
As organizations today pay millions of dollars in fines and penalties and face resignations of key executives, most of these episodes lead them to say, “We did not know.”

“We did not know fully about the risks involved in storing the personal data without proper safeguards” or “We did not know we had unpatched vulnerabilities in the servers storing business critical information.”

As the risk and compliance world gets more complicated with globalization, digital transformation, and shared services models, the organization’s ability to respond to such issues in a cohesive and streamlined manner depends on a well-structured and scalable governance, risk, and compliance (GRC) program. This program should bring the risk, compliance, business, and audit executives to define and implement a common risk and compliance taxonomy within the organization. This taxonomy should underpin the business and IT policies, controls, and thresholds across business functions and help the senior management understand the overall organization risk and compliance posture.

A good risk and compliance program is based on the business realities and trends specific to the industry and focuses on key risks and regulations impacting the industry. It also involves re-thinking some of the organizational business practices, processes, organization structure, and is typically a big lesson in change management.

The first step in developing a governance, risk, and compliance program is to understand the purpose of the program and define the objectives and scope.

GRC explained

GRC includes organizing and designing a strategy based on the culture, architecture, technology, human factors, and the emergence of new processes which enable, support, and consider the emerging changes both internally and externally. The main objectives of information and cyber security GRC are effectiveness, efficiency, confidentiality, availability, and reliability. The business drivers influence the strategies. Choosing the standards framework is as critical as writing the policies which influence architecture, operations, and awareness within the organization.

For the purpose of this article, we will limit the scope to the information and cybersecurity program.

GRC Broken Down

GRC overlaps the areas of strategy management, business processes, policies and procedures, performance management, risk management, control activities, and audits.


Governance develops the strategies and evaluates them against the risk assessment, often updating them based on risks which were overlooked in the planning phase. It assists with building information security management systems by using reputable methods such as ISO, COBIT, NIST, and others. It incorporates setting goals, writing and implementing policies, regulations, and standards, and maintaining policy lifecycle management.


Risk management identifies and addresses risk (threats, vulnerabilities, and impacts) and considers the obstacles to achieving the goals identified under governance. Risks include possible violations of mandated regulations and standards. Risk management addresses these risks through developing processes, tools, and due diligence. Some of the action steps include risk assessment, risk scoring, risk monitoring and analysis, and risk mitigation.


Compliance ensures that established policies, regulations, and accepted standards are met. Part of compliance includes detecting areas of noncompliance and responding to correct the situation. Compliance encompasses meeting policy standards, rules, requirements, and regulations, and maintaining transparency. Some compliance tools include self-assessments, ensuring technical controls are implemented correctly and their metrics are evaluated, incorporating business process controls, and integrating compliance scores into the evaluation process.

GRC Processes


  • document processes
  • define document controls
  • assess the effectiveness of controls
  • remediate issues

Risk Management

  • identify and categorize risks
  • assess risks
  • mitigate risks
  • report on risk mitigation and remediation


  • define document controls
  • assess effectiveness of controls
  • remediate issues

Expected results

As businesses implement GRC, they can expect a better understanding of their risk and compliance postures and a prioritized set of issues which need to be mitigated to bring those postures up to acceptable levels. A well-established GRC program should enable them to orchestrate risk and compliance activities across functions; harmonize the set of IT and physical controls which must be complied with across functions, IT assets, and processes; and reduce the overall cost of incidents, penalties, and fines that can potentially cause business impact.

A mature GRC program also enables CRO, CCO, and CISO organizations to play a pro-active role in helping the business improve its risk-reward ratio and anticipate potential pitfalls in business strategies. A mature program enables top management to showcase the business resilience of the organization to shareholders and regulators alike, thereby strengthening the reputation and brand of the organization in the industry and ensuring they always know.


Dr. Michael C. Redmond & Vibhav Agarwal

Dr. Michael C. Redmond is a director for EFPR Group IT&GRC, External Consulting and Auditing. She consults and audits for clients internationally and is a recognized international consultant, auditor, speaker, author, and trainer. She may be contacted at [email protected] or 1-800-546-7566. Vibhav Agarwal is an associate vice president, cyber initiative at MetricStream. Agarwal is responsible for MetricStream’s overall solution selling and marketing efforts for cyber risk, compliance, and governance solutions worldwide.
