Enterprise risks and regulations continue to multiply. According to several industry experts, an upsurge in enforcement actions and fines for data protection breaches and non-compliance is expected in 2019.

Consumer class actions over data breaches, together with the General Data Protection Regulation (GDPR) coming into force in 2018, will intensify attention on data protection compliance and governance.

It makes sense that, as increasingly complex risks and regulations emerge, many organizations are pursuing a fully integrated Governance, Risk, and Compliance (GRC) program to assess and manage their risk profile.

Here, we explore the objectives and benefits of an integrated, holistic GRC program, the seven challenges that stand in the way of that goal, and the questions to ask if you are seeking outside support for program development and integration.

What should be the objectives of my organization’s GRC program?

Your GRC program should align strategy, processes, technology, and people to provide compliance oversight, as well as ongoing management and response to various types of risk.

A mature, fully integrated GRC program has the following qualities:

  1. Provides management visibility into the current IT risk and compliance posture and its trends
  2. Implements consistent and sustainable operational processes, including remediation and security gap assessments
  3. Assesses and manages risks and controls across the enterprise via consistent, accessible analytics
  4. Offers an integrated requirements library (IRL) that maps to the applicable external compliance sources
  5. Documents and maintains IT policies and standards based on leading industry practices
  6. Tracks and monitors strategic performance via a comprehensive view of risk and compliance goals, challenges, and progress
  7. Supports GRC-informed decisions related to enterprise development, procurement, and investments

What are the benefits of an integrated, mature GRC program?

A mature, enterprise-wide GRC program should achieve three objectives:

Enhanced risk posture: indicated by lower cost of capital and insurance premiums

Effective risk treatment: signified by risk avoidance and effective, quick risk remediation

Consistent compliance: denoted by reduced audit, compliance, and regulatory findings, as well as lawsuits

What challenges must an organization overcome to have an effective, integrated GRC program?

Challenge #1: Achieving Cross-functional, Enterprise-wide Collaboration

Significant cross-functional collaboration is required to scope a full GRC implementation.

The following areas must be aligned and share resources, data, and technology:

  • business continuity
  • audit management
  • policy management
  • risk management
  • compliance management
  • issues management
  • third-party management
  • threat management

For example, when teams share an application or module such as issues management, they must agree on the same required fields, data formats, and reference values (owners, severity ratings, asset identifiers); otherwise one function's records cannot be compared with, or rolled up alongside, another's.

Challenge #2: Implementing Without a Mature Program

Many organizations try to rely on the "out-of-the-box" functionality of their GRC management platform in order to minimize customization. This can cause significant issues, because GRC management applications are not designed for your specific industry (e.g., healthcare or banking) or organizational profile (e.g., a company selling online internationally versus a regional consumer services company).

Other organizations attempt to implement a GRC management platform at a time when their current-state GRC processes are not mature enough.

For example, many companies don’t have mature risk management processes, yet they implement a GRC solution with the expectation that the tool will fix their process-related issues.

It is our view that the process should always drive the technology, never the reverse.

Challenge #3: Managing Enterprise Change

Every major initiative requires proactive and thoughtful change management, and a GRC program, which affects the entire enterprise, is no exception.

Because many GRC implementations are spearheaded by individuals within middle management, top-down buy-in and enforcement are critical to ensure commitment and success.

Lack of coordination and cooperation is common in GRC implementations. Executive commitment, secured through strategic champions and education, is key, as is training for all key stakeholders and user groups, including:

  • Application training for each implemented module
  • New process training
  • New user/role training
  • Reporting/dashboard training

Challenge #4: Ensuring Data Integrity

GRC implementations require complete, accurate, and consistent data to add value to the enterprise. Many organizations do not take the time to “scrub” their data before migrating into a GRC solution.

Data sources to review and clean before migration include:

  • Configuration Management Database (CMDB)
  • Third-party vendors
  • Policies
  • Standards
  • Procedures
  • Controls
  • Risks
  • Findings
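As an added example, not code from the original post or from any GRC vendor, the following script shows the kind of pre-migration data quality check that Challenge #1 (a shared issues-management schema) and Challenge #4 (scrubbing data before migration) call for. It assumes a hypothetical shared issues schema, a hypothetical field mapping for an audit export, and a small CMDB asset list; every record below is constructed sample data.

```python
"""Pre-migration data quality check for GRC issue records.

Added example, not the page's own code. The shared schema, the field
mappings, and all records are assumptions constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Hypothetical shared issues-management schema agreed by all functions.
REQUIRED_FIELDS = ("issue_id", "owner", "severity", "due_date", "source", "asset_id")
SEVERITIES = {"critical", "high", "medium", "low"}
SEVERITY_ALIASES = {"moderate": "medium", "severe": "critical"}
DATE_FORMATS = ("%Y-%m-%d", "%m/%d/%Y")

# Hypothetical per-source field mappings onto the shared schema.
FIELD_MAPS = {
    "audit": {"finding_ref": "issue_id", "rating": "severity",
              "target_date": "due_date", "ci": "asset_id"},
    "security": {},
}

# Constructed sample exports: audit uses its own field names and US dates.
AUDIT_EXPORT = [
    {"finding_ref": "AUD-101", "owner": "ops-team", "rating": "High",
     "target_date": "03/15/2019", "ci": "srv-web-01"},
    {"finding_ref": "AUD-102", "owner": "", "rating": "Moderate",
     "target_date": "2019-04-01", "ci": "srv-db-02"},
]
SECURITY_EXPORT = [
    {"issue_id": "SEC-7", "owner": "appsec", "severity": "critical",
     "due_date": "2019-02-28", "asset_id": "srv-web-01"},
    {"issue_id": "SEC-8", "owner": "appsec", "severity": "critical",
     "due_date": "2019-02-30", "asset_id": "srv-web-99"},
    {"issue_id": "SEC-7", "owner": "appsec", "severity": "Critical",
     "due_date": "2019-02-28", "asset_id": "srv-web-01"},
]
# Constructed CMDB asset identifiers (the authoritative asset list).
CMDB_ASSETS = {"srv-web-01", "srv-db-02"}


def parse_date(value):
    """Return an ISO date string, or None if the value is not a real date."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).date().isoformat()
        except (TypeError, ValueError):
            continue
    return None


def normalize(record, source):
    """Map a source record onto the shared schema and canonicalize values."""
    mapped = {FIELD_MAPS[source].get(k, k): v for k, v in record.items()}
    mapped["source"] = source
    sev = str(mapped.get("severity", "")).strip().lower()
    mapped["severity"] = SEVERITY_ALIASES.get(sev, sev)
    mapped["due_date"] = parse_date(mapped.get("due_date"))
    return mapped


def validate(records, cmdb_assets):
    """Return (issue_id, problem) pairs for records that must be fixed before import."""
    problems = []
    for r in records:
        rid = r.get("issue_id")
        for field in REQUIRED_FIELDS:
            if not r.get(field):
                problems.append((rid, f"missing {field}"))
        if r.get("severity") and r["severity"] not in SEVERITIES:
            problems.append((rid, f"unknown severity {r['severity']!r}"))
        if r.get("asset_id") and r["asset_id"] not in cmdb_assets:
            problems.append((rid, f"asset {r['asset_id']} not in CMDB"))
    counts = Counter(r.get("issue_id") for r in records)
    for rid, n in counts.items():
        if n > 1:
            problems.append((rid, "duplicate issue_id"))
    return problems


def run_check():
    """Normalize both exports and validate them against the CMDB."""
    records = [normalize(r, "audit") for r in AUDIT_EXPORT]
    records += [normalize(r, "security") for r in SECURITY_EXPORT]
    return validate(records, CMDB_ASSETS)


if __name__ == "__main__":
    for issue_id, problem in run_check():
        print(f"{issue_id}: {problem}")
```

Running the check on the constructed data reports a missing owner, an impossible due date (30 February, which the date parser rejects), an asset that does not exist in the CMDB, and a duplicated issue identifier. Each of these is a record that would silently degrade dashboards and roll-ups if it were migrated as-is.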

Challenge #5: Securing Adequate Investment

Full-scale GRC implementations can cost several million dollars, especially when performed holistically, as we recommend. Be sure to assess and budget for the full range of costs: platform licensing, configuration, consultant fees, process redesign, and architecture support.

Challenge #6: Overcoming Phased or Siloed Implementations

Given the significant effort, planning, collaboration, and cost entailed in a GRC program and platform implementation, many organizations erroneously decide to implement their GRC platform in phases or silos.

Implementing in silos or phases defeats the purpose of an integrated GRC program. Many of the benefits of collaboration are lost or require rework as the implementation moves from phase-to-phase.

Many organizations use outside assistance to close gaps and challenges, including their lack of experience with the GRC solution, lack of general GRC experience, or limited resources and time to manage a full-scale GRC program or platform implementation.

If each silo or phase uses a different outside firm, costs, rework, and timelines all grow. The program also cannot achieve seamless integration when the approach varies too much from phase to phase, silo to silo, or consultant to consultant, and the inconsistencies cause problems for future implementations, enhancements, and maintenance.

Challenge #7: Taking a Reactive vs. Proactive Approach

Unfortunately, many organizations do not begin their GRC management journey until they are required to respond to negative regulatory or audit findings or to fines. An organization forced into GRC this way has less time and flexibility, and it loses the power of cross-functional collaboration.

A well-implemented GRC program and platform provides increasing value to an organization year-over-year when it is implemented and managed with forethought. As you plan your next level of GRC program maturity, keep these qualities and challenges top of mind.

Contact Us

Luke Wawrzeniak, Manager

Luke is a cybersecurity consulting professional with extensive experience developing and implementing Governance, Risk, and Compliance Management strategies and project execution.

He has helped clients mitigate regulatory and audit findings by achieving compliance with the following frameworks: NIST, ISO 27001, HIPAA, PCI, SOC 2, and HITRUST.