Governance, risk and compliance (GRC) refers to a strategy for managing an organization’s overall governance, enterprise risk management and compliance with regulations. Think of GRC as a structured approach to aligning IT with business objectives, while effectively managing risk and meeting compliance requirements.
A well-planned GRC strategy comes with lots of benefits: improved decision-making, more optimal IT investments, elimination of silos, and reduced fragmentation among divisions and departments, to name a few.
Here are answers to some common questions related to GRC.
Is it “governance, risk and compliance” or “governance, risk and control”?
According to Joanna Grama, director of cybersecurity and IT GRC programs for EDUCAUSE, the “C” in GRC refers to compliance, but she appreciates why some people equate compliance with control. In the IT environment, GRC has three main components:
Governance: Ensuring that organizational activities, like managing IT operations, are aligned in a way that supports the organization’s business goals.
Risk: Making sure that any risk (or opportunity) associated with organizational activities is identified and addressed in a way that supports the organization’s business goals. In the IT context, this means having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function.
Compliance: Making sure that organizational activities are operated in a way that meets the laws and regulations impacting those systems. In the IT context, this means making sure that IT systems, and the data contained in those systems, are used and secured properly.
Meeting compliance involves IT controls, as well as auditing those controls to ensure they’re working as intended. Organizations also use controls to manage identified risks. The term “GRC” came about in the early 2000s after many highly publicized corporate financial disasters, which resulted in enterprises scrambling to improve their internal control and governance processes (Gartner, 2016).
How does GRC work?
Grama says that organizations develop a GRC framework for the leadership, organization and operation of the organization’s IT areas to ensure that they support and enable the organization’s strategic objectives. The framework specifies clearly defined measurables that shine a light on the effectiveness of an organization’s GRC efforts.
Although there are many good software options available to help streamline GRC operations, GRC is more than a set of software tools.
Many organizations consult a framework for guidance in developing and refining their GRC functions rather than creating one from scratch. Frameworks and standards provide building blocks that organizations can tailor to their environment. According to Grama, COBIT, COSO and ITIL are the big players in many different industries.
What is key to a successful GRC implementation?
The decision-making, resource and portfolio management, risk management, and regulatory compliance functions included in a GRC framework will not be effective unless the organization’s executive leadership supports cultural change.
“Implementing a framework will never be successful unless the organization’s culture evolves to support GRC activities,” says Grama.
Who employs GRC?
GRC can be implemented by any organization – public or private, large or small – that wants to align its IT activities to its business goals, manage risk effectively and stay on top of compliance.
“We are seeing a big push in higher education to implement GRC frameworks,” says Grama, “not necessarily to meet a revenue goal, but to ensure that institutional missions of teaching, research, outreach and student success are met efficiently and effectively.”
What are the top GRC certifications?
Professionals with a GRC certification must juggle stakeholder expectations with business objectives and ensure that organizational objectives are met while also meeting compliance requirements. That’s an incredible amount of responsibility, and it’s necessary in today’s business climate.
All kinds of job roles require or benefit from a GRC certification, including CIO, IT security analyst, security engineer or architect, information assurance program manager and senior IT auditor, among others.
Here are our top picks for GRC certifications:
- Certified in Risk and Information Systems Control (CRISC)
- Certified in the Governance of Enterprise IT (CGEIT)
- Project Management Institute – Risk Management Professional (PMI-RMP)
- ITIL Managing Professional and Strategic Leader
- Certification in Risk Management Assurance (CRMA)
- GRC Professional (GRCP)
Learn more about these certifications and how to choose the right one for you.
What is a GRC tool/solution and what does it do?
An IT GRC solution enables you to create and coordinate policies and controls and map them to regulatory and internal compliance requirements. These solutions, which are usually cloud-based, introduce automation for many processes, which increases efficiency and reduces complexity.
There are many GRC solutions on the market. IBM OpenPages GRC Platform, ServiceNow, CA Clarity, MetricStream and Rsam’s Enterprise GRC are a few examples of highly rated solutions. But they come with hefty price tags, too. More affordably priced (and even free) solutions are available, but they may lack the broad feature sets of higher-priced competitors.
Before looking into any software solution, you need to prepare your environment first. That means assessing your organization’s risk and examining controls. Do you have adequate controls in place? Are existing controls working? Add controls where needed and fix those that aren’t delivering as intended.
You also need to create a GRC framework. Although GRC tends to focus heavily on IT, implementing a strategy involves an entire organization, and requires a hard look at all of the people and processes that will be affected.
Main GRC Mistakes
Governance, risk and compliance (GRC) — the very words cause groans among employees and leadership alike. They conjure thoughts of expansive spreadsheets and endless meetings where acronyms like KRIs and KPIs are bandied about. Quite often, GRC exercises are seen as a waste of time or the purview of the CFO and internal audit.
But this is not the case. With regulatory obligations and penalties for non-compliance increasing, CIOs and IT leadership must push for effective risk management, compliance and governance within their organizations. These efforts involve areas that are separate from IT (for example, legal and finance) but are nonetheless critical for a GRC program’s effectiveness.
[ Learn the 10 old-school IT principles that still rule and the 12 ‘best practices’ IT should avoid at all costs. | Find out what your peers are up to with our report: State of the CIO: IT-business alignment (finally) gets real. | Get the latest insights by signing up for our CIO daily newsletter. ]
The days of separate or non-existent GRC programs are over. IT and business GRC must be incorporated as a whole. To do otherwise adds tremendous risk and needless uncertainty. Between unforgiving regulatory environments at home (HIPAA, PCI, FERPA) and abroad (GDPR), customer data privacy expectations, as-a-service platform risks, cybersecurity threats and the ever-changing global marketplace, an established and effective GRC program is a primary means of not only demonstrating operational due care but also reducing costs, increasing profitability and avoiding running afoul of regulatory regimes across international markets.
“The top two GRC shortcomings I see are organizations not being aligned on their strategy and placing a much stronger focus on compliance versus effective risk management,” says David McKeough, vice president of CrowdStrike.
An organization with the appropriate GRC components in place is one with an overall strategic plan that guides executive decision-making. Projects and initiatives are weighted and evaluated based on business-driven goals, risks are managed and measurable, and compliance burdens are known and communicated.
Following are 10 common pitfalls of organizations that struggle to create effective governance, risk management and compliance strategies.
There is no Organizational maturity
The organisational maturity problem has stifled many GRC programs. When your organization lacks even the basics of program, project, asset or change management, you will not know what assets you have (hardware, software, and data), making it extraordinarily difficult to stand up an effective GRC program.
Does this sound familiar? At the quarterly leadership briefing, you hear about several new acquisitions that require extensive infrastructure and system integration efforts. Oh, and by the way, the money for this is coming directly out of the IT department budget.
Or, more commonly, IT resources lurch from one fire to another, always in a reactive posture. Project work is done on the side as IT leadership scrambles to cover the latest “critical” project that just swept aside yesterday’s must-have initiative.
Data practices are another area where organizational immaturity can rear its head. Yes, you may recognize that data has become one of, if not the most, valuable asset your company has, but if you don’t know where your critical data lies, then how do you secure it?
“When companies have little idea what data they have, do not know where it is and do not know what their knowledge workers do with it, this is a fundamental problem,” says Peter Aiken, founding director and owner of Data Blueprint.
Recommendation: To build organizational maturity the corporate culture must support it. Key executives must support accountability and transparency in their departments. Those stakeholders, managers and staff who do not accept this change must be held accountable to the new reality.
Technology and business silos are common problems too
IT and the business must be aligned for GRC to work effectively. Unfortunately for many organizations, this is not the case, as critical software or infrastructure implementations fall out of the blue, but suddenly have to be done right now. Or planned budgets and resource allocations are completely blown. Or the business never seems to communicate with IT.
When corporate leadership introduces new goals that IT has to implement hastily, there is little room for operational risk discussions between the business, IT and compliance departments.
Recommendation: Establish committees and channels of communication to cover both executive and technology tracks with crossovers to ensure reliability.
Lack of cohesive standards, policies, procedures and guides
Perhaps your critical IP is stored on consumer-grade cloud storage by various employees. Isn’t there a corporate policy that mentions it’s a no-no? You’d be surprised how often there isn’t. Or, the new organization you merged with still has no policies, or old ones, in place. Plus, more often than you might think, users have not been educated on enterprise policies and how it impacts their workflow. Not to mention the fact that policies often exist on multiple file shares and in SharePoint across the enterprise, making them extremely difficult to follow and thus holding people accountable. Any lack of centralization, clarification and accountability when it comes to GRC poses a significant risk.
Recommendation: Policies should be concise, centralized, communicated and easily accessible to all employees. The documents themselves must be simple, concise and readily understood. Enterprise staff needs to be trained on them as well.
No accepted definition of risk within the enterprise
What does risk mean to the enterprise? The definition can be surprisingly hard to nail down. Often, only financial risks or generic risks that have not been evaluated for applicability to the enterprise are reported to the board of directors. And if you have disparate risk scoring methodologies within your organization, that makes it all the more difficult to report risk accurately to the board.
Recommendation: Ensure that all business functions agree on their definition of risk. Also, there should be one risk management program that incorporates all risks (IT and business) reported to the board of directors.
Reliance on silver bullet technology
There are many GRC tools available for the enterprise, from simple spreadsheets to multi-million dollar corporate systems. However, if you don’t have a robust GRC framework in place, no technology can manage risk for you.
Recommendation: Resist the urge to invest in costly tools. Establish and normalize your GRC program first, then ascertain which tools fit your needs. Consider how you can use already implemented tools to meet your needs in your environment.
Regulatory confusion is a headache
Do you genuinely know what regulatory frameworks impact your enterprise? For example, your state and local privacy laws will take primacy over HIPAA guidelines in the event of a data breach if they are more stringent. What about Dodd-Frank? Are you covered by Sarbanes-Oxley, PCI-DSS, HIPAA, GDPR or a host of other regulations? All too often, organizations fail to understand the full regulatory environment in which they operate.
Recommendation: The regulatory process should be co-owned and documented by legal and compliance with clear lines of communication to IT and business.
Lack of ultimate accountability
The buck has to stop somewhere. So who owns the GRC? It starts with tone from the top. Executive leadership must own and support an effective GRC program. From there, GRC accountability cascades to places like application ownership, data ownership and the escalation paths that are required.
Recommendation: For a GRC initiative to flourish, executives must communicate their support. This isn’t a one-time statement. GRC initiatives must be driven continuously from the executive suite with ultimate accountability held at the board level. The CFO’s office is a good starting point.
A portfolio management tool here, a regulatory tool there, spreadsheets, and dashboards, soon you are swamped with conflicting information. Hours can be spent trying to normalize hundreds of GRC data points into one system. Time to simplify.
Recommendation: If your enterprise GRC program is overwhelmed with dashboards and tools, it’s time to simplify. Work closely with your GRC team to select the best tool(s) for the job and then work to reduce the system bloat. Let your business requirements drive your technology investments and get a roadmap done.
Lack of program and project investment management
It’s hard to have a GRC program when projects or programs get spun up without understanding the investment required. What initiative receives the green light? Do you know your maturity across functions?
Recommendation: Board engagement and initiative management are critical for the visibility required to obtain the funding to support your GRC efforts. This allows you to nail down an effective portfolio and investment management strategy.
No viable metrics for success
So how do you know if your GRC program is working as intended? Is it reducing risk, meeting compliance goals and hitting program initiatives? Enter key performance indicators (KPIs), key business questions (KBQs) and key risk indicators (KRIs).
Recommendation: Take the top five or ten business processes (KPIs or KBQs) using the SMART criteria — specific, measurable, attainable, relevant and time-bound. Ensure they are aligned with business value and have the critical decision makers identified. Assign measurable KRIs for these processes. Now monitor and track the quality of data programmatically.