GRC and Cyber Security Must Unite


Lisa Morgan
06/08/2021

Governance, Risk, and Compliance (GRC) are necessary functions within enterprises, but businesses tend to structure and run them differently. For example, in some companies, GRC operates as three separate, siloed functions. Other companies have a single GRC function staffed by GRC specialists, if not GRC-certified professionals.

Even when GRC operates as a combined organization, cyber security, another risk function, tends to operate separately. One reason is that GRC functions are viewed as business functions while cyber security is viewed as more of an IT (technology-oriented) function. However, as any cyber security incident demonstrates, the fallout from a risk event tends to impact more than one function simultaneously.

Governance

Governance is often thought of as synonymous with data governance, but corporate governance has a higher-level responsibility. Corporate governance balances the interests of various stakeholders and helps the company realize its strategic objectives through frameworks, rules, practices, processes and performance measurement, among other things.

In a data-centric context, governance helps ensure that only authorized parties have access to the data they wish to use. Data governance rules eclipse compliance because the use of data is also governed by laws and regulations.

Risk

Traditional risk functions have focused on financial risks. Typically, this function has worked closely with, if not reported to, the CFO. Financial risks take several forms, including vendor risks, business continuity risks, and indemnification (insurance).

Traditional risk management can sometimes be at odds with other groups, particularly when it's viewed as an obstacle to innovation. It's therefore important to determine what an organization's risk appetite is and to innovate within the scope of it. For example, Amazon has had some spectacular successes and failures because it was willing to take on significant risks to its bottom line, stock price and reputation.

Compliance

Compliance focuses on legal and regulatory compliance. This function must understand which outside rules the organization must adhere to and translate those rules into practices and processes that ensure compliance.

Compliance is subject to audits, both internally and by third parties, which may be consulting firms verifying whether their clients' companies are compliant. Alternatively, a regulatory auditor may be doing the same. The various audits tend not to be mutually exclusive undertakings, since the last thing a company wants is for a government auditor to discover a problem. If that happens, the company will likely be subject to regulatory fines and, if it's a public company, it will have to disclose the issue to shareholders. If the violation has also harmed customers (e.g., PII misuse), lawsuits could also result.

Today, compliance, like governance, has become strongly associated with data given the EU's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). However, the compliance function is broader than data alone.

Enterprise Risk Management

Enterprise risk management (ERM) combines GRC and cyber security. In fact, there are now ERM tools that help facilitate collaboration among the various risk functions. The tools also provide visibility across functions. From a people standpoint, there may be an enterprise risk team or committee made up of governance, risk, compliance and cyber security professionals.

Enterprise risk management is growing because the scope of any risk tends not to remain limited to a particular risk function. For example, a supply chain issue could have both financial and cyber security ramifications.

Digital transformation is also igniting interest in enterprise risk management because digital companies operate at a much faster speed than their analog counterparts, which means that risks need to be managed more proactively and in real time.

Enterprise risk management also helps normalize the traditionally disparate approaches to quantifying risks. In a traditional setting, the various risk functions operate separately, so there's no reason to share data. Each may use a different scale for measuring risks. They may also have different workflows and mechanisms in place for risk acceptance and mitigation. The result is that similar risks may be modeled and scored differently. And because the various risk functions aren't sharing information with each other, there's no common data model.

Enterprise risk management helps remove the traditional friction created by siloed functions so the organization can manage risks more effectively. Point-in-time assessments are replaced by data-powered systems that are helping to identify and mitigate risks faster and more effectively.

However, realizing enterprise risk management isn't just about tooling. It requires a change management process that includes the various stakeholders like any other transformation process.
