Three Tips To Simplify Governance, Risk and Compliance

Three Tips To Simplify Governance, Risk and Compliance

Governance, Risk and Compliance

Businesses are under pressure to deliver against a backdrop of evolving regulations and security threats. In the face of such challenges they strive to perform better, be leaner, cut costs and be more efficient. Effective governance, risk and compliance (GRC) can help preserve the business’ corporate integrity and protect the brand, but in an ever-changing technology landscape and with complex, inter-related business operations to manage, implementing GRC can seem like a complex undertaking.

Many businesses still manage operations departmentally, with activities separated by business silos. This can make implementing policies and processes with pan-business reach seem difficult. GRC falls into this category – it has to span all business departments – but it doesn’t have to be such a headache.

Businesses can simplify GRC with these three tips:

1. Don’t boil the ocean

GRC covers a lot of ground – operational risk, compliance, cybersecurity, third party management, auditing and so on – and incorporates hundreds of rules and regulations, dozens of policies and scores of risk management activities.

The trick to simplification is to take it one step at a time; to not try and do everything at once. Anyone attempting to deploy an integrated solution for all GRC activities in one go is courting failure.

Instead, take on two or three activities to be prioritized within an integrated GRC program. A few simple questions about your business processes – how they work, how they can be more effective, and how they can be audited and monitored – will reveal where the priorities lie for efficient GRC.

Many companies start with internal auditing and Sarbanes-Oxley (SOX) compliance for financial reporting. Others with enterprise risk management or operational risk management; still others with IT compliance and policy management.

Developing common frameworks and taxonomies – which is a critical foundation for effective GRC – is simpler begun with two or three key activities. Over time, additional activities can be brought into an integrated GRC program.

2. Develop common frameworks and taxonomies

A valuable benefit of an integrated GRC solution is that different activities – risk management, compliance, auditing and so on – can share information. For this to work effectively, they need to conform to common taxonomies. As well as enabling collaboration, common taxonomies can help identify redundancies so that rationalization can take place. This keeps the system up to date and helps reduce the cost of control testing and risk assessments.

Policies and rules held within common frameworks give companies the control they need for rapid change when it comes about. It’s one thing to embed automation within systems so that, for example, payments over a certain authorization level get the required sign-off before they’re authorized, but what happens after a merger or acquisition? If all those rules are hardwired into individual systems, there’s a whole bunch of work to do to achieve consistency across merged companies. When the rules sit outside individual workflows they can trigger action inside. The set of these rules ‘libraries’ is qualified in the GRC system.

3. Use pre-packaged cloud-based applications

Most vendors offer both on premise and cloud-based application – Going with the cloud relieves the business’ IT infrastructure from supporting the GRC solution. GRC in the cloud helps consign manual processes to the past. Furthermore, future upgrades are simpler with pre-packaged solutions that haven’t been customized.

The cloud approach also ensures that you are set up for real-time Content Integration such as Regulatory Change Management. This is important because GRC is not only about systems and tools but it is also about staying abreast and ahead of the regulatory landscape that is constantly evolving.

Risk and regulation is always evolving. The way businesses manage it cannot stand still either. The future of GRC lies in automation, integrated reporting and a culture of compliance. By heeding the three tips for simpler GRC, businesses can help mitigate risk, minimize compliance firefighting and smoothly manage change wherever it may come from to drive better business performance.

By Vidya Phalke

About Vidya Phalke

Vidya Phalke is responsible for MetricStream's technical architecture and strategy. Prior to being promoted to the CTO position, Vidya served as Vice President of Product Management and Engineering where he was responsible for MetricStream's Software Products and Platform Delivery. Starting with MetricStream in 2003, Vidya has been instrumental in developing an industry-leading GRC software platform. Before joining the software industry, Vidya earned a PhD in Computer Science from Rutgers University, where he won two Small Business Innovation Research grants for his research on databases and network optimization.

View All Articles

Sorry, comments are closed for this post.

Comics
Three Tips To Simplify Governance, Risk and Compliance

Three Tips To Simplify Governance, Risk and Compliance

Governance, Risk and Compliance Businesses are under pressure to deliver against a backdrop of evolving regulations and security threats. In the face of such challenges they strive to perform better, be leaner, cut costs and be more efficient. Effective governance, risk and compliance (GRC) can help preserve the business’ corporate integrity and protect the brand,…

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Staying on Top of Your Infrastructure-as-a-Service Security Responsibilities

Infrastructure-as-a-Service Security It’s no secret many organizations rely on popular cloud providers like Amazon and Microsoft for access to computing infrastructure. The many perks of cloud services, such as the ability to quickly scale resources without the upfront cost of buying physical servers, have helped build a multibillion-dollar cloud industry that continues to grow each…

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

What the Dyn DDoS Attacks Taught Us About Cloud-Only EFSS

DDoS Attacks October 21st, 2016 went into the annals of Internet history for the large scale Distributed Denial of Service (DDoS) attacks that made popular Internet properties like Twitter, SoundCloud, Spotify and Box inaccessible to many users in the US. The DDoS attack happened in three waves targeting DNS service provider Dyn, resulting in a total of about…

Why Security Practitioners Need To Apply The 80-20 Rules To Data Security

Why Security Practitioners Need To Apply The 80-20 Rules To Data Security

The 80-20 Rule For Security Practitioners  Everyday we learn about yet another egregious data security breach, exposure of customer data or misuse of data. It begs the question why in this 21st century, as a security industry we cannot seem to secure our most valuable data assets when technology has surpassed our expectations in other regards.…

2017 Brings DLP Technology and IoT’s Weaknesses to Light

2017 Brings DLP Technology and IoT’s Weaknesses to Light

DLP Technology In regards to data loss prevention (DLP), in the last five years many companies rushed to implement DLP solutions without taking the time to first identify the data that should not transit egress points. Most of these rushed implementations have not been successful. Security analysts, in particular 451 Research, have been recommending that…

The Five Rules of Security and Compliance in the Public Cloud Era

The Five Rules of Security and Compliance in the Public Cloud Era

Security and Compliance  With technology at the heart of businesses today, IT systems and data are being targeted by criminals, competitors and even foreign governments. Every day, we hear about how another retailer, bank or Internet company has been hacked and private information of customers or employees stolen. Governments and oversight organizations are responding to…

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Picking Up – Legacy Security Losing Ground

Cloud Native Trends Once upon a time, only a select few companies like Google and Salesforce possessed the knowledge and expertise to operate efficient cloud infrastructure and applications. Organizations patronizing those companies benefitted with apps that offered new benefits in flexibility, scalability and cost effectiveness. These days, the sharp division between cloud and on-premises infrastructure…