GRC Part 1: Informed Decision Making

Governance, Risk and Compliance can be a challenging area for CIOs and CISOs to navigate. With the board of directors and C-suite as key stakeholders, the ability to deliver results through the complex GRC environment is now more critical than ever.
What has your GRC done for you lately?
Let's look at an example of a typical month for the CIO and CISO. Due to publicity of recent data breaches in the industry, you are scheduled to deliver an Information Security update at the next Audit Committee meeting.
1. The annual IT security risk assessment is complete and the results have been presented. The external risk consultants worked with internal teams to identify risks and weaknesses. You have captured the high points for the Audit Committee presentation.
2. You plan to make sure the enterprise risk register is up-to-date with findings, remembering to check in with the SOX and PCI teams. What is the status of PCI 3.0 readiness?
3. Next is a conversation with the PMO. Will the IT GRC system upgrade be completed on time?
4. What about an update from the cybersecurity teams?
5. At a meeting with the VP of Internal Audit and other department heads, the conversation centers on the difficulty in managing audit issues and remediation across Finance, IT, and the rest of the business. Which integrated audit proposal offers the best solution?
6. At the same meeting, the Chief Risk Officer asks, "What is our most vulnerable software? Where do we stand with remediation?" These are important questions to consider. Will these come up at the Audit Committee meeting?
Long gone are the days when risk and compliance programs were managed using spreadsheets. GRC has grown to the point that IT, Finance, Legal, and key disciplines (Healthcare, etc.) often have their own GRC systems and processes. With constantly changing regulations, new requirements and features, and crushing amounts of data, it's time for an effective plan.
Getting down to business with GRC
Balancing risk and reward is at the core of informed decision-making and effective GRC. As the company seeks to take advantage of opportunities, GRC provides an integrated approach to managing the risks that come with them.
1. Governance - Rules of the road that provide the basis for how the company is managed. This includes policies, instructions, and operating practices that inform the company culture and direct its institutions. Effective governance defines key accountabilities and decision making.
2. Risk Management - The systematic set of practices to identify, analyze, and address risks across major disciplines: markets, credit, and operations.
3. Compliance - The coordinated actions demonstrating adherence to internal policies and external laws and regulations.
Authors and researchers Peter Weill and Jeanne W. Ross make the case for solid governance practices that can increase market valuation. Good corporate governance is important to professional investors. Major institutions rank corporate governance on par with the firm's financial indicators when evaluating investment decisions.
The consequences of weak corporate governance practices include potential regulatory fines, negative public perception, and lower financial returns. Corporate scandals such as Enron demonstrate the worst-case scenarios.
Realizing the potential of GRC
An effective GRC program requires time and resources to get right, but it enables business growth, resiliency, and value preservation. Realizing the potential of GRC depends on a number of factors. IT is a key enabler of GRC due to its unique capabilities:
1. Technology Risk Management - IT GRC is specialized and frequently requires a targeted solution. IT governance will have a critical view of systems, data, and sources of risk. This includes technology managed internally and through third parties.
2. Integrated Solutions - As a solution provider, IT can guide the organization to the right GRC systems and solutions spanning Finance, Legal, Healthcare, etc. Implementing stand-alone and enterprise GRC solutions requires architecture, process, systems, integration, and operational capabilities.
3. Big Data - Managing the large amounts of data consumed by GRC is demanding. Big Data solutions are vital for risk-based decision support at the executive level.
Creating a GRC capability that enables informed decision-making requires partnering and a strategy aimed at the executive level. A plan executed over time by the CIO and CISO puts GRC on track as an effective business tool for IT and the entire enterprise.
This is Part 1 of a series of articles aimed at examining the strategy and practices to ensure that GRC delivers value for the organization. Stay tuned for GRC Part 2: Aligning Business and IT Goals.

Comment

Making risk visible is critical to managing it. Relying on audit to determine the efficacy of controls is not working. Unless controls are automatically and continuously monitored in near real-time to produce a real-time risk picture, GRC tools will remain fancy reporting tools and will not actually help manage risk.