How to Set Up a Strong GRC Program

July 15, 2021 | By IANS Faculty

To develop a strong governance, risk management and compliance (GRC) program, start by assessing the current state of eight primary components, including roles/responsibilities, legal requirements, policies/procedures and more. Using that information, we recommend leveraging a standard framework (e.g., NIST, COBIT, etc.) to build a GRC program that ensures enterprise risk is effectively mitigated to acceptably low levels while still meeting all compliance requirements. This piece explains the challenges and offers recommendations for setting up a strong GRC program foundation.

Challenges of Setting Up a GRC Program 

While organizations discussed and practiced GRC for over two decades, it is still a challenge for many to establish a GRC program. And even those with established GRC programs struggle to determine their program’s effectiveness. Challenges of setting up a GRC program include, but are not limited to:

  • Getting the right frameworks to build the policies.
  • Implementing the right processes, roles/responsibilities and technologies.
  • Meeting legal requirements, obtaining executive support, and embedding the GRC components throughout the IT and non-technical business ecosystem.

Once those challenges are addressed, organizations should be vigilant in ensuring the components are maintained, updated appropriately, and followed consistently throughout the entire business over time.

Setting Up a GRC Program

Determine the Current State of Your GRC Program

To get started setting up a solid foundation for your organization’s GRC program, you should understand the GRC program’s current state. The following questions are categorized in eight key program areas. Answering them will help you determine where your current GRC processes stand in terms of coverage and maturity. The answers can help lead you to determine the appropriate actions to take to fill the gaps and build a solid GRC foundation.

1. Roles and Responsibilities

  • Have you established roles and responsibilities for data security, cybersecurity, and privacy throughout your organization?
  • Do all workers know who has those responsibilities?
  • When were these roles and responsibilities established?
  • Do they need to be updated based on organizational changes and new legal requirements for data security, cybersecurity, and privacy?

2. Legal and Compliance Requirements

  • Have you identified and documented all the privacy (aka “data protection”) laws and regulations to which your organization must comply?
  • If yes, how up-to-date is the documentation? When did you last update it? New privacy, data security and breach response laws and regulations go into effect overtime, and many others have been updated.
  • Is your organization in compliance with all the security and privacy requirements within your contracts?
  • Is your organization in compliance with all posted privacy notices and security policies?

3. Policies and Procedures

  • Are your organizational data security, cybersecurity and privacy policies, procedures and practices up-to-date?
  • Are your employees aware of the requirements of the policies and the procedures to follow to meet policy compliance? Are they following those procedures? If your staff is not actually following policies and procedures, those policies and procedures are not providing any value or protection to your organization. Worse, if regulators and auditors see that you have policies in place but do not enforce them, that creates even more liabilities, bad public relations (PR) and potentially higher non-compliance penalties for your organization.
  • When was the last time you updated your policies and procedures? Has it been since you last made a major organizational change, acquisition/merger, new system implementation, online product and/or service offering, etc.?

4. Training and Awareness

  • Do you currently offer data security, cybersecurity, and privacy training to all workers?
  • When was the last time you updated and provided training?
  • Do you provide ongoing reminders about data security, cybersecurity and privacy practices and policies?

5. Risk Management

  • When was the last time you performed a risk assessment?
  • Have all the findings and identified risks been mitigated appropriately? Which ones still need to be mitigated?
  • What changes in your organization have occurred since the last risk assessment? If it has been more than a year, or if major organizational, network, etc., changes have occurred, it is time to do another risk assessment.

6. Vendor and Supply Chain Risk Management

  • Do you have a vendor/supply chain risk management program as part of your GRC program?
  • If yes, when did you last update you vendor risk management program and associated policies, procedures, and practices?
  • When did you last provide training and update contracts and other associated documentation?
  • Do you consider within your program the risks from downstream vendors (those entities contracted by your vendors and otherwise used for the products and services your vendors provide to you) and how to mitigate those risks?
  • If no, when are you going to establish such a capability within your organization? Plan to do so.

7. Program Management

  • Do you keep your GRC program updated?
  • Do you know if all areas of your organization’s enterprise are following all policy and contractual requirements?
  • Do you have key stakeholders to act as point persons to support ensuring the necessary program management actions occur?

8. New and Emerging Practices and Technology

  • Does your GRC program cover new technology that workers, including third parties, are using, such as internet-of-things (IoT) devices, artificial intelligence (AI), surveillance technology, etc.?
  • Have you updated and/or created new GRC requirements and performed activities to ensure work-from-home personnel are addressed by the organization’s GRC program documents and requirements?

Answering those questions will provide insights to guide your new director’s decisions about where to prioritize actions to build or improve the GRC program, and to support establishing timelines for meeting its needs going forward.

Choose and Use Proven Frameworks

We recommend using established, widely accepted, and authoritative cybersecurity and privacy management frameworks to support your GRC program. Such frameworks should be well-vetted and kept up-to-date. They should be risk-based, and guide organizations in making decisions based on not only data and cyber risk, but also compliance risk.

A GRC leader or director should consider taking the answers and resulting work products used to determine the current state and try incorporating them into the chosen framework. The associated guidance from the frameworks can be used to plan for actions to take, support risk determinations and make decisions involving both compliance issues and cybersecurity risk mitigation. Such frameworks both help balance decisions and establish priorities.

Two sources for such recommended frameworks are NIST and COBIT.

NIST Frameworks

NIST provides multiple cybersecurity and privacy risk management and compliance guidance documents. Organizations in all sectors, of all sizes, throughout the world use NIST guidance documents. The following resources, used collectively, provide a comprehensive framework most organizations can implement (they also are generally kept up-to-date and provide a wide variety of supplemental guidance and other types of resources):

ISACA COBIT Framework

ISACA is a large, long-standing, worldwide professional membership association that has developed a wide range of security, privacy, and audit certifications over the years, in addition to frameworks used by hundreds of thousands of organizations worldwide.

Its most recent COBIT 2019 framework provides guidance to help information assurance practitioners integrate the industry standards, guidelines, regulations, and best practices in a customized way into business enterprise ecosystems.

The COBIT 20219 framework defines:

  • Components to build and sustain a governance system.
  • Design factors that should be considered by the enterprise to build a best fit governance system.

It is also flexible and allows guidance on new topics to be added.

Guidance for Setting Up a Strong GRC Program

We suggest beginning by reviewing the answers to the eight categories of questions used to determine your GRC program’s current state to help guide their areas of focus and set some associated timelines. From there we recommend using your established experience and expertise to:

  • Define the compliance, business, and IT future-state requirements for the organization. The information gathered from the exercises outlined here will provide an understanding of the organization that should help determine the best data security, cybersecurity, and privacy requirements for the organization.
  • Identify GRC technology solutions to best support the established requirements based on the organization’s current and targeted GRC maturity level.
  • Verify the functionality and performance of the draft GRC framework and supporting components by working with key stakeholders throughout the business and IT organizations.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


Find additional resources from our security practitioners.


Learn how IANS can help you and your security team.