Today, organizations are facing many challenges – such as rapid digital transformation and a growing number of risks (reputational, operational, compliance, cloud, …); new technologies and concepts (cloud computing, blockchain, AI, BYOD, work from anywhere) that increase the attack surface and cause data to be replicated to multiple locations; the rising cost of global compliance; staff who have not mastered new tools or do not understand their roles in security; and a growing number of regulations and their evolution (PCI-DSS, GDPR, NIS, NIS v2, …). This clearly impacts how people work, and it is difficult to keep a risk and compliance process efficient – assuming that you have one in place.
In my previous articles I explained what ISO27005 is, a framework for risk management. I also talked about a method for identifying, evaluating, and treating risks: Ebios Risk Manager. In today’s article, I’ll talk about a technology that will help you manage your risks, but also your governance and compliance.
What is GRC?
A risk is the probability that a threat will exploit a vulnerability, causing harm to your organization. What we’re all worried about is the risk of something falling through the cracks: the risk that you miss something. For example, what if:
- you fail to notice a code change wasn’t approved before it was implemented
- personal data was transmitted improperly
- during onboarding, people aren’t watching the privacy or cybersecurity awareness training videos
- your vendors aren’t maintaining the level of security they should
GRC refers to an integrated suite of features for implementing and managing your information security program. It assesses whether controls have been deployed and are functioning correctly. In doing so, GRC improves risk assessment and mitigation, simplifies the auditing process, executes workflows, and monitors KPIs and objectives.
GRC is not only a technical solution, but a structured approach aligning IT with business objectives, effectively managing risk and meeting compliance requirements, across your entire organization.
The three main components of GRC are:
- Governance: the rules or policies by which an organization is governed (oversight)
- Risk: making sure that any risk or opportunity associated with organizational activities is identified and addressed in a way that supports the organization’s business goals. In an IT context, this means having a comprehensive IT risk management process that rolls into an organization’s enterprise risk management function
- Compliance: ensuring that all organizational activities are operated in a way that meets the law and regulations. In an IT context, this means making sure that IT systems and data contained in those systems are used and secured properly
But GRC goes far beyond just governance, risk and compliance. It also includes assurance and performance management.
The evolution of GRC over time
In the past, GRC was compliance driven. It assumed that if you were compliant with a regulation, risks were addressed. Nowadays, GRC solutions have evolved to include Integrated Risk Management features. This is a real culture change. Now GRC is more risk driven, and process and business oriented. It means you need to understand the risks your organization is facing.
What are the benefits?
GRC is necessary for all organizations – from public to private, and from small to large. An efficient GRC strategy will bring you many benefits, including (but not limited to!):
- Real-time visibility and prioritization: dynamic dashboards and reporting capabilities. Senior management gets real-time insights into your operational activities, risk and compliance posture and audit activities – improving their decision-making
- Remove redundant processes and tasks: reduce costs and increase performance
- Automation and artificial intelligence (in the latest solutions): reduce the need for manual data entry. The tool is dynamic, and can help you to track your obligations, flag compliance gaps, and automate actions supported by flexible workflows. Automation also helps to increase your team’s productivity and eliminate the likelihood of human error
- Elimination of siloes: reduce fragmentation among divisions and departments, and increase communication and collaboration between all stakeholders
- Transparency, efficiency & accountability: unlike spreadsheets, GRC eases collaboration within the platform for all parties involved, enhances project management capabilities, integrates task management to track compliance activities, sets deadlines and monitors activity in an auditable format
- Data & security: the tool is more secure than Excel files saved to multiple users’ computers at a time (which makes it a headache to validate the most up-to-date information and opens up multiple channels of vulnerability)
- Allow customization: customizable approach to identify, measure, and remediate risks across the business while ensuring compliance with internal rules and external regulations. Individualized analytical grids, custom fields, and custom views
- Cost optimization: reduce compliance costs and eliminate the worry of managing regulatory requirements
- Centralization: effectively manage your various risks and have a more complete view of your organization’s business processes
- Performance: define KPIs that show the effectiveness of the organization’s efforts
- Consistency: align IT activities to support and enable your organization’s strategic objectives
Of course, a successful implementation requires executive leadership and cultural changes.
What about pricing?
Legacy solutions can be costly, running up to seven figures. They can work perfectly for large organizations but be inaccessible for smaller organizations. Cloud-based technologies change the equation. The GRC solution is available under the SaaS model. The advantage is simple: the organization can start with a smaller scope and grow later, continuously improving. The costs begin at three figures per month. It thus becomes accessible even for smaller organizations.
eGRC market
eGRC resembles GRC, but at enterprise level. It also refers to how an enterprise addresses governance, manages risk and ensures compliance companywide. It thus encompasses IT security while also covering enterprise operational and financial risks.
Gartner magic quadrant
At Devoteam we can help you thanks to our expertise in risk management and GRC technologies. Read more about our cybersecurity approach.