value insights

GRC process investment helps boost risk management strategies- Valutrics

Rich Licato, CISO at technology solutions company Airlines Reporting, has brought the company’s IT-related governance, risk and compliance efforts to new levels over the past several years.

He implemented software to manage the GRC discipline, opting for the full suite of functions offered by software vendor Modulo to replace spreadsheets. And he created a risk analyst position dedicated to the GRC program.

Such investments are critical to keep pace with digital business, expanded compliance regulations and increased risk, Licato said.

“Everything you do around GRC is about visibility. It gives you visibility into your operations and risk and allows you to identify issues quicker and react faster,” he said.

Organizations of all kinds have gotten the message that IT security is a priority. As a result, companies, nonprofits and government entities have been beefing up their defenses against cyberattacks and data breaches.

But that’s only part of what’s needed. Organizational leaders need to manage their efforts under the umbrella of an IT governance, risk and compliance process. Just as the GRC process works in other organizational areas like finance and legal, IT GRC pulls together the critical elements essential to understanding an organization’s technology-related risks, the tolerance for those risks and how they are managed.

“This function is meant to be more strategic and forward-looking to help manage the IT risk within a company,” said John Wheeler, research director at Gartner.

Financial services firms generally have the most established GRC functions, with the maturity driven by the large number of regulations in that industry, according to Wheeler and other consultants.

Companies in other industries are at varying levels of GRC program maturity, with many still operating in a siloed fashion. Experts say many companies still focus on complying with data security regulations or minimizing security vulnerabilities, but don’t have an overarching understanding of how the pieces fit together for their organization’s risk tolerance.

 “A well-formed discipline focuses in on three dimensions of risk management: the framework, metrics and the technology to enable a strong IT GRC program,” Wheeler said. “You have to make an investment in all three dimensions and it has to be an ongoing investment.”

Organizations getting value from their GRC program have invested in several key elements, said Kennet Westby, president and co-founder of the cybersecurity advisory and assessment services firm Coalfire.

“It’s having a process in place and developing a roadmap, and being able to validate that they’re compliant with laws and their own policies,” Westby said. It’s the same approach boards and executives take to manage other areas of risk, he added.

Leading organizations all have GRC on the board’s radar, and have assigned GRC reporting and ownership duties, he said. These organizations also understand their whole risk profile by having assessed their risks, the impacts of those risks, and their ability to manage those risks. They understand the correlation between those risks and their tolerance of them, and use that understanding to shape cybersecurity investments and priorities.

Kelly Bissell, global managing director at Accenture Security, said organizations must invest the time required to establish and maintain a GRC framework. They must also invest dollars for the applications specifically designed to support a robust GRC process by bringing the various elements together in one view to allow all stakeholders to see it in one software solution.

As companies mature this function, they also should be investing in processes that roll all their risk management functions together under the umbrella of enterprise governance, risk and compliance function, Bissell said.

The GRC program will increasingly prove its worth as companies embark on digital transformation initiatives because it allows businesses to see risks as they arise, Bissell said. Consider, for instance, a department that launches a mobile app for customers that may expand existing risks or even introduce new risks to the organization. A robust risk management process allows executives to react quickly to those risks, and accurately determine what steps are needed to mitigate them.

“If they have a good GRC function, they can more easily adapt to change,” Bissell said.

Risk management software varies in cost, based on the size and complexity of the organization and its risk profile. Implementations for large, complex organizations cost in the millions but run most organizations between $100,000 and $250,000 in upfront costs, Wheeler said. Cloud options generally cost $50,000 to $100,000 for an annual subscription, he added.

But investments are hardly one and done, experts said. And beyond maintaining the software, companies also need to consider staffing as their GRC process evolves, Licato said.

“[Companies] initially think this work can be absorbed into the organization without any dedicated resources, but the process requires care and feeding, and a staff position ensures that the care and feeding of the process happens,” he said.

Organizations also need to review and adjust their investments, including staff resources, as their business evolves and as new reporting and compliance requirements come into effect, Licato added.

“All those pieces drive how much I should be dedicating to this,” he said. “That does end up driving my budget response. I can’t just do it casually. I can’t just try to absorb it. I have to dedicate my resources to it, whether it’s more time or dollars for software.”