
As organizations today pay millions of dollars in fines and penalties and see key executives resign, most of these episodes end with the same statement: “We did not know.”

“We did not know the full extent of the risk in storing personal data without proper safeguards,” or “We did not know we had unpatched vulnerabilities on the servers storing business-critical information.”

As the risk and compliance world gets more complicated with globalization, digital transformation, and shared-services models, an organization’s ability to respond to such issues in a cohesive and streamlined manner depends on a well-structured and scalable governance, risk, and compliance (GRC) program. This program should bring together the risk, compliance, business, and audit executives to define and implement a common risk and compliance taxonomy within the organization. That taxonomy should underpin the business and IT policies, controls, and thresholds across business functions and help senior management understand the organization’s overall risk and compliance posture.

A good risk and compliance program is grounded in the business realities and trends specific to the industry and focuses on the key risks and regulations affecting it. It also involves re-thinking some of the organization’s business practices, processes, and structure, and is typically a big lesson in change management.

The first step in developing a governance, risk, and compliance program is to understand the purpose of the program and define the objectives and scope.

GRC explained

GRC includes organizing and designing a strategy based on the culture, architecture, technology, and human factors of the organization, and on the emergence of new processes that support and take into account changes both internal and external. The main objectives of an information and cyber security GRC program are effectiveness, efficiency, confidentiality, integrity, availability, and reliability. The business drivers shape the strategies. Choosing the standards framework is as critical as writing the policies, which in turn influence architecture, operations, and awareness within the organization.

For the purpose of this article, we will limit the scope to the information and cybersecurity program.

GRC Broken Down

GRC overlaps the areas of strategy management, business processes, policies and procedures, performance management, risk management, control activities, and audit.

Governance

Governance develops the strategies and evaluates them against the risk assessment, often updating them based on risks that were overlooked in the planning phase. It supports building an information security management system using reputable methods such as ISO, COBIT, NIST, and others. It incorporates setting goals, writing and implementing policies, regulations, and standards, and maintaining policy lifecycle management.

Risk

Risk management identifies and addresses risk (threats, vulnerabilities, and impacts) and considers the obstacles to achieving the goals identified under governance. Risks include possible violations of mandated regulations and standards. Risk management addresses risk through processes, tools, and due diligence. Typical action steps include risk assessment, risk scoring, risk monitoring and analysis, and risk mitigation.

Compliance

Compliance ensures that established policies, regulations, and accepted standards are met. Part of compliance is detecting areas of noncompliance and responding to correct them. Compliance encompasses meeting policy standards, rules, requirements, and regulations, and maintaining transparency. Compliance tools include self-assessments, verifying that technical controls are implemented correctly and that their metrics are evaluated, incorporating business process controls, and integrating compliance scores into the evaluation process.

GRC Processes

Governance

  • document processes
  • define and document controls
  • assess the effectiveness of controls
  • remediate issues

Risk Management

  • identify and categorize risks
  • assess risks
  • mitigate risks
  • report on risk mitigation and remediation

Compliance

  • define and document controls
  • assess the effectiveness of controls
  • remediate issues

Expected results

As businesses implement GRC, they can expect a better understanding of their risk and compliance postures and a prioritized set of issues that must be mitigated to bring those postures up to acceptable levels. A well-established GRC program enables them to orchestrate risk and compliance activities across functions; harmonize the set of IT and physical controls that must be complied with across functions, IT assets, and processes; and reduce the overall cost of incidents, penalties, and fines that can potentially cause business impact.

A mature GRC program also enables the CRO, CCO, and CISO organizations to play a proactive role in helping the business improve its risk-reward ratio and anticipate potential pitfalls in business strategies. It enables top management to demonstrate the organization’s business resilience to shareholders and regulators alike, thereby strengthening the organization’s reputation and brand in the industry, and it ensures they always know.


ABOUT THE AUTHOR

Dr. Michael C. Redmond & Vibhav Agarwal

Dr. Michael C. Redmond is a director for EFPR Group IT&GRC, External Consulting and Auditing. She consults and audits for clients internationally and is a recognized international consultant, auditor, speaker, author, and trainer. She may be contacted at [email protected] or 1-800-546-7566. Vibhav Agarwal is an associate vice president, cyber initiative at MetricStream. Agarwal is responsible for MetricStream’s overall solution selling and marketing efforts for cyber risk, compliance, and governance solutions worldwide.
