Governance, risk and compliance (GRC) are three words that every IT, security or business decision maker should be familiar with. If not, you are putting your organization at risk.
But to implement a GRC strategy, you first have to understand what GRC is. Chris Gray, Optiv’s VP of Enterprise Risk and Compliance, breaks down each piece this way:
- Governance: What and how well an organization does what it does and why.
- Risk: Understanding where critical data, processes and operations are housed, along with an understanding of the organization’s appetite for loss.
- Compliance: Controls an organization implements to achieve compliance mandates.
“Risk is arguably the most important piece of GRC because it sets the framework for how a company should tackle governance and compliance, including the controls they put in place as well as how they’re governed,” Gray stated. “Risk management also happens to be one of the biggest obstacles for organizations today because it requires them to know where business-critical assets are and what the risk profile is for each. In a world where organizations are battling complex infrastructures and endless data sources, this is a tough thing to master.”
Security frameworks today tell organizations what to do, Gray added, but we are past the days when security was a “one-size-fits-all” solution, if that was ever possible. Today’s security framework has to be unique to each organization, based on its industry, its data and its overall needs. “This is why risk management is so important,” Gray stated. “Companies must implement security and GRC strategies based on their risk profile and what is best for their own business.”
Balance of Parts Won’t Be Equal
The three areas that make up GRC are not equal, or at least they won’t balance equally when developing a GRC framework, according to Thomas M. Farrell, Esq., who regularly deals with GRC issues through his firm, TMF Law Offices.
“Governance requirements and solutions exist independently of risk and compliance, and crop up both in smaller companies and in large ones,” Farrell explained. “Risk and compliance are more frequently inter-related, especially in the digital world, but risk-mitigation tactics (and programs) have an inherent value even when compliance matters are not involved.”
Risk analysis frequently implicates compliance, Farrell added. For example, environmental, health and safety audits may reveal OSHA compliance issues; however, sometimes the risk analysis is strictly an insurance or financial matter, but not compliance. Again, the balance is unique to each company.
The GRC Framework
So how do you determine what will fit into your GRC framework? Farrell breaks it down:
First, assume that there are governance matters requiring attention within your organization. This will include items such as up-to-date bylaws, a good conflicts policy, a board of directors and leadership that is kept informed in a pro-active manner, and the like. “Almost nobody does all of these things so it is safe to assume that something needs attention,” said Farrell. And if it’s not obvious what governance should cover, ask your company’s counsel.
Second, risk management starts with your insurance company. Your carrier should send an auditor or inspector of some kind to do a risk analysis and provide a list of suggestions to fix any problem areas. “If more work is needed, trade associations can be helpful,” Farrell stated. Perhaps the most crucial step in risk mitigation is risk identification. Regular audits are necessary to see where vulnerabilities lie and what actions are necessary to mitigate them.
Third, compliance issues will arise from the two analyses just described, but also from the alphabet of regulatory schemes: SEC, OSHA, NLRA, PCI, HIPAA, etc., depending on your industry. Farrell recommends that both counsel and the insurance carrier should assist the enterprise meet compliance requirements.
Finally, the framework has to address the coming General Data Protection Regulation (GDPR). GDPR is a European Union standard for collecting, storing, transferring and deleting personal data and is a core component to any GRC developed today.
Do You Need GRC?
Every company should implement a GRC plan, said Gray, but how granular, comprehensive and complete each pillar of the plan needs to be is dependent on the specific business.
“Security teams and business executives must work together on GRC frameworks. Security professionals must understand business goals and processes, so they can create security and GRC programs that align with them. On the flip side, executives should understand the value in security, so they can help enforce important programs and processes.”
And because GRC programs should be aligned with business goals, it’s important for security teams to understand that they are fluid in nature – as the business changes, so should GRC strategies.
Ignoring the consequences of non-compliance can be devastating for an organization, especially in highly regulated industries like life sciences, health care and financial services, according to Ajay Khanna, data management and compliance expert, and VP of Marketing at Reltio.
“The cost is not only hundreds of millions of dollars in penalties, but also a tarnished corporate image,” Khanna said. “Today, consumers pay attention to an organization’s values and ethics. Any blemish in compliance records can have an impact on bottom line. A proper data management strategy, along with technology for necessary risk identification using advanced analytics, is crucial in making sure organizations are compliant with current regulations and can quickly implement any future requirements.”
Overall, what the enterprise needs to know about GRC is that the framework you should have is the one that fits best with your culture and objectives, Dallas N. Bishoff, director of security services with PCM, Inc., explained.
“What does the organization want to get out of GRC?” Bishoff recommended asking yourself this question. “Governance is effectively how you are going to set your objectives, and translate that into actionable, tactical action plans. Risk management is all about identifying what might go wrong, and determining how the risk is going to be managed. And when compliance management applies, effectively someone else, generally a regulatory body, has determined what you are going to do.”
Successful GRC programs require significant business involvement to help identify, prioritize and mitigate risks, Scott Goolik, VP of Compliance & Security for Symmetry Corp. concluded. It’s up to IT to provide the infrastructure and help automate the processes, but it’s up to business decision makers to ensure how to best address risks and controls.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba
