Anil R Talks on Governance, Risk and Compliance
Governance, Risk and Compliance (GRC) brings together the management of overall governing strategies, risk mitigation, and compliance processes. GRC is the integrated collection of capabilities that enable an organization to reliably achieve its objectives, address uncertainty and act with integrity. As an acronym, GRC denotes GOVERNANCE, RISK and COMPLIANCE, but the full story of GRC is much more than these three words.
For a successful and effective GRC implementation, the organization needs a single GRC program framework that at minimum includes:
1. A centralized repository of approved policies, procedures, standards and guidelines, with version control, a data classification scheme (Public/Private/Confidential/Operational) and a named owner for each policy.
2. Combined data from multiple departments, including the business, HR, IT security, compliance and audit.
3. A list of all regulatory, contractual and other compliance requirements.
4. Risk analysis, risk assessments, a risk register, a loss and incident database, and defined risk tolerance and treatment.
5. Requirement management, control testing, findings and exceptions, and evidence management.
6. Relevant reports presented to the board and senior management.
7. Formal information security awareness training and internal promotion to move the organization's culture towards compliance.
8. A top-down governance approach.
Effective GRC implementation challenges:
Because each organization is unique, there is no single approach to implementing an effective GRC framework. There are, however, several common challenges businesses face when developing and implementing an effective GRC strategy.
1. IT governance, risk management discipline, information security policy and legal compliance requirements all place a burden on companies to ensure their governance, risk and compliance (GRC) policies protect customers, staff and stakeholders.
2. Reducing risk on a low budget is becoming a key challenge for businesses, especially while the number of cyber-attacks keeps rising.
3. Small businesses and government organizations face the same threats as large corporations, and have the same duty of care to achieve compliance. Unfortunately, many businesses, both big and small, do not have sufficient technology automation or processes to prevent attacks.
4. GRC systems and software are often seen as too expensive and not relevant enough, especially for smaller organizations.
5. No single vision, no compliance culture: the inherent culture within the majority of organizations is one of silos, where each function or business unit has its own information, its own processes and its own set of compliance regulations to meet. This makes developing an effective GRC framework difficult, as there is no single approach to GRC embedded in the culture of the organization. Every business unit has its own objectives within the main organizational strategy, yet everyone needs to achieve the same overall objective. Because the processes used to get there differ across business units, the result can be a mismatch at different levels regarding the overarching business objectives.
6. No top-down governance culture:
Governance culture needs to come from the highest level and then filter down through the organization if it is to have any chance of being successful. The simple truth is that if the highest-level executives do not take compliance and risk management seriously, nobody else will. Communication is vital to achieving buy-in throughout the organization, and once again this communication needs to come from the top and be delivered to all stakeholders, both internal and external.
Changing the mindset of people cannot happen overnight. It is an ongoing process that involves developing a roadmap and appropriate processes; having the right technology; educating and training people; and having the board of directors set an example that the rest of the organization follows.
Automating GRC systems is an effective way to implement a robust information security management system on a low budget. Senior management and those legally responsible for the organization can spend more time leading growth instead of worrying about compliance and data security. Everyone benefits from automated compliance, but there are challenges.
IT security systems will not automate themselves. Before writing a new IT security policy or buying new software, analyse the people and the current processes: how does staff currently manage and treat sensitive data (e.g. customer, financial and company-sensitive data)? How many vulnerabilities exist in the current processes and systems, and how could they be exploited? What data protection procedures and internal controls are already in place?
Implementing an automated GRC system means following at least these steps:
1. Define what matters. Does this mean protecting data? Complying with regulatory requirements? Keeping insurance costs low, or reducing the amount of time spent on admin work?
2. Identify risks: perform a risk assessment and find the vulnerabilities in current processes and systems.
3. Design a plan. Put together a plan that brings together the people who interact with security at different levels (e.g. lines of business, HR, finance, physical security, legal, business continuity, IT and of course information security), so that it covers every aspect of the business.
4. Start small, focusing on key processes. Creating a GRC roadmap is not easy and it does take time. Essential starting processes include: a policy framework; a controls framework (start with an industry standard such as ISO 27001 or NIST SP 800-53); risk management; exceptions management; asset management.
5. Continuous monitoring, review and improvement: GRC automation should be a proactive approach rather than a reactive one. Constant monitoring and review is a lower price to pay than fines, a damaged reputation and lost customers.
6. Involve everyone who influences or is involved with data security, including front-line staff.
One thing is certain: we can never ignore risk and compliance. Government regulators will continue to force through tighter regulation. Clients, customers and stakeholders are requiring stronger controls within their relationships. The globalization of business introduces significant risk, with more points of vulnerability and exposure for the organization.
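To make the automation steps above concrete, here is an added example (not code from the original post) of the smallest useful loop a GRC tool runs: a control catalogue mapped to external requirements, automated control tests over an asset inventory, findings that respect approved exceptions with an expiry date, and a per-requirement status that can be reported upwards. The control identifiers, requirement mappings, assets and exceptions are all constructed for illustration; a real program would load them from the policy repository and asset register.

```python
"""Added example: automated control testing with exceptions and requirement reporting."""
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    data_class: str          # Public / Private / Confidential / Operational
    mfa_enabled: bool
    days_since_patch: int
    encrypted_at_rest: bool


@dataclass(frozen=True)
class ControlException:      # documented, approved deviation from a control
    control_id: str
    asset: str
    approver: str
    expires: date


@dataclass(frozen=True)
class Finding:
    control_id: str
    asset: str
    status: str              # "open", or "accepted" when a valid exception covers it
    evidence: str            # what the evidence store would keep for the auditor


# Hypothetical control catalogue: control id -> (requirements it satisfies, automated test).
# The requirement identifiers are illustrative mappings, not an authoritative crosswalk.
CONTROLS: dict[str, tuple[list[str], Callable[[Asset], bool]]] = {
    "MFA-CONF": (["ISO27001-A.9.4", "NIST-IA-2"],
                 lambda a: a.data_class != "Confidential" or a.mfa_enabled),
    "PATCH-30": (["ISO27001-A.12.6", "NIST-SI-2"],
                 lambda a: a.days_since_patch <= 30),
    "ENC-REST": (["ISO27001-A.10.1", "NIST-SC-28"],
                 lambda a: a.data_class == "Public" or a.encrypted_at_rest),
}


def run_control_tests(assets, exceptions, today):
    """Test every control against every asset and return the findings.

    A failed test covered by an unexpired, approved exception is recorded as
    "accepted"; an expired exception does not hide the failure, so it reopens.
    """
    valid = {(e.control_id, e.asset) for e in exceptions if e.expires >= today}
    findings = []
    for asset in assets:
        for cid, (_, test) in CONTROLS.items():
            if test(asset):
                continue
            status = "accepted" if (cid, asset.name) in valid else "open"
            evidence = f"{today.isoformat()} {cid} failed on {asset.name} (owner: {asset.owner})"
            findings.append(Finding(cid, asset.name, status, evidence))
    return findings


def requirement_status(findings):
    """Roll open findings up to the external requirements each control supports."""
    failing = {f.control_id for f in findings if f.status == "open"}
    status = {}
    for cid, (requirements, _) in CONTROLS.items():
        for req in requirements:
            if cid in failing:
                status[req] = "non-compliant"
            elif req not in status:
                status[req] = "compliant"
    return status


# Constructed sample inventory and exception register.
TODAY = date(2024, 6, 1)
ASSETS = [
    Asset("crm-db", "sales", "Confidential", True, 12, True),
    Asset("hr-portal", "hr", "Confidential", False, 45, True),
    Asset("public-web", "marketing", "Public", False, 3, False),
]
EXCEPTIONS = [
    ControlException("MFA-CONF", "hr-portal", "ciso", date(2024, 12, 31)),  # still valid
    ControlException("PATCH-30", "hr-portal", "ciso", date(2024, 3, 31)),   # expired
]

if __name__ == "__main__":
    results = run_control_tests(ASSETS, EXCEPTIONS, TODAY)
    for f in results:
        print(f.status.upper(), f.evidence)
    for req, state in sorted(requirement_status(results).items()):
        print(req, state)
```

Running it shows the two behaviours a practitioner cares about: the MFA gap on hr-portal is reported as accepted because an approved exception is still in force, while the patching gap reopens because its exception expired, which is what pushes NIST SI-2 and ISO 27001 A.12.6 to non-compliant in the board-level view.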