Nemi George, Senior Director of Information Security & Service Operations, Pacific Dental Services
The three tenets of Governance, Risk, and Compliance Management (GRC) incorporate information technology in order to manage the numerous operational processes within an organization (Rasmussen, 2018). Governance consists of the culture, processes, and policies that form the foundation of an organization (Rasmussen, 2018). A GRC program can support the governance of organizational policy through the assessment and remediation of technical and non-technical controls (Johnson, 2015). Risk management is the coordinated effort to forecast and evaluate the impact of various risks to an organization. A GRC program contributes to the risk management effort through quantification, analysis, and the mitigation of risk within an organization (Johnson, 2015). Compliance is the act of adhering to standards that ensure the integrity and confidentiality of organizational processes. These controls and their exceptions can be mapped to regulations that govern certain compliance standards (Johnson, 2015).
Benefits of GRC Technology
The benefits of implementing a GRC tool are substantial, as organizations are increasingly required to comply with multiple industry and regulatory standards such as GDPR, HIPAA, and PCI-DSS. A well-implemented GRC solution acts as a single pane of glass and offers empirical insight into information security and enterprise risk management, including third-party and vendor risk management. Simply put, "an effective GRC program takes your information security program from the war room to the board room." It communicates very technical and often complex aspects of information security, such as threats, vulnerability assessments, penetration tests, cyber security incident response, and the implementation of controls, in simple, easy-to-understand business language and in a format that senior management and executive teams across organizations readily grasp.
Core GRC Features
Several GRC tools boast a laundry list of features and unique selling points, but a few features should be prioritized above the others: integration with core business systems such as the vendor management system, the IT service management system, and the contract lifecycle management system; asset discovery for critical business assets; assessments based on consolidated standards and frameworks; separate operational (practitioner) and management (executive) dashboards; and the ability to customize the risk assessment methodology.
Challenges with Implementation
The implementation of a GRC solution is not without objection. Challenges such as attaining buy-in from executive management, lack of focus on the underlying business need, and process change are all common setbacks.
For instance, a lack of stakeholder involvement often results in lower adoption rates and hinders overall success. Some organizations err in focusing on elaborate features rather than understanding their core business requirements and evaluating GRC software functionality for alignment and strategic fit. Consequently, opportunities for improvement are often missed because the underlying business need is only recognized in the post-implementation phase, resulting in a poor implementation and other setbacks. Furthermore, it is important to note that while GRC is practical for building a comprehensive framework for managing risk and improving performance, it is not a replacement for internal control or compliance testing.
The success of any GRC implementation rests on four phases and on the selection of a proper methodology and risk scoring system. The GRC lifecycle can be divided into four phases: chartering, configuration, implementation, and post-implementation. During the chartering phase, the organization determines that it needs a GRC solution to improve its preexisting control frameworks. During the configuration phase, it is important to be able to integrate and map multiple control frameworks and standards into the GRC tool, allowing tailored compliance reporting, statements of applicability, and a centralized dashboard. During the implementation phase, system problems are addressed to ensure stability, secure the availability of data, and establish interoperation with other systems. The post-implementation phase harmonizes control and audit functions in order to address emerging and recurring issues.
There are two standard methodology choices to make when implementing a GRC program: top-down versus bottom-up, and business criticality versus threat-driven (Rsam, 2015). A top-down methodology is more appropriate for organizations where there is a predominant focus on executive-level reporting (Rsam, 2015). This methodology gathers the risk factors associated with core business assets within the organization and how business processes would be impacted if those assets became unavailable or were otherwise compromised (Rsam, 2015). Appropriate controls are derived from these risk factors in order to determine the residual risk for organizational assets (Rsam, 2015). A bottom-up methodology is pertinent to information technology-centric use cases that focus on controls, vulnerabilities, and threats (Rsam, 2015).
Threat-driven methodologies work well with identifiable targets such as applications, servers, and vendors (Rsam, 2015). They deliver data on threat-vulnerability pairs that correlate to the impact levels of a given asset; the corresponding controls are then evaluated to determine how likely the threat is to persist. Threat-driven methodologies are technical in nature and allow for a broad interpretation of the results of threat-vulnerability pairs. In contrast, business-criticality methodologies are less complex and highly scalable.
Risk Scoring System
A risk scoring system compares different threats and provides a metric for prioritizing risks, remediation efforts, and control allocation. Scoring can be categorized as either qualitative or quantitative. The risk scoring system may be derived from the mandates of commonly accepted security frameworks such as ISO, HIPAA, and PCI, or it can be an internal, proprietary risk methodology.
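The following is an added example, not code from the article or from any GRC product, of how the threat-vulnerability pairs, impact levels, and control evaluation described in the methodology section translate into the two scoring styles just named. It scores a small constructed risk register both qualitatively (a five-by-five likelihood-by-impact matrix, with controls stepping the ratings down) and quantitatively (annualized loss expectancy, with each control avoiding a fraction of the loss), then ranks the register for remediation under each method. The scales, band thresholds, asset names, values, and control effects are all assumptions constructed for illustration, not figures from any framework or organization.

```python
from dataclasses import dataclass, field
from typing import List

# Five-step ordinal scales typical of a qualitative methodology (constructed for this example).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A control evaluated against one threat-vulnerability pair."""
    name: str
    likelihood_reduction: int = 0   # steps down the qualitative likelihood scale
    impact_reduction: int = 0       # steps down the qualitative impact scale
    effectiveness: float = 0.0      # fraction of annualized loss the control is expected to avoid


@dataclass
class ThreatVulnPair:
    """One risk register row: the asset, its threat-vulnerability pair, ratings, and controls."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str                 # key of LIKELIHOOD (inherent, before controls)
    impact: str                     # key of IMPACT (inherent, before controls)
    asset_value: float              # monetary value of the asset
    exposure_factor: float          # fraction of asset value lost per occurrence
    aro: float                      # annualized rate of occurrence
    controls: List[Control] = field(default_factory=list)


def qualitative_score(pair: ThreatVulnPair, residual: bool = True) -> int:
    """Likelihood x impact on the ordinal scales; residual=True applies the control reductions."""
    likelihood = LIKELIHOOD[pair.likelihood]
    impact = IMPACT[pair.impact]
    if residual:
        likelihood -= sum(c.likelihood_reduction for c in pair.controls)
        impact -= sum(c.impact_reduction for c in pair.controls)
    # A control can never push a rating below the bottom of its scale.
    return max(1, likelihood) * max(1, impact)


def risk_band(score: int) -> str:
    """Map a 1..25 matrix score to the band an executive dashboard would show (assumed thresholds)."""
    if score >= 15:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def annualized_loss_expectancy(pair: ThreatVulnPair, residual: bool = True) -> float:
    """Quantitative score: SLE = asset value x exposure factor, ALE = SLE x ARO.
    Residual ALE treats controls as independent, each avoiding its effectiveness fraction."""
    ale = pair.asset_value * pair.exposure_factor * pair.aro
    if residual:
        for control in pair.controls:
            ale *= 1.0 - control.effectiveness
    return round(ale, 2)


def prioritize(pairs: List[ThreatVulnPair], method: str = "qualitative") -> List[ThreatVulnPair]:
    """Order register rows for remediation, highest residual risk first (stable for ties)."""
    scorer = qualitative_score if method == "qualitative" else annualized_loss_expectancy
    return sorted(pairs, key=lambda p: scorer(p, residual=True), reverse=True)


# Constructed sample register: hypothetical assets, threats, values, and controls.
SAMPLE_REGISTER = [
    ThreatVulnPair("patient billing server", "ransomware", "unpatched remote access service",
                   "likely", "severe", asset_value=500_000, exposure_factor=0.6, aro=0.5,
                   controls=[Control("MFA on remote access", likelihood_reduction=2, effectiveness=0.5),
                             Control("offline backups", impact_reduction=2, effectiveness=0.6)]),
    ThreatVulnPair("HR vendor portal", "credential phishing", "no email filtering",
                   "almost certain", "moderate", asset_value=80_000, exposure_factor=0.25, aro=2.0,
                   controls=[Control("security awareness training", likelihood_reduction=1, effectiveness=0.3)]),
    ThreatVulnPair("marketing website", "defacement", "outdated CMS plugin",
                   "possible", "minor", asset_value=20_000, exposure_factor=0.5, aro=1.0),
]

if __name__ == "__main__":
    for method in ("qualitative", "quantitative"):
        print(f"--- {method} ranking (residual) ---")
        for p in prioritize(SAMPLE_REGISTER, method):
            q = qualitative_score(p)
            print(f"{p.asset:24} {p.threat:20} matrix={q:2} ({risk_band(q)})"
                  f"  ALE inherent={annualized_loss_expectancy(p, residual=False):>10.2f}"
                  f"  residual={annualized_loss_expectancy(p):>10.2f}")
```

Running the block shows why the choice of scoring system matters: on the qualitative matrix the phishing risk ranks first because training only steps likelihood down one notch, while on the quantitative view the ransomware risk keeps the largest residual loss despite two controls. A real program would replace the constructed scales and thresholds with the ones its chosen framework or internal methodology mandates.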
GRC programs align business processes with risk management in an effort to reduce complexity and inconsistency. A successful GRC implementation is not without potential roadblocks. Obstacles to implementation, such as attaining management support, a lack of competent resources, and process change setbacks, can be mitigated by a structured change management system. Additionally, establishing an enterprise risk management methodology suited to the organization is critical for success. A successful GRC program will provide insight into the internal and external risks associated with optimizing business performance, leading to increased efficiency, cost reductions, and an improved overall risk posture (Rsam, 2015).