In our last blog, ‘can GRC keep up’, we discussed the limitations of the traditional GRC tools. So, the question now becomes, what is needed to address modern risk and compliance challenges if GRC isn’t enough?
One of the biggest issues with traditional GRCs is that they impose a compliance or maturity-based approach to cyber security. Why is this an issue? Because blindly implementing controls or showing compliance with regulations and standards does not make you secure, nor does it allow you to prioritize implementation of the mitigating controls effectively. For example, let’s take the popular international Standard, ISO 27001 - there are 114 controls in Annex A, but some are more critical than others across different parts of your business, so where would you begin? It all comes down to knowing your business and the risks you face, not just simple compliance.
This is where risk-based approaches shine, providing direction and prioritization based on the actual risks effecting the business. These approaches still support the compliance needs of your company just with a more holistic perspective based on risk. As result, you are able to not only implement a more effective strategy which reduces business risk at lower overall cost, but you can also justify that strategy and its investments to the Board.
It is down to CISOs and other security leaders to communicate risk and compliance to executive management, which is another area traditional GRC comes up short. Management Consulting firm, McKinsey noted that current GRC reporting is too technical and detailed– as a result, boards are not getting the information they need to make informed decisions. In fact, only 27% of organization felt ‘very comfortable’ that the Board is getting adequate reporting on cyber and privacy risk management metrics’ (PWC, Digital Trust survey 2018). This can be overcome by speaking in financial terms and aligning cyber security initiatives with the overall objectives of the organization.
GRC has always been quite ambiguous and subjective when it comes to assessment of cyber risk. Quantification, a critical tool in understanding cyber risk is not available through traditional GRC. Quantifying cyber risk provides organizations with the power to understand risks across the organization, prioritise efforts and demonstrate RoSI (Return on Security Investment). This data pinpoints security weaknesses and control ineffectiveness to help prioritize remediation efforts and allocate resources. This is arguably one of the key differences between traditional GRC and more modern, risk-based solutions.
The other notable difference is that integrated approaches feed off data from other systems to provide a holist view of risk. It recognises that there will be other sources of information which can influence the risk profile and takes this into account (such as vulnerability scans, threat intelligence, test results, incident data and audit findings), unlike traditional solutions where these systems may be disconnected. The holistic, contextual picture that is created when all relevant data is brought together is a powerful tool for greater understanding of risk and improved risk-based decision-making. Where possible, automation is used to reduce manual work and integration with other systems within the organization allows data to be uploaded in real-time.
Gartner analyst, John Wheeler argued that: GRC May Keep You “Out of Trouble”, But IRM Will Keep You “ In Business”
Risk-based approaches more closely focus on risk to provide actionable business insights, as opposed to GRC which highlights the technical risks with little or no context. Risk-based approaches emphasize the need for a coordinated, holistic view of risks across the enterprise in relation to business objectives and performance.
Risk-based approaches go beyond GRC’s simple logging of risks and measuring compliance. It is ultimately designed to improve decision-making by having a single source of truth, consolidated, consistent and aggregated across all internal business units and the supply chain. Both historic and real-time data is available to highlight current weaknesses, potential danger and maturity. As a result, you’ll sometimes see these approaches referred to as Integrated Risk Management (IRM).
IRM aims to bridge the gap between IT and the rest of the business whilst meeting compliance obligations.
More recently, McKinsey introduced the term ‘Cyberrisk - Management Information Systems’ (MIS) which seeks to get cyber risk on top of the board agenda by presenting factual, objective data. Similarly, to the IRM, this takes a risk-based approach to cyber security, but it focusses more on the role of cybersecurity within an organization, rather than the broader umbrella ‘risk’.
By taking an integrated risk management approach, organizations can reach higher levels of program maturity and deliver real value in the form of stronger performance, increased resilience, better assurance and more efficient compliance.
We welcome you to join Acuity Founder and CEO, Simon Marvell and Principal Consultant, Andy Boden on our upcoming webinar: 'Beyond GRC' (August 5th, 4pm BST / 11am EST). They will be comparing traditional vs modern Integrated Risk Management solutions and explaining how you can build improve your risk management program to improve transparency, drive decision-making and communicate that information to the Board.