Governance, risk management and compliance (GRC) is a comparatively recent discipline that enables organisations to manage their data compliance and security. It is typically associated with data security, but can also cover data recovery and service-level agreements with third parties.
“GRC’s focus is on preventing the loss of data through attack or disaster, identity theft or fraud,” says Colin Tankard, managing director of Digital Pathways. “This is driven by laws and regulatory requirements, particularly about the data a company keeps on customers and employees, and who has access to this data.”
GRC encompasses the varying requirements that apply to the handling of data. As the term implies, it is focused on three key areas:
- Governance – an organisation’s overall management approach, using information management systems and hierarchical control structures to ensure adherence to policy.
- Risk management – the identification, analysis and treatment of potential risks that could impede an organisation in achieving its goals.
- Compliance – ensuring that an organisation conforms with regulations and its own policies in the handling of data, using data management tools.
Therefore, a comprehensive GRC strategy typically involves these objectives:
- Identity management and controls of users’ access to data resources.
- Strong auditing of all access to data by both human and machine.
GRC is normally the domain of the IT team, and sometimes a compliance officer, but it rarely involves other areas of the business. It takes a governance view of risk rather than a business view.
“Data has been placed in higher value than oil, and we, as humans, create more than 2.5 exabytes of data every single day,” says Tim Galligan, general manager of Europe, Middle East and Africa (EMEA) operations at SailPoint. “This data boom has truly created a need in the enterprise to secure and manage its own data. The more data we have to manage, the trickier it becomes to properly govern who is accessing that data, what we’re doing with it and how secure it actually is.”
Because of the increased data-sharing capabilities within organisations, GRC is now evolving into integrated risk management (IRM), which provides a far more holistic approach to an organisation’s data security procedures. “The pervasive nature of sensitive data, along with the related security and privacy issues it brings, is a drive of this movement,” says Doug Wick, vice-president of product at ALTR.
IRM is a set of procedures that enables a risk-aware organisation to use technology and strategy to speed up decision-making and performance. It combines human intervention with automated playbooks – which define a scenario and the actions to take in it, so the response can be played out in advance – to prevent a situation from spreading. “IRM offers a pre-review of risk involving the whole business before a situation occurs, but with a guide on what the business needs are dependent upon, within each situation,” says Tankard.
GRC or IRM?
Neither GRC nor IRM is appropriate for every organisation. Companies with a large management structure and a high number of departments and employees, especially those spread across several locations and even countries, will gain the biggest advantage. Smaller organisations with a limited number of employees and departments, especially those based in a single office, are likely to find the benefits negligible.
Recent research by Exasol found that more than half of the data-driven initiatives in businesses were failing. Significantly, more than a quarter of these failures were attributed to skill shortages – a situation that was even worse in the retail and financial services industries. The most common reasons for failure in such initiatives relate to data consolidation, data migration and General Data Protection Regulation (GDPR) compliance.
Because IRM is a more integrated approach than GRC, it gives executives a greater over-arching understanding of the risks and opportunities facing their organisation.
One of the key differences between GRC and IRM is that the former tends to operate in isolation – in silos, as they are more commonly known – whereas IRM recognises that, with increased data-sharing within organisations, events in one area will have repercussions in another.
“People have started to use things like governance and compliance as ways of checking their security position,” says Tankard. “But they tend not to bring in the other aspects of legal and HR.”
For example, although cloud storage is nominally the responsibility of IT, it can affect all aspects of an organisation’s operations. Similarly, should an organisation’s employee database (which is usually HR’s responsibility) become unavailable, this can quickly become a significant problem throughout the organisation.
Greater security and regulatory oversight
Ultimately, IRM fosters a top-down, security-focused and risk-aware culture within an organisation.
The unified approach allowed by IRM gives organisations the opportunity for a more cohesive level of corporate governance. Unlike GRC, IRM inherently embeds itself within an organisation’s structure, at all levels, empowering executives with a greater understanding of what is happening, as well as enabling a swifter response to emerging threats. “Creating a culture of individual and collective responsibility helps to minimise weak links, as well as safeguarding company assets,” says SailPoint’s Galligan.
By bringing greater corporate governance to business practices, IRM allows organisations to comply with regulations more effectively by specifying how data is to be used. The resulting protocol is then disseminated throughout the organisation at an operational level.
The regulatory demands of GDPR have made security oversight more complicated, says Tankard. “GDPR is good legislation, as it has put a lot of power back to the individual about who is using our data and stops it being abused,” he says. “However, it has made it quite complicated in management terms about who should – and should not – be allowed to look at the data that organisations are gathering on users.”
Having an integrated approach allows a swift response to such regulatory matters by enabling the required individuals to have the access they need, when they need it.
Eliminating silos and improving efficiency
Under GRC, departments typically operate in isolation from each other. This is not only an inefficient use of time and resources, but can also lead to repetition of work, with multiple departments performing the same task. Such duplication of effort can cause confusion, as well as sowing distrust between departments.
“When it was just general risk and compliance, we were finding that lots of things were getting duplicated,” says Tankard. “There was no joined-up thinking, which was a real problem. We even had situations where we would have a department come to us and want to put in a monitoring solution because they didn’t really trust what IT was saying.”
By comparison, the core benefit of IRM is that organisations gain a much greater understanding of their risks and of the repercussions these could have for the business as a whole. This integrated awareness provides an opportunity to maximise efficiency within organisational structures, improve adaptability to events, and give a clearer view of the risks faced and how they can be mitigated.
Through this, IRM improves the operating efficiency of corporate operations. Rather than information being passed between multiple systems, with the delays that introduces, it is shared consistently throughout the organisation, allowing departments to have immediate and appropriate access to the information as soon as it is available.
This methodology also allows organisations to identify redundancies within their operating procedures, thereby further streamlining their workflows and improving productivity.
Finding opportunities with calculated risks
Thanks to the increased oversight offered by IRM, organisations are better able to identify new business opportunities within their existing operations.
Businesses may be risk averse, especially in unsettled times, but IRM can highlight opportunities that balance favourably against calculated risks. The over-arching view of business operations offers an insight into the range of possibilities, both risks and opportunities, that may not have been considered before.
Given the highly competitive nature of the market, as well as the rapid pace of technological change, organisations must adapt to remain competitive. One way to do this is by identifying opportunities and understanding the associated risks.
But for all the advantages of IRM, there remain inherent challenges in implementing it properly within an organisation.
Many consider that the best time to adopt IRM is as soon as possible, to reap the benefits early. Some organisations may already have the systems in place, but will need to bring them all together so they become integrated.
“Companies don’t necessarily need to put in a whole bunch of new systems,” says Tankard. “It’s just more joining it together better than it is at the moment, rather than being little islands. You’ve got to try to resolve these islands, and the only way you’re going to do it is by integrating the management processes together and making sure you get the board together so that it meets and has one voice.
“It’s got to be immediate because things are happening now and if you’re not already doing it, then you should be thinking of streamlining it really.”
However, it is the bringing together of these systems that can be the most challenging aspect. It is particularly important to ensure that all the systems are properly integrated within the new structure, and that each individual and department has the access to information it needs to fulfil its duties, while the necessary data protection standards are maintained.
“It is a challenge for people when they are allocating work, because they have to be cognisant of the risks associated with that work,” says Stephen Ralph, product manager at Zarion. “There are huge demands on people to apply the right policies, to make sure that permissions aren’t broken, and that they comply with regulations and guidelines.”
Maintaining an edge requires specialist skills
IRM requires significant investment of both time and resources for it to be properly established, before benefits can be gained.
Unfortunately, because of the highly technical nature of IRM, only a limited number of individuals have the appropriate skillset. “Everyone involved in risk management must have the skills and ability to digest and understand the prerogatives of GRC and IRM,” says ALTR’s Wick.
There are, however, several options available.
The first is simply to hire personnel with experience of IRM adoption in order to gain the required skillsets. This is the most capital-intensive option, but also the most viable if an organisation wants to adopt IRM sooner rather than later.
The alternative is to train existing staff in preparation for adopting IRM. This can be an efficient use of capital, but much of the knowledge gained will be theoretical and untested in practice. It also carries the risk that those employees may leave the organisation before IRM is adopted.
Finally, organisations can hire freelance consultants to implement IRM. Although this is the least capital-intensive option in terms of skills acquisition, it is also the least efficient in terms of business investment, because the organisation loses those skillsets once the contract is complete.
Committing such resources can be particularly challenging for organisations with limited budgets, but this can be mitigated to an extent by sufficient forward planning, raising awareness of the business needs and prioritising investments.
The challenges facing organisations wanting to adopt IRM are real, but not insurmountable. For larger organisations, the benefits can far outweigh the costs, leaving them better placed to maintain their competitive advantage in the future.
“Anything that starts to pull things together and gives you a wider view, rather than it being an isolated island, has got to be the way forward because so much now slips through the cracks,” says Tankard.