GRC Hot Buttons

Governance, Risk, and Compliance Hot Buttons

RISK & COMPLIANCE

3/17/2023 · 2 min read

A Defined and Accepted Risk

Organizational risk is hard to define and often just as hard to accept. All too often, risks that do not map to financial or other familiar risk categories never reach leadership. Inconsistent methods of scoring, measuring, or categorizing risk lead to inaccurate reporting, or to no reporting at all.

What to do: Make sure the definitions of risk and severity are agreed upon across the organization. There should be one primary risk management program that incorporates all risk, since other programs may overlap with your primary one.

All eggs in one basket

The range of available Governance, Risk, and Compliance tools is broad. Some practitioners focus on one tool to do it all. However, that may leave gaps and exposure. Enterprise tools and spreadsheets can both deliver positive outcomes if leveraged correctly. You can have a robust GRC framework in place with a primary enterprise tool while still using a spreadsheet.

What to do: Where possible, use the tools you already have to establish baselines, normalize data, and stand up the GRC program first. If you then find you need other tools, you'll be better equipped to choose what is needed.

Regulations? Which ones...

What regulations will impact your organization? HIPAA can take a back seat to state and local privacy laws if there's a data breach, especially where those laws are more stringent than HIPAA (which does not preempt them). SOX, PCI DSS, GDPR, and others each have different effects. It's not a cookie-cutter exercise.

What to do: The regulatory process should be co-owned and documented by legal and compliance, with clear lines of communication to IT and the business.

Who's ultimately accountable?

Someone has to pay the piper. Like any project, GRC needs an executive champion. Leadership must not only be supportive but visibly show that support for Governance, Risk, and Compliance. Accountability flows downhill from there to the owners of systems, applications, and processes, and ultimately to the raw data.

What to do: Executive support shouldn't just be stated; it must be demonstrated and sustained. Executives continuously driving GRC and security initiatives is key, since they are ultimately accountable. Another key point: metrics backed by a quantitative, financial impact analysis are important.

Too many tools and sources

Regulatory tools, spreadsheets, and dashboards can be overwhelming and confusing. Too much time is lost correlating and normalizing hundreds (if not thousands) of data points. Keep it simple.

What to do: You know what needs to be worked on, so focus on selecting the few tools that deliver the most impact. Work with your cross-functional, interdepartmental teams to gather insights and share the information-gathering load. Business requirements drive the selection.

Metrics for sound decision making

Create metrics alongside your baselines to show where and how you're improving. Are your efforts reducing risk? Have they met compliance goals and initiative targets? For example, a phishing-campaign click rate measured at baseline should improve as your awareness initiatives roll out. Do you have the KPIs to back that up? What about key business questions (KBQs) and key risk indicators (KRIs)?

What to do: Remember, when your review comes up, HR will likely use the SMART criteria to measure performance:

  • Specific

  • Measurable

  • Attainable

  • Relevant

  • Time-bound

Take a page from that playbook and apply SMART to your own program. Take your KPIs, KBQs, and top processes and apply the SMART criteria to each. Make sure each creates business value and identifies the critical decision makers. Define measurable KRIs for these processes, then orchestrate the monitoring and tracking of the relevant data.