How a SMART GRC function enhances your department’s value within the enterprise

Practical steps for enabling your GRC function and evolving it into a SMART one.

1. GRC Manifestation Leading to Agile Enterprise

As you may be aware, GRC stands for Governance, Risk and Compliance. The term was first introduced by OCEG (Open Compliance and Ethics Group) around 2003 to describe an organization’s internal collection of capabilities that lets it reliably achieve the business objectives set by the board and executive management. The GRC function accomplishes this by addressing uncertainty in the working environment through its three component processes and binding them together with integrity; the three areas are Governance over Risk and Compliance activities. The GRC idea matured over time, and OCEG first published its GRC Capability Model in the 2005 OCEG Red Book. Since then this standard practice has gone through multiple revisions with the involvement of hundreds of OCEG community members and organizations and key risk and governance professionals. As of 2023, the current well-established model is Revision 3.5 of the OCEG Red Book [1].

2. The Risk Part of GRC Function

The “R” in GRC deals with the risks associated with the operations of an organizational department or venture. Every activity a department or business vertical performs carries risk, and the GRC role is to identify risk in every facet of the organization’s workings. A GRC “Risk Assessment” (RA) may concern the deployment of a new server or service, where the risk sits within the delivery of Information Technology, or it may evaluate an entirely non-IT function, such as the pressure-rating calculation for a drill-pipe failure or the organization venturing into a new product or service for business expansion. Every new facet of business (I would add even personal life) should go through a systematic risk assessment process, and your organization’s GRC function can help you accomplish this through the RA process. The RA findings highlight the unacceptable risks according to a defined framework. Multiple risk frameworks exist, for example the NIST Risk Management Framework (RMF) [2], and an organization may customize an external framework for internal use. One advantage of using a defined framework is repeatability: the outcome of a risk assessment should be the same no matter who performs it. The RA outcome provides the proponent with a risk report and a risk remediation plan designed to bring the risk down to an acceptable residual level. Not only new but also existing projects, ventures, systems, and services need periodic risk assessment, because external environmental factors keep changing and adding to the risks.

Your organization’s GRC function can be your partner in providing a risk assessment, helping you understand the non-acceptable risks within your function and why they are non-acceptable. GRC can also help you understand how those risks could be mitigated through deployment of suitable security controls, process modifications, or other risk-reducing strategies. In addition, the GRC function will follow up with your department until the identified risks are successfully mitigated, and will highlight any missed targets to your management.

3. The Compliance Part of GRC Function

The “C” in GRC is Compliance, the act of conforming to established and published organizational policies, standards, and procedures. Compliance is usually of two types, corporate and regulatory. Corporate compliance deals specifically with conformance to organizational policies and standards, which may relate to Information Technology, Information Security, or the business itself. Regulatory compliance comes from external authorities through local, regional, national, or international laws and regulations, for example PCI DSS (Payment Card Industry Data Security Standard), the EU GDPR (General Data Protection Regulation), the US HIPAA (Health Insurance Portability and Accountability Act of 1996), and others.

Organizational policies and standards usually incorporate the local, regional, national, and international laws and regulations of the locations where the enterprise does business. An external or internal authority performs audits to identify non-compliance with corporate policies and standards and with regulations. The outcome of the audit process is a set of Audit Findings, which highlight non-compliance with each policy, standard, or regulation that was in the audit’s scope. Similarly, “Compliance Assessments” (CA) are at times performed by the internal compliance team, usually before a system, service, unit, or venture starts to operate. The CA scope is bound to the specific system, entity, or operations being assessed. Compliance Assessments may also investigate the reputational, regulatory, and legal consequences of non-compliance for the functions or entities in scope. Audit or compliance findings, a.k.a. “non-compliance items”, are followed up by GRC until all identified items are resolved and closed.

4. The Governance Part of GRC Function

The “G” in GRC is the Governance function that manages the risk and compliance activities. A fully empowered GRC function must have the teeth to deliver the “G” as real governance. Three points are important for the proper functioning of the governance capability: (a) full backing from the board and top management, (b) a GRC budget and organizational reporting hierarchy that are independent of Information Technology and Information Security [3], and (c) the right amount of workforce, with the specific skill sets needed, staffing the GRC function to enable the business.

5. Conceptual Comprehension of GRC Function’s Capability Model

The GRC Capability Model establishes a core standard for managing, predicting, and detecting deviations in the organization’s key processes, those tied to accomplishing its mission and vision, whether the deviation comes from mismanagement, from a risk that should have been identified early, or from non-compliance with prescribed policies, standards, and procedures. The right mixture of the three sub-function processes, Governance, Risk and Compliance, performed continuously and repeatedly, identifies breakaway processes, procedural deviations, and out-of-bounds risks early in a process lifecycle. That gives management a chance to bring risky situations and behaviors, and non-compliant processes, back into compliance in a timely fashion, before they start to hurt the business.

Because the GRC process repeats continuously, it is best visualized as a sheep-herding dog, whose job is to bring any sheep that breaks the norm by venturing outside the comfort of the flock back into it. Imagine humans herding a large flock without herding dogs, and the difficulty becomes obvious. GRC categorically does the work of the herding dog: its processes bring the risky and non-compliant functions within the business in front of stakeholders, management, and the board in a timely fashion, giving them a chance to govern those out-of-bound processes, return them to acceptable norms, and refocus the business on accomplishing its mission and vision.

6. What makes an empowered GRC Function a business enabler?

An empowered GRC function is a business enabler. A properly defined, fully implemented GRC function helps your organization realize multiple benefits. The top ten are listed below in no order of importance. In the spirit of the Pareto Principle [4], 80% of readers, practicing GRC professionals, and management will agree that these are the values their organizations get from their GRC function, though they may prioritize them somewhat differently.

1. Saves revenue by reducing non-compliance costs and fines from external regulators.

2. Reduces the execution time and cost of meeting regulatory requirements through automation and streamlined business practices and procedures, which in turn adds to the revenue savings above.

3. Makes the enterprise agile enough to re-prioritize at the last minute without running into non-compliance challenges or exposing the business to higher risk.

4. Reforms the enterprise into an “enabler environment” with corporate-wide enforcement of uniform compliance and risk-mitigation processes.

5. Improves overall strategic decision-making by giving decision makers quality information at the right time.

6. Enforces local, state, federal, and any industry-specific regulations governing special business verticals.

7. Enables business units to independently excel at closing non-compliance findings and mitigating risks, which positively enables the enterprise mission and vision.

8. Increases workforce risk and compliance awareness through GRC-enabled enterprise processes.

9. Boosts customer and shareholder confidence by making the enterprise a compliant corporate citizen. This protects it from a non-compliance image that competitors could use in their marketing, which in turn increases customer trust and enhances shareholder value.

10. Promotes a unified internal standard for communicating non-compliance and remedial actions across the enterprise without ambiguity.

11. A bonus eleventh value-add, should you need one: a well-defined, automated, and streamlined GRC workflow increases the efficiency of enterprise data search, both backward in time and for forward projections, by applying data science and AI modeling to the historical GRC data. This will:

a. Provide faster data search during audit-trail functions,

b. Improve data reliability by reducing manual process errors,

c. Enhance the integrity of collected GRC data, and

d. Enable enterprise Industry 4.0 (IR4) capabilities.

All of these in turn add to the quality of decision-making, leading to faster accomplishment of the enterprise mission and vision.

7. Realized value-add of GRC Function

A well-oiled GRC function enables an organization to accomplish its mission and vision within a controlled risk environment. Take a real-life example. The April 20, 2010 explosion of the Deepwater Horizon drilling rig, about 64 km southeast of the Louisiana coast in the Gulf of Mexico, led to an offshore oil spill that is considered the largest accidental marine oil spill in the world and the largest environmental disaster in United States history [6] [7]. Transocean owned and operated the rig under contract to BP, the well operator. The total cumulative cost of the disaster is estimated at around US $65B according to Reuters [8]. Eleven workers died and seventeen were injured, leading to court-ordered settlement payouts of around $8M for the dead [9]. The environmental damage settlement was upwards of $20.8B [10]. Other damages include the complete loss of the mobile offshore drilling unit and the bankruptcy of a consulting company working for BP, plus the lost revenue from the well, asset loss, reputational damage to the companies involved, and more.

This was not a natural disaster, so it could have been averted had BP had a functioning, executive-management-backed GRC operation able to identify the risk in a timely fashion. Maintaining such a GRC function within that operation at one tenth of one percent of the estimated US $65B price tag per year would have been cheap by comparison. The costs and short-term inconveniences of a GRC function are perceived as roadblocks; in the hindsight of a disaster, its actual value is easy to see, as is the lesson that cutting corners to save some funds here and there is not strategically critical to long-term success. Avoiding business losses by averting a man-made disaster, whether of this magnitude or smaller, is what this rig explosion and many other disasters teach us.

8. GRC Function Setup and Rollout

One criterion for success under constraints is to perform the minimum set of critical functions well, and a well-defined GRC function helps you manage those critical functions with higher efficiency in restricted circumstances. Multiple GRC automation tools exist today, both paid and open source. The paid tools are extremely good at what they bring to the table; nonetheless, when you weigh a paid tool against an open-source one, the real scale of value emerges from how much discretionary budget you have for a GRC automation tool, let alone the other costs of creating or maintaining a GRC function, including FTEs, FTE training, consulting, and more. Both paid and open-source tools can automate your GRC processes and give management real-time risk and compliance reporting and monitoring visibility across business domains. Properly configured, these tools highlight run-away processes and functions, give top management a bird’s-eye view with the ability to drill down into the GRC data when required, point out trends that may result in missed timelines, focus attention on the time remaining to target completion dates (TCD), and make hidden risks and compliance challenges more apparent and easier to understand, absorb, and react to.

The main drawback of paid tools is the budget they require; paid licensing may not be affordable for small to medium-sized companies, and this is where open-source GRC tools bring relief. Add a little creativity and the capabilities of a modern spreadsheet to the GRC function’s output, and you can build automated workflows, schedulers, reports, graphs, trends, infographics, data visualizations, callouts, and more to help executive management visualize the health of the different verticals within the organization.

9. Evolving to a SMART GRC Function

GRC-enhancing technologies applied to a GRC function lead to a SMART GRC process. A GRC function becomes SMART when its processes are:

Specific (Design your GRC Processes specific to your Business & Infrastructure needs).

Measurable (design your GRC processes to measure your infrastructure health and fine-tune them by raising the standard one notch at a time).

Auditable (Design your Infrastructure to pass Audits by design).

Risk Aware (Design your Infrastructure to be Risk Aware from the Gate / Inception).

Timely (Design your GRC Processes to address Infrastructure Health in a timely fashion).

When the SMART criteria are applied to GRC processes, the GRC function in turn adds value to the business areas that consume it, making it an enabler of business goals for those departments and business areas. The word “enabling” has a positive connotation in the business world for the perceived value it brings to the table.

Another avenue for taking a GRC function to the next level is the Data Science (DS) technology that many organizations have already invested in. Machine Learning (ML), Deep Learning (DL), and Artificial Intelligence (AI) for Predictive Analytics [11] [12] can produce forecasts from the organization’s historical GRC data. The ability to predict future GRC outcomes from past GRC data opens new opportunities for you and your management to foresee negative outcomes and make the necessary changes and fine-tuning now, steering the business in the right direction. Moving toward a SMART GRC function in this way enables and draws the business toward future innovation.
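The timeline checks described under GRC tooling (highlighting run-away items and the time remaining to target completion dates) and the forward projection from historical GRC data described above can both be shown on a small finding register. The script below is an added example and is not code from the article or from any GRC product: the finding identifiers, business units, dates, and month-end counts are constructed sample data, "today" is pinned so the run is reproducible, and the projection uses an ordinary least-squares line as a plain stand-in for the ML/DL predictive analytics the text mentions.

```python
"""Added example: a small GRC finding register with timeline and trend checks.

Everything below (finding IDs, business units, dates, monthly counts) is
constructed sample data for illustration; it is not taken from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Finding:
    fid: str                        # finding identifier (hypothetical)
    unit: str                       # business unit that owns the remediation
    opened: date                    # date the finding was raised
    tcd: date                       # target completion date agreed with the proponent
    closed: Optional[date] = None   # None while the finding is still open

    @property
    def is_open(self) -> bool:
        return self.closed is None


# Constructed register: two closed findings give a closure-time baseline;
# the open ones exercise each at-risk condition plus two that are on track.
REGISTER: List[Finding] = [
    Finding("F-001", "IT",       date(2023, 1, 10), date(2023, 3, 31), date(2023, 3, 20)),
    Finding("F-002", "IT",       date(2023, 2, 1),  date(2023, 4, 30), date(2023, 5, 15)),
    Finding("F-003", "Drilling", date(2023, 2, 15), date(2023, 6, 30)),
    Finding("F-004", "Finance",  date(2023, 3, 1),  date(2023, 5, 20)),
    Finding("F-005", "Drilling", date(2023, 3, 20), date(2023, 9, 30)),
    Finding("F-006", "Finance",  date(2023, 4, 1),  date(2023, 6, 10)),
    Finding("F-007", "IT",       date(2023, 5, 20), date(2023, 6, 30)),
]
TODAY = date(2023, 5, 25)   # fixed "today" so the example is reproducible


def mean_days_to_close(findings: List[Finding]) -> float:
    """Average opened-to-closed time over closed findings; the baseline for projections."""
    closed = [f for f in findings if not f.is_open]
    if not closed:
        return 0.0
    return sum((f.closed - f.opened).days for f in closed) / len(closed)


def at_risk(findings: List[Finding], today: date, warn_days: int = 30) -> List[Tuple[str, int, str]]:
    """Return (fid, days_to_tcd, reason) for open findings likely to miss their TCD.

    Checked in order: already overdue; due inside the warning window; or, using the
    historical mean closure time, projected to close after the TCD even though the
    warning window has not been reached yet. Sorted most urgent first.
    """
    baseline = timedelta(days=mean_days_to_close(findings))
    flagged = []
    for f in findings:
        if not f.is_open:
            continue
        remaining = (f.tcd - today).days
        if remaining < 0:
            flagged.append((f.fid, remaining, "overdue"))
        elif remaining <= warn_days:
            flagged.append((f.fid, remaining, f"due within {warn_days} days"))
        elif f.opened + baseline > f.tcd:
            flagged.append((f.fid, remaining, "projected late"))
    return sorted(flagged, key=lambda row: row[1])


def open_by_unit(findings: List[Finding]) -> dict:
    """Bird's-eye view for management: count of open findings per business unit."""
    counts: dict = {}
    for f in findings:
        if f.is_open:
            counts[f.unit] = counts.get(f.unit, 0) + 1
    return counts


# Constructed month-end counts of open findings, oldest first.
OPEN_HISTORY = [10, 13, 14, 16, 19, 21]


def linear_trend(history: List[float]) -> Tuple[float, float]:
    """Ordinary least-squares line through (month_index, count); returns (slope, intercept)."""
    n = len(history)
    if n < 2:                       # a single point has no trend
        return 0.0, (history[0] if history else 0.0)
    xs = range(n)
    x_mean = sum(xs) / n
    y_mean = sum(history) / n
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, history))
    sxx = sum((x - x_mean) ** 2 for x in xs)
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def project_open_count(history: List[float], months_ahead: int) -> float:
    """Extrapolate the fitted line months_ahead beyond the last observed month."""
    slope, intercept = linear_trend(history)
    return intercept + slope * (len(history) - 1 + months_ahead)


if __name__ == "__main__":
    print("Mean days to close:", mean_days_to_close(REGISTER))
    for fid, days, reason in at_risk(REGISTER, TODAY):
        print(f"{fid}: {days:4d} days to TCD  ({reason})")
    print("Open findings by unit:", open_by_unit(REGISTER))
    print("Projected open findings in 3 months:", round(project_open_count(OPEN_HISTORY, 3), 1))
```

With the constructed data the register reports F-004 as overdue, F-006 as due within the 30-day window, and F-007 as projected late because the 86-day mean closure time runs past its TCD, while F-003 and F-005 stay unflagged. The point of the "projected late" check is that it fires before the warning window does, which is the early signal a GRC follow-up process needs; a real deployment would replace the mean with a per-unit or per-severity baseline and the straight-line projection with whatever model the organization's data science team already maintains.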

10. GRC Function’s Global Statistics

Listed here are researched GRC statistics that executive management can use to compare how their own GRC function stands against those of established organizations across the world. The statistics referenced here come from prominent research organizations; the citations are Quantivate [13] and the Ponemon Institute and CyberGRX [14]. A quick Internet reference can also be found at secureframe.com.

Top 10 GRC Function Statistics from across the world.

11. Summary & Conclusion

Organizations have always governed their risks and managed their compliance requirements where necessary. The key is to do so effectively and efficiently across business functions: seeing your organization’s policies, standards, and processes uniformly enforced, calculated risks undertaken, and all applicable national and international regulations followed. The question management wants answered is how best to accomplish this and at what price. With a SMART GRC function, a mix of qualified GRC people, the right GRC tools and GRC-enhancing technologies, and a well-balanced, well-defined organization-wide GRC structure and set of processes, you can produce the desired results at a reasonable cost.

An enhanced SMART GRC function (GRC 2.0), a modern, fully automated, standardized GRC implementation that uses data science for predictive analytics, can deliver all the benefits listed earlier in this article along with savings in money, time, and resources, and it will certainly add maturity to the risk and compliance governance processes. The likelihood of success increases many-fold with a well-defined, empowered GRC function custom-designed to address the organization’s internal cultural fault-lines.

Hardly anyone can disagree with this. A mature GRC function, with capabilities spanning horizontal business functions, acts like the dog herding the sheep: through an empowered GRC function, its processes have the authority to govern risk and compliance activities across those functions. A proactive GRC process catches or anticipates future risk and compliance issues early in the business-process lifecycle and gets them addressed with the authority a GRC function must have, making the organization a well-oiled machine that accomplishes its mission and vision more quickly and easily, with minimal waste of funds and resources and goals realized on time. Is your GRC function designed to make your organization a well-oiled machine?

12. About the Author

Asad Syed is a graduate of Mathematics, Applied Mathematics and Statistics. His experience spans Security Architecture, Security Operations Management, Digital Investigations & Forensics, Crisis & Threat Simulation, GRC Management, Threat Hunting, Cybersecurity Emerging Trends & Threat Mitigation, Database Security, Identity & Access Management, and Identity Federation. His interests are in the application of newer technologies to enhance the output performance of the technologies he is working with. He is a writer, teacher, and cybersecurity evangelist who has worked for multiple Fortune 500 companies and currently provides cybersecurity consulting to the upstream operations of the oil and gas industry. Reach him via GRC at ASyed dot net. ■

