November 30, 2021

Manage Risk with a GRC Solution

A centralized look at governance, risk and compliance helps organizations respond more effectively.

Organizations face a multitude of risks. From hackers and ransomware to regulatory compliance and oversight, many factors threaten to cause financial losses, trigger compliance violations and litigation, or otherwise affect an organization’s ability to meet its strategic and operational goals. Business leaders seeking to manage these risks find themselves facing a complex array of challenges that cross many of the traditional silos of business. Strong risk management programs require collaboration among senior executives, functional leaders, technologists, human resources specialists, attorneys and other stakeholders.

Governance, risk and compliance (GRC) solutions provide an opportunity to bring these stakeholders together around a shared body of information. By aggregating risk information into a single platform, senior leaders can get a dashboard-level look at risk across an entire organization and use that information to focus risk management efforts on the areas where they can have the most impact. 

GRC platforms are the current state of the art in risk management programs, and organizations that deploy GRC solutions have numerous options. Technologies in this area range from small add-on modules for other solutions to comprehensive enterprise risk management platforms. Business and technology leaders should ask themselves four questions when sorting through these options.

1. Why Are We Considering a GRC Platform?

It’s important to clearly articulate the goals of a GRC solution. All too often, I see organizations looking to deploy GRC technology simply because they see other businesses doing it and think that they should follow the crowd. The reality is that strong GRC deployments require a clearly stated mission. Are you trying to provide senior leaders with greater visibility into risk? Do you need a solution that will help you demonstrate compliance with regulatory requirements? Is prioritizing competing risk needs a top concern? Beginning your deployment with a clear mission in mind will help you select a platform that best aligns with your goals.

2. What Is the Scope of the GRC Program?

Some organizations approach GRC as an IT-centric effort that focuses on technology risks, while others seek a more comprehensive enterprise risk management program. Understanding the organization’s short-term and long-term expectations will help leaders select a platform that not only meets current needs but is likely to stand the test of time as an organization evolves.

3. Can We Use Something We Already Have?

Your organization might already have technology in place that offers GRC capabilities as an add-on module. For example, some IT service management tools provide a GRC module. If that is sufficient to meet your needs, you may find it far more cost-effective and less labor-intensive to add on to an existing technology rather than deploying something entirely new.

4. Are We Prepared to Undertake the Business Process Work Associated with GRC?

GRC platforms are wonderful support tools, but enterprise risk management is primarily a business process effort. If you have a mature risk management program in place, are you prepared to modify it to work with your new platform? If you don’t, are you willing to do the work required to build supporting business processes?

Governance, risk and compliance tools offer organizations a powerful approach to managing risk in a manner that minimizes costs, reduces duplicate work and prioritizes investment in risk management controls. Organizations seeking to deploy a platform can do so in a thoughtful manner by identifying clear answers to these four questions.

Story by Walt Powell, an accomplished cybersecurity expert and executive coach who specializes in providing executive guidance around risk, governance, compliance and IT security strategies. He is the executive security strategist at CDW and prior to that served as a senior security adviser at Optiv and a virtual CISO at Left Brain Security. Through these roles, he has had the opportunity to learn from and contribute to hundreds of CISOs and their programs. Powell holds dozens of professional certifications including CISSP, CISM, Carnegie Mellon – Heinz CISO, and the Stanford Advanced Cybersecurity Certificate, along with countless technical and presales certifications from top security vendors. Powell is also an accomplished musician and father who loves to spend time with his kids.
