Recently, NAVEX hosted the webinar, “Risk and Process Management Framework: Lessons Learned in Getting Started,” featuring Cody Scott from Forrester. This session delved into how to break down silos between the cybersecurity and compliance function to better enable CISOs to integrate their efforts, data, and risk management capabilities with the broader governance, risk and compliance (GRC) program. The highly attended session solicited many questions from the audience, and in this article, Cody Scott answers the top three questions received about the convergence of cybersecurity and GRC.
What are the benefits of a GRC risk program?
Organizations implement GRC programs primarily to:
- Increase risk visibility across the enterprise. Risk pros contend with internal organizational silos and risk silos daily. As organizations seek to manage risk and compliance across different domains, they adapt their own relative assessment methods, making it difficult to normalize and contextualize these risks in aggregate. A critical financial risk in one business area becomes difficult to weigh against a critical IT risk in another. GRC platforms are a foundational tool for providing a “single source of truth” when it comes to tracking risk. This begins the process of overcoming organizational and risk silos internally.
- Transform GRC activities into a value-add program. Historically, GRC programs prioritized the “C” – compliance – which became conflated with another “C” – cost. Managing compliance, without managing risk, becomes a “check the box” (read: expensive) activity. But a value-driven GRC program is not a cost center; rather, it helps the firm avoid unnecessary costs and protects the value of the firm’s investments. Compliance becomes the byproduct of effective risk management when compliance objectives are met in a cost-effective manner.
- Improve decision-making with centralized data. GRC programs stagnate without frontline engagement. The program is only as effective as its data is current. GRC platforms solve this problem through streamlined user experience to ensure data is current and relevant for the decisions at hand. Through workflow and application integration, they also automate data gathering to source real-time data. With centralized data, GRC programs identify the complex interconnections among risk, compliance, and controls in their organizations, enabling them to be forward looking.
What common challenges should organizations be aware of when starting a risk program?
Teams face common challenges when starting out. Here are three major pitfalls to avoid:
- All tool, no process. Onboarding GRC tech is relatively easy. Building the internal program, processes, workflows, engagement, training, and skillsets is more complex. Deploying a tool is a critical step, but not the final step. Yet so many organizations stop at the technology layer. Don’t lose sight of the overall program requirements or your GRC program is doomed to fail. Pull a page from the program manager’s handbook and build a plan that addresses the multi-year needs for budget, staffing, stakeholder requirements, and organizational objectives. Planning for sustainable program growth is a crucial step to building your GRC program maturity year over year.
- Operating in a vacuum. Organizational (and risk) silos scale when GRC programs develop without central coordination. This is especially important for IT/security teams who are deploying GRC for specific IT management use cases but may not be factoring in the overall business impact. Start the conversations early with other parts of the business who rely on IT to achieve their objectives (i.e., Legal, HR, Finance). You’ll likely find gaps in your program today that can be added to the roadmap to strengthen the program in the long run, while bringing others in the fold.
- Only focusing on compliance (but calling it risk management). This is unfortunately true for many GRC programs. And it directly correlates with a GRC program’s maturity level – indicating whether the organization is compliance-led vs. risk-led. A compliance-led organization is fundamentally reactive, focusing on the immediate needs that all businesses have, but put less emphasis on proactive management via a risk-led approach. If your GRC program is only focusing on tracking compliance requirements or reporting on control assessments – you’re compliance led. To become risk led, develop an active strategy for risk assessment that incorporates compliance and control objectives within the risk assessment parameters.
What are the key steps to launching a successful GRC program ?
Teams can take a four-step approach to building a successful GRC program.
- Plan the program. Approaching a GRC program is no different than any other kind of program. Start with planning. Define the scope of the program. Setting the scope gives you a clear direction, establishes responsibilities, and creates alignment with strategic objectives. It’s also important to select your risk management framework, leveraging industry standards and aligning the process with the rest of the organization. Lastly, align your security controls with their risk management objectives. An effective GRC program ties control compliance data with the risk assessment process to understand relative likelihood and impact of a risk event.
- Connect technology and process. Integrating security telemetry from your security technology stack is vital to automating data and insights. Consider which tools contain relevant risk and compliance data in your environment, prioritize integrating their applicable feeds into your GRC platform, and define the applicable workflows where that data can augment your risk and compliance data. As you define these workflows, consider your risk assessment approach, and where data can be used to refine the overall workflow to reduce manual inputs and overhead.
- Build your support system. Tools alone won’t create a risk culture. Instead, create a community of practice. Formalize a group of risk owners based on how your organization operates and meet regularly to share information in the tool. This provides an opportunity to build a stronger GRC culture while also fostering open communication with key stakeholders. Use this feedback to further refine process workflows, formalize policies, and build the support structure for your GRC program to thrive.
- Continually improve. “What gets measured gets managed” – in other words, measure the performance of your GRC program. GRC teams are challenged to do more with less while still showing positive ROI. As you build out the program plan and consider the strategic objectives of your GRC program, document key performance indicators that help show value for the program. Benchmark program performance and report outcomes to leadership often.
To gain insights from the whole session, watch the webinar on-demand:
