any gaps in compliance are logged, monitored, and corrected within a reasonable timeframe. The entire organization must follow a standard set of policies and standards to achieve these objectives.

An integrated approach to GRC that is communicated to the entire organization ensures that the main strategies, processes, and resources are aligned according to the organization’s risk appetite. A strong compliance program with the sponsorship of a senior leadership team is better suited to align its internal and external compliance requirements, leading to increased efficiency and effectiveness.

In the next section, we’ll learn about the relationship between these concepts.

Simplified relationship between GRC components

I would not blame you if you found the preceding concepts tedious and confusing. It took me a good 5 years to make sense of all of them. The following sentence should serve as a summary of the preceding concepts:

Governance is guidance from stakeholders (board of directors or senior leadership) to put the processes and practices in place to optimize (not reduce) the risk and comply with external and internal compliance obligations.

The following figure shows a simplified view of GRC. Note that the activities listed under each pillar are not exhaustive, and an organization may see overlap between them. Also bear in mind that these activities are not standalone programs: each needs inputs from the other pillars to be implemented successfully:

Figure 1.1 – Relationship between the components of GRC

Now that we know what GRC entails, we’ll learn about the importance of various factors for a successful GRC program in the next section.

Key ingredients of a successful GRC program

A successful GRC program requires collaboration across all layers of the organization. Three major components are a must-have for successful implementation:

  • Sponsorship: A successful GRC implementation should have the sponsorship of a senior leader such as a Chief Information Security Officer (CISO), Chief Risk Officer (CRO), Chief Information Officer (CIO), Chief Financial Officer (CFO), Chief Executive Officer (CEO), or another senior executive. These sponsors have a wider view not only of the organization’s risk but also of industry peers across multiple verticals. Sponsorship from leadership is also important for building a risk-focused culture.
  • Stewardship: The GRC program requires participation from every business unit and function of the organization. Stewards make information sharing across the organization easier, developing a common understanding and making relevant information available to everyone. Because they translate the requirements set by governance into their own areas, stewards are better able to target and address business risks, and are best placed to create business-oriented, process-based workflows that identify risks across functions, analyze them for cascading risks, and treat them accordingly.
  • Monitoring and reporting: It is easy to roll out a GRC program across the organization, but over time it becomes extremely difficult to keep pace with internal and external requirements without continuously monitoring risks and controls through efficient risk indicators. It is important to enable continuous monitoring of risks and controls using automated risk indicators, and to keep stakeholders abreast of risk in business terms through business-focused indicators and reports that are periodically circulated to the appropriate audience with actionable insights.

An important pillar of the monitoring function is to monitor the security controls of critical vendors and perform an ongoing assessment for each department and functional group across the enterprise to provide a holistic real-time view of risk.

In the next section, we’ll learn about how to differentiate between governance and management.

Governance is not management

Those new to the GRC domain often confuse governance with management and think both are the same; however, in the realm of GRC, governance and management serve very different functions.

Governance provides oversight and is highly focused on risk optimization for the stakeholders. Governance always focuses on the following aspects:

  • Is the organization doing the right things?
  • Are these things done in the right way?
  • Is the team getting things done on time and within budget?
  • Are we continuously optimizing the risk and getting benefits?

Once these questions have been answered, the management team focuses on planning, building, executing, and monitoring to ensure that all projects, processes, and activities are aligned with the direction and business objectives set by governance. As management progresses toward these goals, the results are expected to be shared with governance (the board of directors) periodically, and any additional inputs from governance are taken into consideration.