Build a Strong GRC Maturity Roadmap to Align with the Business

June 2, 2022 | By IANS Faculty

GRC teams within organizations today face new challenges from broader industry trends. In the past few years, these trends have required GRC teams to make complex decisions, stay connected and remain agile. Strong GRC teams must now actively address better business collaboration, remote work standards, Environmental, Social and Governance (ESG) policies and third-party risk management across the organization. 

This piece details evolving trends and provides guidance for teams to plot them against their organization’s maturity level to build a strong GRC maturity roadmap that aligns with business objectives.  

Governance Trends 

There has been mounting pressure on GRC to improve coordination with the business and with other teams within the security function. The three lines of defense (front-line business activities, risk and compliance, and internal audit) continue to be a strong model for governance. However, siloing of the GRC function has limited its impact within security, and increasing integration with other security functions to create a common governance model is recommended. 

Forward-looking leadership should use GRC as a platform to support and align with business objectives. Teams should emphasize: 

  • Aligning governance objectives with business objectives.  
  • Continuing to expand the three lines of defense, while looking for opportunities to reduce silos. 
  • Integrating governance with other security functions, such as IAM, incident response and business continuity.

Risk Trends

Risk reduction is a result of IT and the business taking appropriate action. In recent years, GRC has matured its analysis of risk through the application of methodologies such as Factor Analysis of Information Risk (FAIR), Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE) and others. 

Yet analysis is not action. GRC capabilities must shift from reporting to achieving outcomes. This is especially crucial as organizational risk has been re-scoped to include the broader supply chain, increasing the demand on the capability. GRC teams should increase integration with other security teams and collaborate to reduce risk in measurable and cost-effective ways. 

To improve overall risk management, teams should consider: 

  • Emphasizing risk reduction outcomes over risk reporting, for example, by prioritizing the time to remediate risk over assessment frequency. 
  • Increasing the scope of the capability to include third-party risk.  
  • Integrating risk with other disciplines. Just as with governance, risk management should be integrated with other areas, such as asset management, incident response, etc. 


Compliance Trends

Compliance requirements continue to evolve. From privacy regulations such as the EU’s GDPR in 2018 and the California Consumer Privacy Act (CCPA) in 2020, to industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cybersecurity Regulation (2018) and the ongoing HIPAA revisions, the bar continues to rise. We see indications this pace will continue and accelerate in the coming years. The systemic risks identified in 2020 will likely result in increased oversight and obligations, so GRC teams should: 

  • Prepare to scale up to meet compliance requirements and obligations. 
  • Unify diverse requirements into a common framework provided in the GRC tool or using frameworks such as the Unified Compliance Framework (UCF). 
  • Increase the use of automation and orchestration to enforce policy. 

GRC Roadmap Recommendations   

Shift from Reporting to Demonstrable Risk Reduction 

GRC often excels at auditing, identifying and reporting on risk. If this is not yet the case, focus on these areas. GRC functions that are excelling here, however, should shift from analysis to action by collaboratively reducing risk with other teams. To reduce risk: 

  • Bring GRC objectives and key results into alignment with the business. 
  • Integrate GRC services, such as asset inventory, classification and service management. 
  • Develop a business case process for risk reduction, for example, by addressing concerns over increasing costs or reduced performance. 
  • Improve program metrics and executive reporting. 

Staff Up for an Increased Workload 

GRC capabilities remain under-staffed, with many organizations having between one and three full-time employees (FTEs). However, the workload is likely to increase in the coming years with inclusion of third-party risk and expansion of regulations. Where possible, consider adding people to the team, and create capacity within the existing team through training and standardization. To do this: 

  • Analyze and optimize the current workload. Are there tasks the team is currently doing that they can delegate or stop performing? 
  • Improve standardization and knowledge-sharing through cross-training, retrospective meetings and knowledgebase documentation. 
  • Invest in training and skills development to address skills gaps identified when analyzing the current workload. 

Get the Most from Your Current Technology 

The GRC market is relatively mature and is unlikely to see significant disruption requiring investment. Teams are advised to focus on getting more from their existing GRC platform. Specifically, reporting and remediation are ripe for enhancement. Teams can look at: 

  • Improving dashboards and analytics to align objectives and key results with the wider organization. 
  • Integrating with service management to create workflows for taking action on findings. 
  • Leveraging automation and orchestration to reduce the effort involved with remediation. 


Common GRC Roadmap Mistakes  

A roadmap tells the story of where the capability has come from, where it is going and how progress will be demonstrated. Yet there are common mistakes we all make with roadmaps—from using them to list all our features or tools, to avoiding broader problems in favor of easier problems to solve. Some common pitfalls to avoid include: 

  • Lack of alignment with peers or with the wider organization. 
  • Failure to address broader concerns with the GRC program: 
    • Platform concerns may involve dashboards, analytics and reports. 
    • Capability concerns may involve risk reduction, collaboration and outcomes. 
  • Focus on improving technology without a corresponding focus on improving people. 
  • Creating wish lists of technical features instead of a theme-based roadmap that speaks to outcomes and results. 

How to Mature Your GRC Program 

Successful GRC teams will: 

  • Understand and plan for increasing demands. Forward-looking teams will strengthen governance, train people, standardize processes and fully leverage GRC technology. 
  • Watch for common pitfalls (i.e., lack of alignment, too much of a focus on wish lists, etc.) and be sure roadmaps address deeper concerns. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
