Governance, Risk, and Compliance (GRC) is a strategy to effectively manage enterprise risk in order to achieve compliance with policies, laws, and regulations.
In the financial industry, a GRC strategy aligns a financial institution's (FI's) organizational structure with the technology and processes that meet its business objectives. This strategy is shaped by the FI's risk appetite statement and is often driven by the Chief Risk Officer, the Information Security Officer or the Enterprise Risk Management team.
This may sound vaguely familiar if your FI has a Board of Directors and Senior Management (Governance) team, a Risk or Information Security Program, and a Compliance Program. You already have the pieces you need to succeed.
But there is a way to bring those pieces together under the proverbial “single pane of glass” to make them work even better for you, your customers and members.
Throughout my 20-year career, I have seen and heard of iterations of GRC that have both succeeded spectacularly and failed miserably. Here are some pitfalls to avoid and tips to successfully unleash the power of your GRC strategy.
Not All Assets Are Created Equal
If you have ever struggled to build, maintain, list (or find!) your current information asset inventory, you are not alone.
First, what exactly is an “information asset”? What types of information assets are there?
Then, who exactly owns the asset? Who maintains the asset? How are assets tracked? How important is this asset to you, to others at the FI, to your Customers?
The answers to these questions are the building blocks of your asset inventory. A solid GRC strategy relies on an authoritative inventory of all information assets at your FI that defines asset types and their value to your organization. Every organization is different, and while information assets may be common among us—think databases, core applications, firewalls, servers, ATMs—their value depends on your business objectives.
An authoritative inventory of assets - one source of truth, official asset book of record, however you define it - will enhance your GRC strategy if you:
- Establish specific asset types – e.g. servers, software, desktop computers, networking equipment, office equipment.
- Assign owners and custodians to specific assets.
- Determine the use and criticality of each asset.
- Update the information frequently.
- Avoid keeping separate spreadsheets for different asset types; one register, one book of record.
Align Risks and Controls
The concept of risk and control is not new. In the financial industry, this concept is the driving force behind regulations, policies and audits. The Cybersecurity Assessment Tool (CAT) from the FFIEC has helped us assess inherent cyber risk and cybersecurity maturity in order to select appropriate controls, but it is still up to each FI to incorporate the results into its enterprise risk program.
One thing I’ve observed over the years is that it is easier to assess risks than to apply the right controls to the right risks. This has been partly because organizations must prioritize spending, but it is mostly because risks have not been properly defined and aligned with the appropriate controls.
When making business decisions we should not only ask, "What's the risk?" (What's the risk of clicking on this link? What's the risk of replacing our firewall? What's the risk of enabling mobile deposits for customers? What's the risk of allowing employees to work from home?)
We should also have the answer and the solution: a rating, the reason for the rating, and the controls that bring it within appetite.
Then we can say, "The risk of employees clicking on malicious links is High because we use email every hour of every day (high likelihood) and a compromised workstation affects core systems (high impact), therefore we need to (a) educate employees and (b) monitor and filter network traffic through our firewall 24x7."
To be successful in your GRC strategy, you must establish a framework that aligns your controls based on your FI’s risk appetite, your asset size and the complexity of your environment.
- Establish enterprise risk categories.
- Determine likelihood vs. impact scales (high-medium-low, etc.).
- Establish control categories.
- Ensure your policies address and properly reflect your control environment.
- Align the necessary controls to mitigate specific risks.
- Avoid controls that do not address a specific and significant risk.
Once you connect your risk appetite to your risk and control categories, your authoritative asset inventory and your policies, you can determine what mitigation projects would follow to ensure your risk stays at an acceptable level. This best positions you for regulatory compliance.
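The alignment described above (asset criticality feeding impact, likelihood scales, controls mapped to named risks, and a check against risk appetite) can be expressed as a small consistency check over the register. The following is an added example, not code from the article or from any GRC product; every asset ID, risk ID, control ID and threshold is a constructed assumption, and the three-point scale and likelihood-reduction rule are illustrative choices rather than a prescribed method.

```python
"""Constructed GRC consistency check: score risks from an asset register and
flag gaps between risk appetite, controls and asset ownership.
Example code, not from the article; all IDs and thresholds are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Three-point scales ("high-medium-low"), 1..3, so likelihood x impact is 1..9.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    asset_id: str
    asset_type: str                 # e.g. server, firewall, desktop
    criticality: str                # low / medium / high: impact if lost or compromised
    owner: Optional[str] = None
    custodian: Optional[str] = None


@dataclass
class Risk:
    risk_id: str
    category: str                   # enterprise risk category, e.g. cyber, operational
    asset_id: str                   # the inventory entry the risk is assessed against
    likelihood: str                 # low / medium / high


@dataclass
class Control:
    control_id: str
    category: str                   # control category, e.g. preventive, detective
    mitigates: List[str] = field(default_factory=list)  # risk IDs this control addresses
    likelihood_reduction: int = 1   # steps down the likelihood scale (assumed rule)


def rating(score: int) -> str:
    """Map a 1..9 likelihood x impact score back onto the three-point scale."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def inherent_score(risk: Risk, assets: Dict[str, Asset]) -> int:
    """Impact is inherited from the asset's criticality, so a change in the
    inventory changes the risk score without a separate re-assessment."""
    return SCALE[risk.likelihood] * SCALE[assets[risk.asset_id].criticality]


def residual_score(risk: Risk, assets: Dict[str, Asset], controls: List[Control]) -> int:
    """Each mapped control lowers likelihood by its reduction; never below 1."""
    reduction = sum(c.likelihood_reduction for c in controls if risk.risk_id in c.mitigates)
    likelihood = max(1, SCALE[risk.likelihood] - reduction)
    return likelihood * SCALE[assets[risk.asset_id].criticality]


def review(assets: Dict[str, Asset], risks: List[Risk], controls: List[Control],
           appetite: str = "medium") -> Dict[str, List[str]]:
    """The gaps a reviewer wants listed: assets with no owner or custodian,
    risks still above appetite after controls, and controls mapped to no
    risk in the register (the "control without a specific risk" case)."""
    known_risks = {r.risk_id for r in risks}
    return {
        "unowned_assets": sorted(a.asset_id for a in assets.values()
                                 if a.owner is None or a.custodian is None),
        "risks_above_appetite": sorted(
            r.risk_id for r in risks
            if SCALE[rating(residual_score(r, assets, controls))] > SCALE[appetite]),
        "orphan_controls": sorted(
            c.control_id for c in controls
            if not any(rid in known_risks for rid in c.mitigates)),
    }


# Constructed sample register (assumed data, not from any real institution).
ASSETS = {
    "MAIL-01": Asset("MAIL-01", "email system", "high", "IT Ops", "Messaging Team"),
    "FW-EDGE": Asset("FW-EDGE", "firewall", "high", "IT Ops", "Network Team"),
    "WS-TELLER": Asset("WS-TELLER", "desktop", "medium", "Retail Banking", None),
}
RISKS = [
    Risk("R-PHISH", "cyber", "MAIL-01", "high"),          # employees clicking links
    Risk("R-FW-OUTAGE", "operational", "FW-EDGE", "medium"),
    Risk("R-RDP-EXPOSED", "cyber", "WS-TELLER", "medium"),
]
CONTROLS = [
    Control("C-TRAIN", "preventive", ["R-PHISH"]),        # security awareness training
    Control("C-FILTER", "detective", ["R-PHISH"]),        # 24x7 traffic filtering
    Control("C-ORPHAN", "preventive", ["R-LEGACY-VPN"]),  # maps to a risk no longer listed
]

if __name__ == "__main__":
    for r in RISKS:
        print(r.risk_id, rating(inherent_score(r, ASSETS)), "->",
              rating(residual_score(r, ASSETS, CONTROLS)))
    print(review(ASSETS, RISKS, CONTROLS, appetite="medium"))
```

On the constructed data, R-PHISH drops from High to Medium once both controls are mapped, R-FW-OUTAGE stays High with no control and is reported as above a Medium appetite, C-ORPHAN is reported because the risk it references is not in the register, and WS-TELLER is reported for having no custodian. The same three lists are what the "mitigation projects" paragraph above should be driven from, and they are only trustworthy if the asset register is the one authoritative source.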
Technology Is Your Friend
Like most things these days, GRC can be automated. Asset inventories, risk assessments and related information that have lived in spreadsheets for years have created a "silo" effect in many community financial institutions. As compliance processes have become more complex, the need for automation has grown just as much as the need to eliminate the silos. We are seeing FI customers slowly moving away from spreadsheets and toward technology solutions to manage enterprise risk and information security, for several reasons:
- Financial savings: A GRC technology solution can provide accurate information on financial exposure as well as reduce the cost of risk mitigation or acceptance.
- Improved decision-making: Better planning and oversight to evaluate business requirements against your governance philosophy (risk appetite).
- Reduced guesswork and risk exposure: Identifying and implementing optimal controls to address the right risks across the entire Institution.
GRC technology also allows you to be more efficient by entering data once and leveraging it across multiple areas of focus within your information security program. For example, asset and risk information can be used for information security risk assessments, policy development, vendor management and Business Impact Analysis for Business Continuity Management in all your business units, thus eliminating spreadsheets and silos across your organization.
If you have decided that technology is your friend for GRC, here are some ways to get started:
- Consider GRC Software-as-a-Service instead of do-it-yourself software you must install in your environment, keeping in mind that the provider will then hold your asset inventory and risk register, so it belongs in your vendor management program like any other critical third party.
- Leverage 3rd party expertise and consulting services to help implement a GRC strategy and technology solution.
- Prepare or refresh your authoritative information asset inventory.
- Ensure you have a framework of risks and controls mapped to your risk appetite and regulatory requirements.
You have what it takes to unleash the power of your GRC strategy. Proper planning is key, and collaboration is essential to ensure you succeed in delivering peace of mind to your organization and excellence in services to your customers and members.