First, welcome to our new weekly column. I am thrilled to have a way to share ideas about Governance Risk and Compliance to all our community. The objective of this effort is to give you a weekly article with a subject related to this matter that, hopefully will challenge your thinking and give you ideas about how to deal with this important set of functions.
Let’s start by defining what we are talking about. When we talk about Governance, Risk and Compliance (GRC), we need to consider three things:
- A strategy for managing security governance,
- A methodology for managing enterprise risk, and
- A framework to demonstrate compliance with industry or country regulations.
We can say that Governance, Risk and Compliance is the foundation for aligning IT objectives with business objectives by performing effective risk management and considering the compliance requirements.
Many benefits come with the implementation of a GRC strategy:
- The decision-making process will be improved.
- Optimization of IT investment.
- A holistic approach to risk, which allows decisions based on objectively measured risk.
- “One single voice” to employees, auditors and regulators.
- Support for collaboration across the organization and efficient coordination of activities.
- Efficient execution of activities, which ensures a lower cost for the organization.
- Changes in regulations will be handled in a much more effective and cost-driven way.
GRC is a term that originated during the 2000s financial crisis. Studies of this crisis determined that a lack of appropriate controls and a lack of proper auditing resulted in poor information reaching stakeholders and, consequently, in poor decision-making. The need for a model that involves the implementation of IT controls and proper auditing of those controls drove the creation of frameworks that view risk holistically and support competent decision-making.
Frameworks like COSO®, COBIT® and ITIL® constitute excellent bodies of knowledge for IT governance. Regarding risk, we can point to the NIST Cybersecurity Framework, Risk IT® from ISACA®, SANS® CSC-20 and, of course, the ISO 31000 series. Compliance is defined for specific industry verticals or country/region regulations.
Over the next few columns, we will be analysing several GRC frameworks and providing tips for compliance, tools and insights based on our experience in the field. We hope to receive your feedback so that, together, we can build a more secure environment for all. Once again, thanks for your support of this effort.