What is GRC?

The term “GRC” (Governance, Risk, Compliance) originates from the Open Compliance & Ethics Group (OCEG) and is defined as “the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity.” But what does that mean? 

GRC encompasses any system, process, action, or activity within an organization that aims to support (not burden) the company in reaching its performance goals. This includes internal audits, meeting industry compliance requirements, managing risks, the legal & financial functions, your IT & HR departments, and more.

The exact definition of GRC varies by industry & location; however, we are going to simplify it down to the basics that cover any business that manages any form of data, & the steps that are taken to prevent & mitigate harmful events. Let’s dive into Governance, Risk, & Compliance to discuss what each aspect means & how it affects an organization.


Governance

Governance is the act of ensuring that organizational activities are aligned in a way that supports the organization’s business goals. 

  1. How is the organization’s security going to be monitored?
  2. How does the organization know that things are working?
  3. Are there new requirements? Is there mandatory reporting?
  4. Are there external industry, government, or regulatory standards to consider?
  5. Are the systems & processes improving the security standards over time?

From monitoring internal audits to the systems being used to store data, governance is the plan you put in place for who does what throughout the day & the processes for reporting on those activities.

Risk

Risk management is making sure that risks & opportunities within the business are identified and addressed in a way that supports the goals of the organization.

  1. What types of risks does the organization face while protecting Personally Identifiable Information (PII), Intellectual Property (IP), or financial information?
  2. How do you make risk management effective?
  3. Who would be interested in, or could use, the information if it is stolen, whether by internal or external actors and whether unintentionally or maliciously?
  4. Do you have a COOP (Continuity of Operations Plan) in place?

In reality, businesses & government entities need to be monitoring & actively working to reduce the risk of malicious attacks on their assets. Risk in terms of GRC is about knowing where potential cyber attacks may happen, who may be involved in the attack, and how much the company stands to lose (capital, information, downtime).

Compliance

Compliance is making sure that business activities are operated in a way that meets the laws & regulations governing those systems.

  1. Are there specific industry, government, or regulatory requirements that dictate or recommend criteria that your organization’s security controls must meet?
  2. Do employees need to be vetted prior to handling certain forms of data?
  3. Is a certain level of Cyber Insurance required for the business in case of a breach?

While these standards are typically backed by local, state, & federal laws, some industries also have “best practices” that the company is highly recommended to follow. An example of legally required compliance is the Health Insurance Portability and Accountability Act (HIPAA), under which medical data is required to be managed at a higher standard of privacy and protection. Other industry-specific standards include the handling of financial investment data or mortgage information.

Figure: Continuous auditing of a GRC strategy (governance, risk management, and compliance).

How does GRC work? Who employs GRC?

GRC is a constant process for businesses: analyzing the various risks, compliance standards, and processes to make consistent improvements that align the IT strategy with the business goals and objectives. GRC is a top-down approach and requires high-level sponsorship from C-suite members. It is up to every staff member to take part in the development & ongoing support of the security strategy. Developing healthy communication channels throughout the organization increases the effectiveness of a GRC program.

Typically, a company will begin developing a GRC strategy after its first incident, but that often proves to be too late. Every business should begin to develop its strategy (or at least a framework) as soon as the business starts, and more specifically, as soon as it starts to manage any data. Ensuring trust in the data is the most important goal of the governance program. By establishing a well-written & thorough plan, businesses are already taking the first steps in reducing their risks & meeting any compliance & professional standards.

Sure, companies can utilize software programs to assist in developing the strategy & streamline GRC operations, but that is only a portion of actively managing the strategy. It is up to the board of directors (BOD) and C-suite members to manage the governance program through its entire lifecycle.

  1. Define – By setting organizational policies for operations, technologies, and configurations, businesses can more easily manage the internal & external factors that can cause malicious events.
  2. Improve – The company is responsible for continuously working towards the ideal state of ongoing risk reduction. The organization can do so by improving its systems & software over time while also conducting Security Awareness Training during the employee onboarding process.
  3. Sustain – Ensuring the security posture doesn’t degrade over time is the final step in developing a GRC strategy. The organization can reach sustainability by instituting an ongoing auditing & monitoring process to ensure compliance with company standards & by offering ongoing cyber security training for employees.

GRC is ultimately a set of guidelines & compliance standards that a company implements in conjunction with every other aspect of the business. As you develop more software, hire new employees, & increase the amount of data that you manage, the company’s leadership team should consider the security protocols & risk reduction strategies outlined in your GRC strategy. These activities work alongside normal business activities to grow the company while also keeping it protected from unintentional & deliberate malicious events.

Do’s & Don’ts of a Successful GRC Implementation

When developing a GRC strategy, there are many basic principles to follow for the effort to succeed in protecting your data. While every department needs to be included in your GRC strategy, it is very important not to approach each department in isolation. By “siloing” your strategy, you’re actually hindering your risk reduction strategy & increasing the cost of maintaining security. Another way of looking at this is that your company is an ecosystem, & focusing on the individual components makes it difficult to see how the system is functioning as a whole. Unless you consider the entire ecosystem, it is likely that you’re choosing counter-productive objectives and sub-optimal strategies, and that performance isn’t optimized.

To build a successful GRC strategy, it takes more than developing the frameworks, guidelines, & software you’re using. A successful GRC strategy requires real cultural change from the C-suite execs down to the temp employees. It requires ongoing risk monitoring, regular auditing of data, & continuous Security Awareness Training for all of the employees. While there are help desk & other GRC tools to help create and coordinate policies and controls, these software tools can only automate the processes to increase efficiency & reduce complexity. Utilizing these tools can make it easier to prioritize the action items for reducing risk & categorize them between 1) easiest-to-implement mitigations & 2) highest business impact & most exposed systems. Implementing a basic Security Awareness Training program is something that all businesses can do today to help reduce their risk of security breaches, while establishing advanced security protocols to protect HIPAA data may take more time to develop. To help businesses get started in determining which practices they should address sooner rather than later, Microsoft has provided some valuable insights in Module 4a of the Microsoft CISO Workshop.

Our 5 Step Checklist for starting your GRC Strategy

While it will take more than 5 simple steps to create & maintain a successful GRC strategy, we wanted to provide them to help you get started in thinking through the process.

  1. Develop roles and responsibilities for the GRC program
  2. Define metrics to measure the GRC program
  3. Set a strategy covering objectives, resources, and constraints
  4. Determine the costs of your data – physical costs, insurance plans, costs of unrecoverable data
  5. Write a Disaster Recovery & Business Continuity Plan – what to do when things go wrong

To learn more about implementing a successful GRC Strategy or to schedule a consultation to discuss your organization’s Cyber Security needs, send us a message or give us a call today!
