GRC Leadership Summit 2020
Join us on September 17 to listen to the panel which I will be part of with some experts like :
Diego Souza, Executive Director – Global CISO, Cummins Inc.,
Manish Tiwari, SVP / Global CISO,
Bharti Airtel, and
Dr. Erdal Ozkaya Regional CISO and MD, Standard Chartered Bank, UAE,
discuss the quantification of #risks in business terms
Registration link : https://www.grc-summit.com/leadership-series/september
BUILDING CYBER RESILIENCE: THINKING BEYOND CYBER RISK
The ‘new normal’ of the work from home regime has put the IT and cyber infrastructure of organizations to the real test. How can data be protected, weak links be strengthened, and the overall IT security of the extended enterprise be tracked, monitored, and kept resilient to ensure uninterrupted business performance?
This edition of the GRC Summit Leadership series offers you expert perspectives and best practices on how automation and the quantification of IT and cyber risks in business terms can yield effective cybersecurity management, delivering overall cyber resilience.
For more evets :
What Is GRC ,
Governance, Risk, and Compliance Explained
GRC as an acronym stands for governance, risk, and compliance, but the term GRC means much more than that. The OCEG (formerly known as “Open Compliance and Ethics Group”) states that the term GRC was first referenced as early as 2003, but was mentioned in a peer reviewed paper by their co-founder in 2007.
When broken down, the constituent elements can be defined from ITIL® 4 and explained as follows:
The means by which an organization is directed and controlled. In GRC, governance is necessary for setting direction (through strategy and policy), monitoring performance and controls, and evaluating outcomes.
A possible event that could cause harm or loss or make it more difficult to achieve objectives. In GRC, risk management ensures that the organization identifies, analyses, and controls risk that can derail the achievement of strategic objectives.
The act of ensuring that a standard or set of guidelines is followed, or that proper, consistent accounting or other practices are being employed. In GRC, compliance ensures that depending on the context, the organization takes measures and implements controls to assure that compliance requirements are met consistently.
Drivers for GRC
Without a doubt, the biggest driver for GRC is regulation. While traditional industries such as banking, insurance, healthcare, and telecoms have borne the brunt of regulation in the past, today’s digital age is fueling a risk in regulation that touches all entities, large or small.
Use of data, particularly personally identifiable information, has huge business potential as well as risk of abuse. Therefore, governments and international agencies are paying a closer eye to how digital businesses manage data. The rise in cyber-attacks, which expose personal data, as well as growing awareness by individuals and civil rights organizations have shed new light into how companies manage information and technology through processes, people, and culture.
Benefits of GRC
According to CIO.com, benefits of GRC include:
- Improved decision-making
- More optimal IT investments
- Elimination of silos
- Reduced fragmentation among divisions and departments
A collective approach is the best bet for any organization seeking to get to grips with the ever-changing regulatory landscape. When GRC is done right across the whole organization, and the right people get the right information at the right time, and the right objectives and controls are established, then OCEG states that we can expect reduction in costs, duplication, and impacted operations.
The organization can also benefit through better decision-making agility and confidence, as well as sustained, reliable performance, and delivery of value.
The GRC approach
As has been stated before, GRC is best implemented in a holistic manner that encompasses the entire organization. This does not necessarily mean that an umbrella unit is required for coordination, even though that might work for certain types of entities. The OCEG has defined an open source approach called the GRC Capability Model (also called the Red Book) that integrates the various sub-disciplines of governance, risk, audit, compliance, ethics/culture and IT into a unified approach. The Capability Model is made up of four components:
- LEARN about the organization context, culture and key stakeholders to inform objectives, strategy and actions.
- ALIGN strategy with objectives, and actions with strategy, by using effective decision-making that addresses values, opportunities, threats and requirements.
- PERFORM actions that promote and reward things that are desirable, prevent and remediate things that are undesirable, and detect when something happens as soon as possible.
- REVIEW the design and operating effectiveness of the strategy and actions, as well as the ongoing appropriateness of objectives to improve the organization.
These components outline an iterative continuous improvement process to achieve principled performance and are further decomposed into elements which are then supported by practices, actions and controls. The actions and controls are classified in three types, which organizations can select a mix dependent on their context:
In order to address the needs of GRC, a lot of organizations are turning to technology solutions. These solutions enable the leadership to monitor GRC across the enterprise by ensuring business processes and information technology continue to align to the governance, risk and compliance requirements of the organization. Capabilities include:
- Risk management (logging, analysis, and management)
- Document management
- Audit management
However, having a tool alone isn’t enough to guarantee effective GRC. Technology doesn’t have ethics—people do. Hence GRC must be addressed from a people and process perspective, even before technology is considered.
However, technology is a very good enabler in reducing the “compliance” overheard that comes with gathering and managing records required to prove that the organization is meeting GRC requirements, without overburdening employees who should be focused on generating value instead.