The Critical Role of GRC in Security and Mitigation

Protecting the bottom line is essential for all businesses. An effective Governance, Risk and Compliance strategy is key to ensuring that operations, including revenue flows, are secured, protected and maintainable during an incident.

Businesses have one primary goal: to make money for their owners. In its basic form this means selling products and services for more than they cost to make/provide, market, sell and support.

There are constraints around how we achieve the goal of making money, of course. We have to obey laws and other regulations, defend ourselves against criminal behavior and protect the safety of our people and our ability to do business. Governance, Risk (specifically the management of risk) and Compliance – GRC – exists to help us make an effective trade-off between generating profits and running the business in line with rules, regulations and good practice.

Let us start with a few definitions. Risk management identifies the risks faced by the organization, which come in numerous forms (physical, environmental, legal, security, financial, reputational, … the list goes on). Governance is all about having internal policies and measuring how they are followed, while Compliance focuses on how the business aligns with external rules – overarching laws and industry-specific regulations. If you are thinking at this point that there is significant overlap between these three areas, then you would be correct.

Feeling the Impact of GRC

GRC’s existence adds some necessary friction to business operations: there is no such thing as a GRC regime that has zero negative impact on productivity or budget. The upside, though, is that GRC’s primary result is to make the business sustainable: massive short-term profits are fine in principle but not if offset by, say, a medium-term fine for data protection offences or a prison term for the CEO for fraudulent behavior. It is clear, then, that GRC most definitely has its place in a business, but there are key things to bear in mind.

First, GRC is not a one-size-fits-all concept. The extent of the governance, risk management and compliance regimes in any business will depend on the size and complexity of the business and the market in which it operates. Banking and medicine sit at the most complex end of the compliance spectrum, for example, because the industries are so heavily regulated. Shipping and logistics can be complex in the context of governance, particularly when operating internationally, because of the laws around crossing borders with vehicles and cargo. Also, no two businesses or industries have identical risk profiles: so an investment manager would have a strong focus on financial risk, for instance, while a retailer might be more inclined toward reputational risk.

Next, GRC is not a binary concept. Take compliance, for example: while some legislation is clear and unambiguous, the courts around the world would be far less occupied if most laws didn’t have so much room for debate and disagreement. Likewise, risk: in most cases risk management is about identifying risks and assessing them to figure out the level of risk that is acceptable – and that level is usually more than zero. In a governance sense, no matter how many policies and other controls you implement internally, there is usually a mechanism to allow exceptions (temporary or permanent) so long as they’re justified and that justification finds the approval of the relevant committee or senior manager.

Third, and as we alluded to earlier, the G, R and C are not mutually exclusive. This is particularly true for governance: you can’t write policies, procedures and standards without first having a motivation to do so. A policy must have value, and the main way to do that is for the policy to help you mitigate a risk – which means before you start writing, you need to identify and assess the risks the organization is facing. And when it comes to compliance and risk overlapping … well, while the compliance team are focused on what laws and regulations apply to the organization, the risk team use the same information because they’re interested in what could happen if the company doesn’t comply with those laws and regulations.

To this point, let us now consider where the GRC functions sit in the organization – and where cybersecurity sits relative to them. There is no “right” place, in fact, because it depends on the structure of the company and, to an extent, the personalities in senior management. This should be no surprise, because that has always been the case with cybersecurity teams: for example, as a CISO this correspondent presently reports to the CTO, but in his previous role it was the CIO and before that the CFO – and we even know of one instance where the CIO and the CISO are equals and both report into the head of risk. Should governance and compliance be the same team? Sure, why not, if it works for your company. Should both come under risk? Again, there’s nothing that says not.

Effective Reporting Paths

However, why did we mention senior management personalities? Simple: conflict of interest. Many of you reading this will have come across instances of GRC or cybersecurity being overruled, or at least having reports toned down, because they report into the function whose behavior they are measuring and reporting upon. It is therefore common to have GRC and cybersecurity reporting into a non-partisan function within the business, simply because it gives them a reporting path with no risk of being wrongly overruled. If you are thinking that any company in which this happens has a problem, you would be correct – but “should not happen” is different from “does not happen”.

Finally, let us look at a common failing of GRC – or, more accurately, a common failing in companies’ attitudes to GRC. Go back to the first sentence of this article: “Businesses have one primary goal: to make money for their owners”. GRC exists to help the organization find a sweet spot between generating profits and doing so within the rules, guidelines and laws. It does not do this in isolation, and nor should it be a blatant preventer of revenue generation. The risk team identifies and assesses risks, and then works with senior management (usually via a risk committee of some sort) to establish the business’s appetite for risk (which, if you recall, we said earlier was non-zero) and then writes the controls accordingly. The governance team oversees and audits the people around the business to establish whether they are complying with the controls correctly, and reports to senior management if issues arise. If the compliance team sees behavior that is contrary to a law or a regulation, they don’t pick up the phone and call the police or regulator – they escalate it to senior management. I once received some wise words from a risk manager when I consulted him about an audit report I had received from the governance team and asked his advice about what I called an “audit requirement” – a deficiency the audit team had found. “There is no such thing as an audit requirement, only an audit finding”, he said, pointing out that the audit and compliance functions do not make the rules (requirements), they are there to measure adherence to the rules made by senior management and to identify (find) areas that need improvement.

GRC, then, is an essential function in all but the smallest, simplest organizations. Where it sits in the organization is not set in stone, and the precise make-up and balance of risk, governance and compliance staff is defined on a case-by-case basis. But while the GRC function establishes risks and devises controls, it does so with reference to senior management, because it is senior management that runs the company.