GRC Management: Best Practices Framework for More Effective Governance, Risk, and Compliance Management
Introduction to GRC Management
The Executive Board of any large enterprise wants to know that the organization is appropriately protected against potential risk. The ultimate objective of risk management is to define and understand the risk tolerances of the enterprise and manage to those tolerances, optimizing the risk/return of the business. In addition, increased accountability and transparency is being demanded of corporate executives and boards of directors from both customers and regulatory agencies. Renewed enforcement and enhancements of regulatory requirements are becoming more evident and the costs associated with compliance are increasing significantly. This is occurring at the same time that resources are being stretched thin, if not altogether eliminated.
It has been estimated that spending on Governance, Risk & Compliance (GRC) exceeded $32 billion in 2008. Budget priorities are becoming more focused on enterprise and operational risk management. As enterprises continue to spend time, money and resources on GRC, finding effective and economically sound ways to identify and manage the processes and procedures implicit in GRC is an enterprise imperative.
GRC is not just one particular subject, discipline or endeavor. It is the attempt to develop a unified approach to interrelated tasks and events within an enterprise, including among other things:
- Risk management
- Policy management
- Compliance management
- Business continuity management
- Asset management
- Audit management
- Threat management
- Incident/event management
- Vendor management
Many organizations either lack formalized GRC programs or their GRC programs are not well developed or mature. C-level executives, Chief Information Security Officers, Chief Information Officers, and Chief Risk Officers struggle to link risk management efforts in information security, privacy, business continuity, and compliance to the value they provide at line-of-business and executive levels. According to leading experts, few companies have created this linkage. The guidance contained in this white paper can get you started in solving this challenge at your organization.
GRC Management: Operational Risk
To be effective in managing governance, risk, and compliance, an enterprise must be able to define and understand acceptable risk tolerances, manage those tolerances, and optimize or find value in risk avoidance. Operational risk is a key aspect of GRC.
Operational risk is the risk of direct or indirect loss resulting from inadequate or failed internal processes, people, and technology, or from external events. Operational risk does not include credit risk or market risk, which are the other legs of a complete Enterprise Risk Management Program. Managing a large enterprise without a GRC system in place is like managing an enterprise without standards-based accounting and financial processes.
GRC Management: An Effective GRC Model
A number of components are required to build an effective GRC model, including:
- Identification and Classification of risks
- Determining who owns the risk
- Key concepts of Enterprise Risk Management (ERM) and its frameworks
- Regulatory environment (global, current and proposed legislation)
- Integrated approaches to governance, risk and compliance
- Operational risk management
GRC Management: Measuring Process Maturity
A model like the Capability Maturity Model Integration (CMMI) can be used to measure your process maturity in the GRC area, and to guide process improvements across projects, business units, and entire enterprises. The model provides guidance and a reference point for assessing current processes. In the context of the model, process improvement evolves through five levels (1-5), known as maturity levels:
- Initial Process
- Managed Process
- Defined Process
- Quantitatively Managed Process
- Optimizing Process
It is important to note that the target maturity level for an organization’s GRC processes will vary, depending on factors such as industry and organization size. Level 1 organizations often produce products and services that work; however, they frequently exceed their operational budgets and tend to have an ad hoc approach to managing operational risk. Level 5 organizations focus on continually improving process performance through both incremental and innovative technological improvements. Quantitative process-improvement objectives for the organization are established, are continually revised to reflect changing business objectives, and are used as criteria in managing operational risk process improvement. The ideal state for a moderately regulated organization might be level 3. The level 3 organization is proactive; its processes are well characterized and understood, and are described in standards, procedures, tools, and methods.
From a governance (G) perspective, the level 3 organization is proactive in operational risk focus and process definition. From a risk (R) perspective, the level 3 organization is proactive in achieving the goal of risk management: assessment, decision analysis and remediation. From a compliance (C) perspective, the level 3 organization is proactive in achieving the goal of identifying and meeting regulatory obligations.
GRC Management: The Role of Controls
Controls are used to manage identified risks. Controls can be a process, procedure, rule, objective or tool, or some combination of these. Identifying and implementing sustainable controls for your organization depends on a number of factors: industry sector, regulatory obligations, culture, organizational structure, dependence on IT (and whether IT is insourced or outsourced), and senior management commitment.
There are a variety of sources available to aid in defining appropriate controls. Standards such as ISO/IEC 27002:2005 Code of Practice for Information Security Management and NIST SP 800-53 Recommended Security Controls for Federal Information Systems can be used to identify appropriate controls. Regulatory agency guidance also helps in defining controls appropriate to regulatory obligations; sources include the FFIEC IT Booklets on Information Security and Business Continuity Planning.
GRC Management: A Framework
Controls do not exist in isolation. Most controls affect, or depend on, other controls. Because controls are interrelated, they cannot be managed independently or in an ad hoc fashion. It is critical to group like controls into a framework.
Once an organization has defined an appropriate set of controls, they need to be organized into a manageable, structured framework, based on the objectives of the controls. For example, consider an organization that has established a management objective to Assess and Manage Operational Risk. To meet this objective, a set of control objectives, or high-level control statements, is identified. To implement each control objective, controls are instituted and assessed for adherence and/or compliance. Controls are often confused with policies. Policies, however, are statements of intent; controls are the measures that carry that intent out.
Examples of commonly used operational risk frameworks include: COSO – Internal Control-Integrated Framework, COSO Enterprise Risk Management – Integrated Framework, and COBIT – Control Objectives for Information and related Technologies.
Any framework is constructed around People, Process and Technology and must continuously manage the following:
- Assess what needs to be protected
- Mitigate risks by deploying appropriate systems and processes
- Monitor systems and processes to ensure adequate controls
- Respond to breaches and establish process improvements
To implement the best controls, the framework that organizations develop must contain reasonable and appropriate controls that address anticipated risks, and then organize them into a well-documented, proactive and process-oriented program.
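The hierarchy just described, a management objective met through control objectives that are in turn implemented by controls assessed for adherence, is shown below as an added example in Python; it is not code from the white paper or its authors. The management objective is the paper's own example, while the control objectives, controls, identifiers, owners, assessment statuses and scoring weights are constructed assumptions. The example rolls assessment results up the hierarchy and lists controls shared between objectives, which is where the interdependence of controls discussed above becomes visible: one control that fails its assessment pulls down every objective that relies on it.

```python
"""Rolling control assessments up through a controls framework.

Added illustration, not code from the white paper or its authors. The
management objective is the paper's example ("Assess and Manage
Operational Risk"); the control objectives, controls, identifiers, owners,
statuses and scoring weights are constructed for this example."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    owner: str          # who is accountable for operating the control
    status: str         # outcome of the last adherence assessment


@dataclass
class ControlObjective:
    objective_id: str
    statement: str           # high-level control statement
    control_ids: List[str]   # controls instituted to meet this objective


@dataclass
class ManagementObjective:
    name: str
    control_objectives: List[ControlObjective]


# Assumed scoring of assessment outcomes. An unassessed control earns no credit,
# so gaps in assessment coverage surface as reduced adherence instead of hiding.
STATUS_SCORE = {"effective": 1.0, "partial": 0.5, "ineffective": 0.0, "not_assessed": 0.0}

# Constructed sample data.
CONTROLS: Dict[str, Control] = {c.control_id: c for c in [
    Control("OR-1", "Risk register maintained and reviewed quarterly", "Risk Office", "effective"),
    Control("OR-2", "Annual business impact analysis of key processes", "Risk Office", "partial"),
    Control("OR-3", "Named owner recorded for every register entry", "Business Units", "ineffective"),
    Control("OR-4", "Monthly KRI dashboard reported to management", "Risk Office", "effective"),
    Control("OR-5", "Escalation of KRIs that breach their threshold", "Risk Office", "not_assessed"),
]}

OBJECTIVE = ManagementObjective("Assess and Manage Operational Risk", [
    ControlObjective("CO-1", "Operational risks are identified and classified", ["OR-1", "OR-2"]),
    ControlObjective("CO-2", "Each identified risk has an accountable owner", ["OR-1", "OR-3"]),
    ControlObjective("CO-3", "Risk indicators are monitored and reported", ["OR-4", "OR-5"]),
])


def control_objective_adherence(co: ControlObjective, controls: Dict[str, Control]) -> float:
    """Mean assessment score of the controls that implement one control objective."""
    scores = [STATUS_SCORE[controls[cid].status] for cid in co.control_ids]
    return sum(scores) / len(scores)


def management_objective_adherence(mo: ManagementObjective, controls: Dict[str, Control]) -> float:
    """Roll control-objective adherence up to the management objective (equal weights)."""
    per_objective = [control_objective_adherence(co, controls) for co in mo.control_objectives]
    return sum(per_objective) / len(per_objective)


def shared_controls(mo: ManagementObjective) -> Dict[str, List[str]]:
    """Controls referenced by more than one control objective: one failing control
    degrades every objective listed against it."""
    uses: Dict[str, List[str]] = {}
    for co in mo.control_objectives:
        for cid in co.control_ids:
            uses.setdefault(cid, []).append(co.objective_id)
    return {cid: objs for cid, objs in uses.items() if len(objs) > 1}


def gaps(mo: ManagementObjective, controls: Dict[str, Control]) -> List[str]:
    """Controls under this objective whose last assessment was not fully effective."""
    referenced = {cid for co in mo.control_objectives for cid in co.control_ids}
    return sorted(cid for cid in referenced if controls[cid].status != "effective")


def report(mo: ManagementObjective, controls: Dict[str, Control]) -> Dict[str, object]:
    """Summary a risk committee could review: rolled-up adherence, shared controls, gaps."""
    return {
        "objective": mo.name,
        "adherence": round(management_objective_adherence(mo, controls), 3),
        "per_control_objective": {co.objective_id: control_objective_adherence(co, controls)
                                  for co in mo.control_objectives},
        "shared_controls": shared_controls(mo),
        "gaps": gaps(mo, controls),
    }


if __name__ == "__main__":
    for key, value in report(OBJECTIVE, CONTROLS).items():
        print(f"{key}: {value}")
```

In the sample data OR-1 serves two control objectives, so its status carries twice the weight of any other control in the roll-up; that is the kind of relationship a spreadsheet of independent control rows does not expose.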
GRC Management: Implementation of Framework and Controls
As is often the case, what sounds logical and reasonable on paper is often not as logical and reasonable when it comes time to put it into practice.
To select controls and a framework, organizations must develop a defensible case for reasonable and appropriate controls that address reasonably anticipated risks, and organize them into a well-documented, proactive, and process-oriented program.
GRC depends on integrating and institutionalizing all its components into manageable, cost-effective, business-aligned practices. It is truly three-dimensional in scope. Using one-dimensional tools – spreadsheets and/or Word documents – to manage the practice will not work in the long run.
GRC Management: Assessing Risk
A common practice with many operational risk assessment approaches is to consider the likelihood or probability of various risk categories and then determine their financial impact. Many of these approaches provide limited insight because of broad assumptions required to make them work. Often, these assessments are generated in a bottom-up fashion and then aggregated into an overall organization-wide risk profile. These assessments require (among other things) a clear and consistent understanding of how operational performance affects financial performance. It is important that the assumptions associated with these cause-and-effect relationships be consistent across the various individual risk event assessments. Furthermore, there must be clear visibility into the “mechanics” of these cause-and-effect relationships.
GRC Management: Key Performance Indicators and Key Risk Indicators
Key Performance Indicators, also known as KPIs or Key Success Indicators (KSIs), are a measure of how well something is being done. After identifying stakeholders and defining goals, there needs to be a way to measure progress towards those goals. Key Performance Indicators are those measurements. They are quantifiable measurements, agreed to beforehand, that reflect the critical success factors of an organization.
A Key Risk Indicator (KRI) is a measure used in management to indicate how risky an activity is.
Most people gravitate toward the use of financial metrics as the primary measure of performance, but these metrics have limited use for our purpose. The predominance of financial metrics does not enable businesses to understand and measure how value is created in their organizations. Although financial metrics remain a fundamental measure of value, they only represent outcomes of business activity: they are lagging indicators of performance.
To gain a better understanding of the drivers of business and the non-financial metrics that are the leading indicators of financial outcomes, organizations need to include the effects of risk events (KRI) on performance (KPI).
Good key risk indicators (KRI) are simple, measurable and have a direct impact on multiple key performance indicators (KPI).
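As an added example, not code from the white paper or its authors, the following Python sketches the bottom-up assessment described in the Assessing Risk section together with the KRI-to-KPI linkage discussed here. Each risk event is priced through one shared table of cost factors, so every individual assessment uses the same cause-and-effect assumptions and an event whose impact driver has no agreed factor is rejected rather than silently priced; unit totals are aggregated into an organization-wide profile with the mechanics of each figure kept visible; and each KRI is checked against the rule above that a good indicator moves more than one KPI. Every event, business unit, cost factor, indicator, observed value and threshold is a constructed assumption.

```python
"""Bottom-up operational risk assessment with shared cause-and-effect
assumptions, plus a check that each KRI leads more than one KPI.

Added illustration, not code from the white paper or its authors. The risk
events, business units, cost factors, indicators and thresholds are all
constructed; treat every number as an assumption."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The single, agreed model of how an operational effect becomes a financial
# impact. Every individual assessment prices its impact through this table,
# which is what keeps the cause-and-effect assumptions consistent across them.
UNIT_COST = {
    "downtime_hour": 25_000.0,    # assumed cost of one hour of core-system outage
    "lost_record": 150.0,         # assumed cost per customer record exposed
    "manual_rework_hour": 60.0,   # assumed cost per hour of manual rework
}


@dataclass(frozen=True)
class RiskEvent:
    name: str
    business_unit: str
    annual_likelihood: float   # probability of at least one occurrence per year
    driver: str                # the operational effect, a key of UNIT_COST
    magnitude: float           # units of that driver caused by one occurrence

    def expected_annual_loss(self) -> float:
        # Refuse to price an event through an assumption nobody has agreed.
        if self.driver not in UNIT_COST:
            raise ValueError(f"{self.name}: no agreed cost factor for driver {self.driver!r}")
        return self.annual_likelihood * self.magnitude * UNIT_COST[self.driver]


def aggregate_by_unit(events: List[RiskEvent]) -> Dict[str, float]:
    """Bottom-up step: sum the expected annual loss of each unit's events."""
    totals: Dict[str, float] = defaultdict(float)
    for event in events:
        totals[event.business_unit] += event.expected_annual_loss()
    return dict(totals)


def organisation_profile(events: List[RiskEvent]) -> Dict[str, object]:
    """Organization-wide profile built from the unit totals, with the mechanics
    of each figure recorded so reviewers can see how it was derived."""
    by_unit = aggregate_by_unit(events)
    mechanics = {e.name: f"{e.annual_likelihood} x {e.magnitude} {e.driver} x {UNIT_COST[e.driver]}"
                 for e in events}
    return {"by_unit": by_unit, "total": sum(by_unit.values()), "mechanics": mechanics}


@dataclass(frozen=True)
class KRI:
    name: str
    threshold: float
    affected_kpis: Tuple[str, ...]   # performance measures this indicator leads


def breached(kris: List[KRI], observed: Dict[str, float]) -> Dict[str, List[str]]:
    """KRIs above threshold, each with the KPIs the breach is expected to move."""
    return {k.name: list(k.affected_kpis) for k in kris if observed.get(k.name, 0.0) > k.threshold}


def weak_kris(kris: List[KRI]) -> List[str]:
    """Indicators that move fewer than two KPIs: candidates to replace."""
    return [k.name for k in kris if len(k.affected_kpis) < 2]


# Constructed sample data.
EVENTS = [
    RiskEvent("Core banking outage", "Retail", 0.2, "downtime_hour", 8),
    RiskEvent("Customer data exposure", "Retail", 0.05, "lost_record", 20_000),
    RiskEvent("Batch reconciliation failure", "Operations", 0.5, "manual_rework_hour", 400),
]
KRIS = [
    KRI("critical_patches_overdue_pct", 10.0,
        ("system availability", "incidents per month", "audit findings closed on time")),
    KRI("failed_changes_pct", 5.0, ("system availability", "incidents per month")),
    KRI("open_vendor_findings", 3.0, ("audit findings closed on time",)),
]
OBSERVED = {"critical_patches_overdue_pct": 14.0, "failed_changes_pct": 4.0, "open_vendor_findings": 5.0}

if __name__ == "__main__":
    print(organisation_profile(EVENTS))
    print("breached:", breached(KRIS, OBSERVED))
    print("weak KRIs:", weak_kris(KRIS))
```

Because the cost factors live in one place, changing an assumption (say, the cost of an hour of downtime) re-prices every assessment that depends on it at once, which is the consistency the section above asks for; the `mechanics` entries make the derivation of each figure reviewable rather than buried in a spreadsheet cell.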
GRC Management: Steps in an Assessment Process
Performing regular assessments is an important aspect of GRC programs. Assessments should generally include these steps:
- Compile a resource inventory of key players
- Prepare an inventory of systems, applications and processes (both automated and manual)
- Prioritize based on criticality
- Develop a set of Key Performance Indicators
- Periodically measure and report
- Monitor and respond
GRC Management: The Role of Automation
Beyond developing the appropriate elements in a GRC program, organizations that seek to be highly cost-effective in their GRC activities will want to incorporate automation, both to reduce the cost of manual effort and to enhance the reliability of the results. Automation of GRC processes through workflow can greatly reduce manual labor for data collection and analysis. In addition, automation platforms using web-based collection mechanisms, automated e-mail notification, escalations and alerts, and central databases for evidence collection and storage can greatly improve the quality of the results and can deliver repeatability and consistency in the process.
It is worth noting that automation of GRC processes is a key enabler for organizations seeking to develop more mature programs, as described earlier in the CMMI model.
Summary
It is important that businesses increase the visibility of governance, risk and compliance initiatives. Just as security and privacy issues have become more integrated into the corporate psyche, an increased sensitivity and level of awareness of GRC is essential. This must be accomplished efficiently to minimize the time, resources, and expenses of implementing a cohesive GRC program.
Businesses will only be profitable if they undertake prudent risks and they will be less profitable if they do not rethink their existing business people, processes, and technologies. One of the greatest challenges in business today is to effectively assess and mitigate risk. Integrating and automating GRC presents the opportunity to not only assess and mitigate risks, but also to reassess business objectives and processes to gain more understanding and control. This translates directly into innovation and cost savings.
About the Authors
Bruce Beck is the Vice President for Business Development at Avior Computing. He has over 30 years of successful sales, business development and sales management experience in the technology industry, primarily focused on early stage companies. Mr. Beck significantly contributed to the successful IPOs of three companies where he was an executive.
Jeri Teller-Kanzler is the President and Principal Consultant for Risk-MAPP, LLC. In addition to her current consulting business, Jeri Teller-Kanzler is an adjunct professor at Rochester Institute of Technology (RIT), providing curriculum development, instruction, and graduate-level program development guidance in the areas of security technology, policies, law and ethics.