Managing Compliance and Complexity: A GRC Call to Action
Seven tips to improve business value along with risk, ESG, business and technology strategy
Friday, March 3, 2023
By Robyn Marsi
Many governance, risk and compliance (GRC) teams are being asked to find creative ways to do more with less and demonstrate more business value. This will force them into a difficult juggling act. Poor economic conditions are expected to result in an increasing number of cyberattacks. The pool of technically trained resources is shrinking, making it harder to retain top GRC talent.
Maintaining compliance is a constant battle in a complex regulatory landscape. And new requirements, like environmental, social and governance (ESG), create more issues for GRC teams to tackle.
To help organizations accelerate, simplify and strengthen GRC as a value-driven framework that keeps the business on track and operating efficiently in 2023, here are seven tips to consider.
Keep a business-first perspective. Understand the business you are in and the risks that come with the territory. This means understanding not only technology requirements, but also the regulatory environment, the competitive landscape and your company’s own internal processes. To do so, you need to find your seat at the executive table. Make a 2023 resolution to build better relationships with business leaders and gain a clear understanding of your business’s risk appetite. Demonstrate value by creating and implementing risk strategies that align with your company’s overall goals and objectives.
Prioritize risks based on business criticality. Risk assessments should consider, in the context of business objectives, both external risks such as cyberattacks or data breaches and internal risks such as outdated systems or employee errors. Whatever methods you use to perform assessments (e.g., interviews, focus groups, surveys or data collection), be sure to collect the information you need to analyze the likelihood of each risk occurring, its business impact and the level of control you have over mitigating it. Complete regular assessments to keep the program up to date and relevant. Conduct a stakeholder analysis to identify which individuals or groups may be affected by risk decisions, then proactively communicate any impacts.
Continuously manage risks. After prioritizing risks, you will need to develop the right plan to manage them. Your risk management plan should include both short- and long-term strategies for dealing with each risk category. The goal of your plan should be to minimize the business impact of each risk while still allowing the company to continue to operate effectively. Review and update the plan quarterly to keep up with changes in the GRC landscape and continuously maintain an effective risk management strategy.
Keep a pulse on global requirements. Maintaining ongoing compliance can be difficult. To do so, you must continuously monitor the company’s security posture against global regulatory requirements and industry best practices. A robust compliance management system can help you track and manage global compliance data. Also, investments in quality resources, such as industry reports and newsletters, can help keep you up to date on any changes. Reviewing sites like the World Customs Organization, subscribing to email alerts or RSS feeds, and using technology solutions to automate and manage compliance processes can be useful too. When in doubt or short on time, ask an experienced attorney or compliance consultant to help navigate changing regulatory landscapes.
Incorporate ESG into GRC. A wide range of stakeholders are looking at corporate ESG performance, which means you should be too. ESG refers to the examination of a company’s environmental, social and governance practices, their impacts and the company’s progress against benchmarks. Much of this responsibility may fall squarely on your shoulders. There are a number of ways to incorporate ESG into a GRC program. One is to create an ESG policy or framework that outlines the actions your company will take to address these concerns. Another is to integrate ESG data into existing risk management processes. For example, you can establish key performance indicators (KPIs) related to sustainability and report on them regularly.
Find the right resources. While the talent pool of well-trained security professionals is shrinking, the number of attacks and GRC concerns is growing. It is important to find IT staff specifically trained in cybersecurity to handle the deluge of evolving threats. GRC can be a complex and time-consuming task, but it is essential for any organization that wants to operate in a compliant and safe manner. To save time and money while still maintaining a high level of compliance, some businesses are turning to GRC as a Service (GRCaaS). Knowing that all compliance requirements are being met using proven technologies and people can provide you with peace of mind and more measurable results.
Be a GRC champion. The ever-changing GRC landscape requires a strong and agile leader. You must be responsive to the demands of a competitive business while not losing sight of growing threats and evolving compliance requirements. Professional organizations can help you cope with changing demands and develop the soft skills you need to succeed. Many professional organizations offer continuing education and certification programs that can help you stay up to date with the latest security strategies as well as self-assessment tools you can use to identify target areas for self-improvement.
Treating GRC as an afterthought because executive leaders don’t understand the value of GRC wastes time and money, burns out resources and puts the business at risk. Translating these tips into action can elevate governance from a little “g” to big “G”.
It’s time to deliver measurable business value by integrating risk considerations into business decision-making, reporting on risks and the business impact across all lines of business, and making compliance a seamless part of day-to-day operations. These actions will not only strengthen your GRC programs, but also unify operations, boost efficiencies and lessen the burden on resources.
Robyn Marsi is senior director, Risk & Technology Services, at Lynx Technology Partners. She has over 33 years of experience providing strategic direction and program oversight in developing and delivering large-scale enterprise and international solutions. She has worked primarily in the financial services industry, successfully implementing GRC programs and technology platforms on an enterprise-wide basis, and was part of a team recognized by RSA, the host of the largest U.S. cybersecurity event, as an Industry Leader with three awards in two years.