According to OCEG (originally the Open Compliance and Ethics Group), GRC is the integrated set of capabilities that enables an organization to confidently achieve its goals, manage uncertainty, and act with integrity.
By definition, GRC encompasses the work of departments such as internal audit, compliance, risk, legal, finance, IT and human resources, as well as the business units, senior management and the board of directors itself. Risk assessment has always existed, as have corporate governance and the pursuit of compliance. What is relatively new is the approach of bringing all these aspects together with IT support, interlocking them, and automating them as far as possible on the basis of standardization.
This type of business strategy requires a top-down governance approach, led by senior management, that empowers and also encourages all employees to identify and report potential risks or vulnerabilities. Features of a functional governance model include:
Collaboration among all members of the leadership team to underline the need for a GRC initiative.
Risk awareness and allocation of resources to mitigate those risks.
An information security executive who can act as a control authority for other departments such as IT, risk management and compliance.
A culture that rewards, not punishes, behavior to protect data and information.
Risk management encompasses the tactical, day-to-day, practical processes for mitigating risks and vulnerabilities. The aim is to identify and respond to risks and weaknesses at an early stage. Prioritization is a very important aspect, because it ensures that the greatest risks are addressed adequately and first. Risk management also uses predefined action plans and workflows to standardize and automate risk remediation.
While governance represents the strategic level, compliance is about adhering to specific regulations, be they industry standards such as PCI DSS (the data security standard for the payment card industry) or legal rules such as the GDPR. This also includes internal company standards. The first step here is to define the governance frameworks that make the most sense for the company based on its governance strategy. Also required is an OCM (Organizational Change Management) framework that supports, and also documents, the structural or operational adjustments made on the basis of these frameworks.
Even though comprehensive IT support is a necessary precondition for GRC, it is important to look at the organizational and technical levels separately. GRC is not only an issue for KRITIS operators (critical infrastructure in the German regulatory sense) or listed companies; because of compliance obligations alone, it concerns almost any organization. However, in many organizations the existing control and management systems are not sufficiently automated and integrated to realize their full potential. In the context of GRC initiatives, it therefore seems advisable to modernize, merge and streamline such systems with appropriate IT support. At the same time, the level of GRC maturity differs significantly from company to company, so it is especially important to base GRC initiatives on the individual situation.
Manual GRC processes based on spreadsheets can still be found in many companies. An attempt to implement a fully integrated and automated GRC with integrated risk management (IRM) in one fell swoop will fail because the organizational prerequisites are missing. A staged approach is recommended instead, in which organizational changes and the technical innovations that support them are introduced in step with each other.
The first step is therefore a precisely defined use case, involving only the departments that deal directly with compliance and risk management. In this way, a real-world test environment can be created in which the first automation steps are included, for example by integrating the existing Excel sheets into a SharePoint solution. In such a solution, workflows can already be defined and centrally managed policies can be integrated. A solution of this kind, usually implemented bottom-up, can be found in most companies today; many have yet to take the next step.
Ideally, the next step consists of a top-down approach in which one or two further use cases are integrated and the user group is expanded to include the owners of processes and risks. Both the new use cases and the new users can then benefit from the experiences of the first phase and reflect the resulting organizational changes. In such a GRC environment there is usually no continuous monitoring yet; however, this is the right time to provide management with the first visibility tools, for example in the form of dashboards. They are clearly structured, increase transparency and make the added value visible.
The integration of processes across functions is central to the third phase, in which further use cases are also integrated if necessary. This supports the basic idea of close collaboration between all functions and levels, which is so important for GRC initiatives. Administrative effort can also be significantly reduced by increasing automation, even across functional boundaries. Ideally, this phase also includes the transition to real-time monitoring of performance and risk scores.
The final step is the optimization and extension of the GRC framework to the entire company. Continuous risk assessment now works across all platforms and enables a risk-based approach to business management.
When implementing GRC initiatives, it is essential for internal and external consultants to first analyze the current situation, for example using this phase model, and to define focus topics, goals and priorities in order to achieve more efficient GRC processes step by step. Innovations that deliver the greatest effect for the least effort should have the highest priority; among other things, they help to convince the various stakeholders at an early stage and to get them involved.
IT security is of particular importance to any GRC initiative, since there are significant overlaps with risk management and compliance. On the one hand, GRC benefits from improved security systems; on the other hand, the introduction of clear processes in all areas of GRC itself also contributes to improved security systems.
The close connection between GRC and IT security becomes very apparent when it comes to compliance. In many cases, minimum IT security standards are required by law, and the security teams must support these standards. Today this is only possible through close interaction, because a purely technical implementation of requirements, without integrating security into the entire GRC process, will not lead to the desired result.
Risk management is also closely intertwined with IT security, as IT vulnerabilities and security gaps pose major risks to the entire business today. Each IT risk can also be assigned relatively clearly to one or more business risks, be it reputational damage, fines, data loss, or the failure of important IT systems and the associated loss of productivity. Integrating IT risk management into comprehensive GRC initiatives is therefore an absolute necessity.
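The two risk-management ideas above, prioritizing IT risks so the greatest ones are handled first (with predefined action plans) and mapping each IT risk to the business risks it feeds, can be made concrete in a small risk register. The following is an added example and not code from the article or from any GRC product; the 1 to 5 ordinal scales, the sample risk entries, the business-risk categories and the action plans are all constructed for illustration, and real programs define their own.

```python
"""Minimal risk register: scoring, prioritization, IT-to-business risk mapping,
predefined action plans and re-assessment after remediation.

Added example; all scales, entries and action plans below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, replace

# Constructed 1..5 ordinal scales (assumption: a simple likelihood x impact model).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Predefined action plans per risk category (constructed placeholders).
ACTION_PLANS = {
    "vulnerability": "Patch within SLA; verify closure with a follow-up scan",
    "access": "Review privileged roles; enforce MFA; re-certify access",
    "availability": "Test backup restore; update the continuity plan",
}
DEFAULT_PLAN = "Assess, assign an owner and define a plan"


@dataclass(frozen=True)
class ITRisk:
    id: str
    title: str
    category: str
    likelihood: str
    impact: str
    business_risks: tuple  # business risks this IT risk contributes to

    def score(self) -> int:
        """Risk score = likelihood x impact on the ordinal scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritize(risks):
    """Highest score first; ties broken by id so the order is deterministic."""
    return sorted(risks, key=lambda r: (-r.score(), r.id))


def business_exposure(risks):
    """Sum IT risk scores per business risk (the IT-to-business mapping)."""
    totals = defaultdict(int)
    for r in risks:
        for b in r.business_risks:
            totals[b] += r.score()
    return dict(totals)


def remediation_plan(risks, threshold=12):
    """Pair every risk at or above the threshold with its predefined action plan."""
    return [(r.id, ACTION_PLANS.get(r.category, DEFAULT_PLAN))
            for r in prioritize(risks) if r.score() >= threshold]


def reassess(risks, new_likelihoods):
    """Continuous assessment: return a new register with updated likelihoods
    (e.g. after a control was implemented); unknown ids are left unchanged."""
    return [replace(r, likelihood=new_likelihoods.get(r.id, r.likelihood)) for r in risks]


# Constructed sample register.
SAMPLE_REGISTER = [
    ITRisk("R1", "Unpatched internet-facing web server", "vulnerability",
           "likely", "major", ("data_loss", "fines", "reputation")),
    ITRisk("R2", "Shared admin account in the ERP system", "access",
           "possible", "severe", ("fraud", "fines")),
    ITRisk("R3", "Backups of the file server never restore-tested", "availability",
           "unlikely", "major", ("productivity_loss",)),
    ITRisk("R4", "Outdated printer firmware", "vulnerability",
           "possible", "minor", ("reputation",)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.id} score={r.score():2d} {r.title}")
    print("exposure per business risk:", business_exposure(SAMPLE_REGISTER))
    print("remediation plan:", remediation_plan(SAMPLE_REGISTER))
    # After patching R1 its likelihood drops and it leaves the plan.
    print("after re-assessment:", remediation_plan(reassess(SAMPLE_REGISTER, {"R1": "unlikely"})))
```

The exposure view is what a management dashboard in the second phase would show: the same IT risk counts towards every business risk it feeds, so "fines" accumulates the scores of both R1 and R2 and becomes the largest aggregate even though no single entry is labelled that way. The threshold in remediation_plan is the point at which a predefined workflow is triggered automatically; everything below it still stays in the register for the next assessment cycle.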
It is clear that a comprehensive GRC framework cannot do without tool support. There is not one complete GRC system, but a large number of GRC tools for individual applications, such as:
GRC tools integrate compliance with normal business processes such as emergency access control, periodic risk assessment, role management, and user provisioning. GRC tools reduce the risk of malicious activity or fraud and streamline routine audit and compliance processes in core software such as enterprise resource planning (ERP) systems.
Typically, GRC tools standardize and coordinate controls and policies. They provide a common user interface and a common repository for data collected from questionnaires, documents and other IT and security compliance systems, as well as for information covering both internal and legal requirements.
Since a fully integrated solution is the ultimate goal of every GRC initiative, the different tools should not be used separately, which would only recreate the silos, but should build on a common platform that supports all of them and ensures central management and unified policies. In this way, tool support provides an integrated management system for GRC, enabling GRC to fulfill its role as a control and management system for the entire company. (adv)