It has to start with a degree of integration between threats, risks, controls and protective measures.
The GRC acronym (Governance, Risk and Compliance) has been around for over 10 years but still, many organizations struggle with the successful delivery of GRC programmes across their IT function.
Many of those programmes fail because they are designed in silos, around the functional capabilities of specific tools, often selected without a proper assessment of their fit within the firm’s IT and risk environments. This results in overly complex and expensive integration projects, or in the under-utilization of the tools due to data unavailability or inconsistency.
In my experience, for IT GRC programmes to deliver meaningful value, it is key to start from a process perspective and to ensure that business threats, technology risk scenarios, protective measures and control activities are properly aligned.
The level of risk a firm carries in relation to a particular risk scenario can only be determined through a structured and independent assessment of the measures in place (or not) to protect the firm from that scenario. If sufficient measures are in place, senior executives can then be given the assurance that the associated risk is low, or at least controlled. If the protective measures in place are not deemed sufficient or cannot be verified, flags must be raised and actions taken.
For this to work, it has to start with a degree of integration between threats, risks, controls and protective measures.
Technology risk scenarios cannot be arbitrary: they have to be derived from – and linked to – a structured analysis of the threats the business is facing.
They cannot just be placed in a risk register, next to a mitigation, transfer or acceptance statement “hoping for the best”.
They have to permeate through and drive the firm’s technology policy framework.
In other words, technology policies, procedures and standards have to be designed and architected not simply with the view of adhering to good practice or addressing specific issues, but with the view of protecting the business from those technology risk scenarios (while ensuring that the firm also meets its regulatory obligations).
As such, it should be possible to map each content element of those policies, procedures and standards to one or several technology risk scenarios (those they are designed to protect against).
Collectively, they should be underpinned by an operating and governance model documenting the roles and responsibilities of all parties involved in their execution to protect the firm.
The “Compliance” part of the technology GRC framework should be driven by a controls plan, validated with all stakeholders and defining the set of tasks – automated or not – by which the execution of the technology policies, procedures and standards is continuously or periodically verified by an independent function.
Because the content of the technology policies, procedures and standards would have been mapped to the technology risk scenarios, the reporting resulting from the execution of the controls plan should inform on the actual level of protection of the business from those risk scenarios and allow the translation of those results into technology risk. Those results could – in turn – be integrated within the enterprise risk, governance and regulatory reporting frameworks.
I am not saying this would be simple to put in place, in particular in large firms where a significant legacy of policy material may exist, but only such a degree of integration – in my view – can bring meaningful results to senior executives and enable them to understand and manage the level of risk the firm carries.
Even in large organizations where a degree of automation will be required for this to work, it is key to start with the operational architecture of such integration and its validation with all stakeholders, before looking for a toolkit solution.
Once again, this is the typical area where “Process and People first, THEN Technology” is key to success.
Founder & CEO
Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.
An edited version of this article was originally published on Forbes on 9th February 2023 and can be found here.