As you may be aware, GRC stands for Governance, Risk and Compliance. The idea of an enabling GRC function was first introduced by OCEG (Open Compliance and Ethics Group) around 2003 to describe an organization’s internal collection of capabilities that lets it reliably achieve the business objectives set by the board and executive management: it addresses the uncertainties of the working environment with GRC processes and binds those processes tightly to integrity in their execution. Over time the idea matured, and OCEG first published its GRC Capability Model in the 2005 OCEG Red Book. Since then there have been multiple revisions of this GRC standard practice, with the involvement of hundreds of OCEG community members and organizations and key risk and governance professionals. As of 2022, the well-established GRC model is found in Revision 3 of the OCEG Red Book [1]. That was the history part of GRC. Now let us look at the functions of GRC and how they enable an organization to accomplish its vision and mission.
A GRC function is an integrated collection of different capabilities focused on managing the risks and non-compliance of all your business operations. In modern times the GRC function is sometimes referred to as Integrated Risk Management, Integrated Compliance or Integrated GRC. The name does not matter; the functions that need to be performed remain the same.
A well-established GRC Function Capability Model establishes a core standard for managing, predicting and detecting deviations in the organization’s key processes, those tied to accomplishing its mission and vision: it guards against mismanagement, identifies risk at an early stage, and catches non-compliance with prescribed organizational policies, standards and procedures and with applicable regulations, local to international. The right mixture of the three sub-functions, Governance, Risk and Compliance, is performed continuously and repeatedly to identify breakaway processes, procedural deviations and out-of-bound risks early in the process lifecycle. This gives management a chance to correct risky situations and behaviors and to bring non-compliant processes back into compliance in a timely fashion, before they start to hurt the business.
Because the GRC process is continuously repeated, one could best visualize it as a sheep-herding dog, whose job is to bring any sheep that ventures outside the comfort of the flock back into it. Imagine humans herding a large flock without sheep-herding dogs and the difficulties become obvious. GRC categorically does the work of that dog: its processes bring the risky and non-compliant functions within the business in front of stakeholders, management and the board in a timely fashion, giving them a chance to govern those out-of-bound processes, get them back within acceptable norms, and refocus the business on accomplishing its mission and vision. Following the Pareto Principle [2], 80% of readers, practicing GRC professionals and management will agree that the GRC benefits identified below are the value their organization gets from its own GRC function, though they may prioritize them a little differently.
An Empowered GRC Function Is a Business Enabler.
A properly defined, fully implemented GRC function helps your enterprise materialize multiple benefits. The top ten GRC benefits are listed below in no specific order of priority:
1. Saves revenue by reducing non-compliance costs and fines from external regulatory organizations.
2. Reduces the execution time and cost of meeting regulatory requirements through automation and streamlined business practices and procedures, which in turn adds to the revenue saving above.
3. Makes an enterprise agile enough to re-prioritize at the last minute without running into non-compliance challenges or exposing the business to higher risks.
4. Reforms the enterprise into an “enabler environment” through corporate-wide enforcement of uniform compliance and risk-mitigation processes.
5. Improves overall strategic business decision-making by providing decision makers with quality information at the right time.
6. Enforces local, state, federal and/or any specific regulations governing special business verticals.
7. Enables business units to independently excel at closing non-compliance findings and mitigating risks, positively enabling the enterprise mission and vision.
8. Increases workforce risk and compliance awareness as a result of GRC-enabled enterprise processes.
9. Boosts customer and shareholder confidence by making the enterprise a compliant corporate citizen. This spares it the non-compliant image that competitors could exploit in marketing propaganda, leading to increased customer trust and enhanced shareholder value.
10. Promotes a unified internal standard communication protocol across enterprise organizations for addressing non-compliance activities and remedial actions without ambiguity.
11. The bonus 11th value-add, should you need another one: a well-defined, automated and streamlined GRC workflow increases enterprise internal data-search efficiency, both backwards in time and in forward projections, by applying advanced data science and AI modeling to the historical GRC data. This will:
a. provide faster data search during the audit-trail function,
b. improve data reliability by reducing manual process errors,
c. enhance the integrity of the collected GRC data, and
d. enable enterprise IR4 capabilities.
All of these in turn add to the quality of decision-making, leading to faster accomplishment of the enterprise mission and vision.
Let us turn to what automation of the GRC function can accomplish. The first and most obvious choice for many small to medium-sized organizations is Excel or any other spreadsheet, which can certainly capture the risk and compliance data and support the governance aspect of the GRC function: the collected GRC data is converted into tables, charts and graphs that highlight where timelines were missed or are about to be missed, show the time remaining to target completion dates, and surface other intricate details. Although this process is semi-manual, with a proper design it could be leveraged by a larger corporation too. However, a large corporation that does not use a GRC tool for automation is perceived as having an immature GRC function. GRC tools exist today in the paid software domain, and one of them is RSA Archer, although it is now neither part of RSA nor carries the RSA name.
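The spreadsheet logic described above (flagging missed and about-to-be-missed target dates, showing the time remaining, and rolling the result up per business unit for the governance meeting) is small enough to be written as a script. The following is an added example, not code from the article or from any GRC product; the finding records, the field names, the 14-day warning window and the reporting date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

# Constructed finding records standing in for the rows a GRC spreadsheet would
# hold: one compliance finding or risk treatment per row, with an owner, the
# requirement it relates to, a target completion date and an open/closed flag.
@dataclass(frozen=True)
class Finding:
    finding_id: str
    business_unit: str
    owner: str
    requirement: str     # policy, standard or regulation the finding is raised against
    target_date: date
    closed: bool

# Hypothetical threshold for "about to be missed": anything due within this
# many days is flagged as at risk so management sees it before the date passes.
WARNING_WINDOW_DAYS = 14


def days_remaining(finding: Finding, today: date) -> int:
    """Days left until the target date; negative once the date has passed."""
    return (finding.target_date - today).days


def classify(finding: Finding, today: date) -> str:
    """Return 'closed', 'missed', 'at_risk' or 'on_track' for one finding."""
    if finding.closed:
        return "closed"
    if finding.target_date < today:
        return "missed"
    if finding.target_date - today <= timedelta(days=WARNING_WINDOW_DAYS):
        return "at_risk"
    return "on_track"


def governance_summary(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-business-unit counts of each status, the figures a governance report shows."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        unit = summary.setdefault(
            f.business_unit, {"closed": 0, "missed": 0, "at_risk": 0, "on_track": 0}
        )
        unit[classify(f, today)] += 1
    return summary


def escalation_list(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings that are missed or at risk, worst first, for the governance meeting."""
    flagged = [f for f in findings if classify(f, today) in ("missed", "at_risk")]
    return sorted(flagged, key=lambda f: days_remaining(f, today))


# Constructed sample data; the requirement names are illustrative only.
SAMPLE_FINDINGS = [
    Finding("F-001", "Finance", "A. Lee", "Access review of payment system admins", date(2022, 8, 20), False),
    Finding("F-002", "Finance", "A. Lee", "Quarterly user access recertification", date(2022, 9, 15), False),
    Finding("F-003", "IT", "B. Khan", "Patch management policy update", date(2022, 11, 30), False),
    Finding("F-004", "IT", "B. Khan", "Backup restore test evidence", date(2022, 7, 1), True),
    Finding("F-005", "HR", "C. Diaz", "Security awareness training completion", date(2022, 9, 6), False),
]


def main() -> None:
    today = date(2022, 9, 6)  # fixed reporting date so the output is reproducible
    for unit, counts in governance_summary(SAMPLE_FINDINGS, today).items():
        print(f"{unit:<8} {counts}")
    print("Escalations (worst first):")
    for f in escalation_list(SAMPLE_FINDINGS, today):
        print(f"  {f.finding_id} {f.business_unit:<8} {classify(f, today):<8} "
              f"{days_remaining(f, today):>4} days  {f.requirement}")


if __name__ == "__main__":
    main()
```

A finding whose target date equals the reporting date is reported as at risk rather than missed, since the deadline has not yet passed; the fixed reporting date in `main()` is what makes the classification repeatable, and in a real report it would be replaced by `date.today()`.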
RSA has a long and complex history. In 1977 three research scientists, Ron Rivest, Adi Shamir and Leonard Adleman, referred to as RSA after the initials of their last names, published a paper on a public-key cryptosystem. In 1982 the three researchers formed a company, RSA Security LLC, and the next year, in 1983, a patent describing the RSA algorithm was granted to MIT, where they used to work. The RSA algorithm became a basis of modern-day cryptography, on which Internet privacy works today. As a company, RSA has changed hands rapidly in the last few years. In 2006 RSA Security was acquired by EMC Corporation for US$2.1B [4]. In 2010 EMC acquired Archer Technologies [5] [6], which was selling a top-ranked GRC software tool, and placed it under the RSA brand umbrella. Then in 2016 Dell Technologies acquired EMC [7] [8]. In 2020 Dell Technologies sold the RSA Security products to a consortium called Symphony Technology Group (STG) for US$2.1B, the same price EMC had paid back in 2006 [9]. STG then decoupled the two technologies that had sat under the RSA brand umbrella into two separate products, leveraging the brand value of each name and relaunching them separately as RSA [10] and Archer [11]. Archer GRC was still the leading GRC product in the 2021 Gartner Magic Quadrant for IT Risk Management. RSA retains the Multi-Factor Authentication (MFA) product line and, per the claims on the RSA web site [12], cites 25+ million enterprise identities, 99.95% availability and 12,000+ customers worldwide.
SAP GRC is another prominent solution in the paid space [13], and a few others can be found here [14], in the Gartner Magic Quadrant [15] or in the Forrester Wave document [16] on the GRC product line. A few other paid GRC tools worth noting are IBM OpenPages with Watson [17], Risk Under One Roof under the banner of Integrated Risk Management [18], SAI360 GRC (previously Nasdaq BWise) [19], ServiceNow GRC [20], Standard Fusion [21], etc. There are also lower-cost GRC tools with significantly fewer features and less functionality, listed here [22] [23].
The tools listed under the banner of paid software are extremely good at what they bring to the table. Nonetheless, when you weigh the benefits of paid software against an open-source one, the real scale of value emerges, depending on how much discretionary budget you have for a GRC automation tool, leaving aside the other costs of creating or maintaining a GRC function, including FTEs, FTE training, consulting, etc. Both paid and open-source tools can bring automation to your GRC processes and give your management real-time risk and compliance reporting and monitoring visibility across different business domains, with the ability to drill down when required to reach the run-away processes and functions. The one drawback of paid tools is the budgetary constraint that comes with them: paid licensing is not affordable for small and medium-sized organizations. This is where open-source GRC tools can bring relief.
One criterion for success under constraints is to perform the minimum critical required functions (GRC functions, in this case). Open-source lacks a full-functionality GRC tool. Although open-source tools are not as flexible and feature-rich as their paid counterparts, there are areas where they can add the edge that organizations require to get to the finish line.
eRamba [24] is an open-source tool that can provide 80% of the GRC functions with minimal effort and at zero cost. It is open-source in the true sense and provides full-featured, well-maintained software that is downloadable [25] and installable as either the Enterprise or the Community edition. The Enterprise edition carries a nominal support fee, but both bundles are equally feature-rich, and a self-service online demo can be requested for either [26] through the eRamba web site. Both bundles are provided under an open-source license. eRamba GRC software was named a Gartner Cool Vendor in 2020 [27] and received an honorable mention in the Gartner Magic Quadrant in 2021 [28]. The eRamba GRC solution has almost all the modules required for the smooth functioning of a GRC function [29]. In addition, eRamba has a sister collaborative platform, OpensourceGRC.org [30], with a wealth of GRC support materials such as compliance requirements, internal controls, policy templates and more, which makes eRamba a formidable competitor to the paid GRC software. Add a little creativity and the magic of a modern spreadsheet to the output of this software and the templates it provides, and, from what I have seen, you have the best of the GRC world from this tool: automation, workflows, schedulers, reports, graphs and trends at your fingertips.
There are a few other open-source tools with limited GRC functionality, or tools that their web pages disguise as free when they are free only for demo purposes and cannot be deployed into production; those are not documented here. Should you find an open-source GRC software that is free and can provide 80% of the GRC functions, please drop me an email and I will amend this paper with a new revision.
Summary & Conclusion
Organizations do govern their risk and manage their compliance requirements where necessary, and they have always done so. The key is managing those effectively and efficiently across business functions. The challenge is to see your own organization’s policies, standards and procedures uniformly enforced, calculated risks undertaken, and all national and international regulations applicable to your industry followed; this is the key to your and your organization’s success. The question is how best to accomplish this, and at what price tag; that is the question your management will want answered. With an automated GRC function, which is a mix of qualified GRC people, GRC tools and GRC-enhancing technologies, and the right mix of defined organization-wide GRC processes, you will be able to produce the desired results at a reasonable cost. A major part of your cost is the GRC tool or tools, and if that cost is managed properly within your budget without compromising the quality of the GRC functions, then you have made your mark within your organization.
The GRC-enhancing technologies referred to above are different from GRC tools. Here is the 20-second introduction to GRC technologies. Using them moves your GRC function to the GRC 2.0 level. With the advent of Data Science (DS), organizations already use tools for Machine Learning (ML), Deep Learning (DL) and Artificial Intelligence (AI). A new possibility opens when GRC operations start to apply Predictive Analytics [31] [32] on the existing DS platforms to the historical data captured over the years of your GRC function’s operation. GRC mixed with advanced data analytics will emerge as GRC 2.0, which could be referred to as SMART GRC. You may read more on how to enable a SMART GRC function from here.
SMART GRC will allow you to analyze and predict your organization’s future GRC outcomes from past GRC data, using the data science platforms your organization may already have invested in, or quality open-source data science tools. When this happens, it opens a new array of opportunities for you and your management to visualize and predict negative future GRC outcomes and to make the necessary changes and fine-tuning now, steering the business in the right direction. This is a topic by itself; should you be interested, drop me a note and I will elaborate on it in another paper.
Back to GRC 1.2, where a modern, fully automated, standardized GRC function implementation can deliver all the benefits listed earlier in this article, along with savings in money, time and resources. In addition, it will certainly add maturity to the risk and compliance governance processes. The possibility of success increases many-fold with a well-defined, self-empowered GRC function custom-designed to address internal organizational cultural fault-lines. Hardly anyone can disagree with this. A mature GRC function, with its capabilities across horizontal business functions, can act like a dog herding the sheep. Through an empowered GRC function, its processes have the authority to govern the risk and compliance activities across horizontal business functions. A proactive GRC process means catching or anticipating future risk and compliance issues and challenges early in the business-process lifecycle and getting them addressed with the authority a GRC function should have. This makes the organization a well-oiled machine: quicker and easier accomplishment of the organizational mission and vision, with minimal waste of funds and resources, and organizational goals realized in a timely fashion. Is your GRC function designed to make your organization a well-oiled machine?
About The Author
Asad Syed is a graduate in Mathematics, Applied Mathematics and Statistics. His experience spans Security Architecture, Security Operations Management, Digital Investigations & Forensics, Crisis & Threat Simulation, GRC Management, Threat Hunting, Cybersecurity Emerging Trends & Threat Mitigation, Database Security, Identity & Access Management, and Identity Federation. His interests lie in applying newer technologies to enhance the output performance of the technologies he works with. He is a writer, teacher and cybersecurity evangelist who has worked for multiple Fortune 500 companies and currently provides cybersecurity consulting to the upstream operations of the oil and gas industry. Reach him via GRC at ASyed dot net. ■
References
[1] OCEG.ORG, GRC Capability Model Version 3.0, Version 3.0 ed., Chicago, IL : OCEG Red Books, 2022.
[2] C. F. Dheeraj Vaidya, “80–20 Rule,” WallStreet Mojo, [Online]. Available: https://www.wallstreetmojo.com/80-20-rule/. [Accessed 6 September 2022].
[3] PWC, “Get proactive about risk management,” 2022.
[4] RSA, “EMC Announces Definitive Agreement to Acquire RSA Security,” [Online]. Available: https://web.archive.org/web/20061020225636/http://www.rsasecurity.com/press_release.asp?doc_id=6983.
[5] W. Gardner, “EMC Acquires Archer Technologies,” Network Computing, 04 January 2010. [Online]. Available: https://www.networkcomputing.com/emc-acquires-archer-technologies. [Accessed 06 September 2022].
[6] Wikipedia, “RSA Security,” [Online]. Available: https://en.wikipedia.org/wiki/RSA_Security#:~:text=The%20RSA%20Archer%20GRC%20platform%20is%20software%20that,by%20Archer%20Technologies,%20which%20EMC%20acquired%20in%202010. [Accessed 06 September 2022].
[7] Dell Press Release, “Historic Dell and EMC Merger Complete; Forms World's Largest Privately Controlled Tech Company,” Dell, 07 September 2016. [Online]. Available: https://www.dell.com/en-us/dt/corporate/newsroom/announcements/2016/09/20160907-01.htm. [Accessed 06 September 2022].
[8] Wikipedia, “Dell EMC,” [Online]. Available: https://en.wikipedia.org/wiki/Dell_EMC. [Accessed 06 September 2022].
[9] R. Miller, “Dell sells RSA to consortium led by Symphony Technology Group for over $2B,” TechCrunch+, 18 February 2020. [Online]. Available: https://techcrunch.com/2020/02/18/dell-sells-rsa-to-consortium-led-by-symphony-technology-group-for-over-2b/. [Accessed 06 September 2022].
[10] RSA, “Security Starts with Identity,” RSA Security LLC, 2022. [Online]. Available: https://www.rsa.com.
[11] Archer, “Archer GRC Solution,” Archer, 06 September 2022. [Online]. Available: https://www.archerirm.com/content/grc. [Accessed 06 September 2022].
[12] RSA, “25+ Million Enterprise Identities,” [Online]. Available: https://www.rsa.com/. [Accessed 06 September 2022].
[13] SAP, “SAP Risk Management,” SAP, 06 September 2022. [Online]. Available: https://www.sap.com/products/financial-management/risk-management.html. [Accessed 06 September 2022].
[14] D. Partida, “Top Governance, Risk & Compliance (GRC) Tools of 2022,” CIO Insight, 13 December 2021. [Online]. Available: https://www.cioinsight.com/enterprise-apps/grc-tools/. [Accessed 06 September 2022].
[15] Gartner, “Paper no xxx on GRC products,” Gartner, 2021. [Online]. Available: https://www.gartner.com/en.
[16] A. Valente, “The Forrester Wave™: Governance, Risk, And Compliance Platforms, Q3 2021,” The Forrester Wave, 22 September 2021. [Online]. Available: https://reprints2.forrester.com/#/assets/2/1802/RES176196/report. [Accessed 06 September 2022].
[17] IBM, “IBM OpenPages with Watson,” IBM, [Online]. Available: https://www.ibm.com/products/openpages-with-watson. [Accessed 06 September 2022].
[18] riskonnect.com, “Risk Under One Roof,” riskonnect.com, [Online]. Available: https://riskonnect.com/. [Accessed 06 September 2022].
[19] SAI360, “The Leading ESG Cloud Platform Connecting GRC, EHS&S and Learning,” SAI360, [Online]. Available: https://www.sai360.com/. [Accessed 06 September 2022].
[20] ServiceNow, “GRC,” [Online]. Available: https://www.servicenow.com/products/governance-risk-and-compliance.html. [Accessed 16 September 2022].
[21] standardfusion, “Compliance & Risk Management,” [Online]. Available: https://www.standardfusion.com/. [Accessed 06 September 2022].
[22] G2.com, “Top Free GRC Platforms,” G2.com, [Online]. Available: https://www.g2.com/categories/grc-platforms/free. [Accessed 06 September 2022].
[23] “Best Free Governance, Risk & Compliance (GRC) Software,” Capterra, [Online]. Available: https://www.capterra.com/grc-software/s/free/. [Accessed 06 September 2022].
[24] eRamba.org, “Welcome to Open IT GRC,” eRamba, 14 August 2022. [Online]. Available: https://www.eramba.org/. [Accessed 06 September 2022].
[25] eRamba.org, “Community Download,” ERamba.org, 2022. [Online]. Available: https://www.eramba.org/community-downloads. [Accessed 06 September 2022].
[26] eRamba.org, “Try eRamba,” eRamba.org, 06 September 2022. [Online]. Available: https://www.eramba.org/online-demo. [Accessed 06 September 2022].
[27] Gartner, “Cool Vendors in Cyber and IT Risk Management,” Gartner, 1 October 2020. [Online]. Available: https://discussions.eramba.org/t/off-topic-gartner-named-eramba-2020-cool-vendor/1707/3. [Accessed 06 September 2022].
[28] Gartner, “Gartner 2021 — Magic Quadrant for IT Risk Management,” Gartner, 13 September 2021. [Online]. Available: https://discussions.eramba.org/t/gartner-2021-magic-quadrant-for-it-risk-management/1930. [Accessed 06 September 2022].
[29] eRamba.org, “eRamba Basic Video Training,” eRamba.org, [Online]. Available: https://www.eramba.org/documentation. [Accessed 06 September 2022].
[30] eRamba.org, “Welcome to Opensource GRC,” eRamba, 2022. [Online]. Available: https://www.opensourcegrc.org/. [Accessed 06 September 2022].
[31] Pluralsight Blog for Data Professionals, “4 levels of analytics you need for better decision making,” Pluralsight, [Online]. Available: https://www.pluralsight.com/blog/data-professional/data-informed-decisions#. [Accessed 06 September 2022].
[32] C. McCue, “Data Mining and Predictive Analysis,” ScienceDirect, p. 7.18 Tools of the Trade, 2007.
[33] PWC, “Get proactive about risk management,” 2022.