I was reviewing an InfoSec community that I belong to on LinkedIn recently and came across a question asking for the benefits of GRC. I just happened to have launched a GRC committee within our organization, and because the thread was hijacked around an IT risk based on ISO27001, I offered the following:
Risk is only one component of GRC and means different things to different parts of the organization. For example, I am working in the financial world, where the context of risk takes on a different meaning in different parts of the business. The insurance company is primarily concerned with the downside of risk. By contrast, the financial community is concerned about the upside benefits of taking risk. IT Risk seemingly reacts to downside risk as well. Personal behaviour mirrors that. When someone buys vehicle or property insurance, he or she is concerned about the potential of an adverse event. When that person utilizes a retirement plan’s financial tools, he or she is managing risk to maximize opportunities and seek better returns.
Notably, despite these differences, nearly all risk management frameworks and professionals agree that opportunities, obstacles and threats must be addressed in a holistic fashion to yield an optimal result. The benefit of GRC is aligning the different approaches to assessing risk by:
- identifying the obstacles and threats along the way
- assessing their potential impact
- making risk-intelligent decisions, and
- implementing governance structures to ensure that the org appropriately pursues opportunities in light of those obstacles and threats
This is especially important for Enterprise Risk Managers that may not have experiences outside their particular realm of experience (which may not include IT).
The specific GRC benefits include (according to OCEG and my experiences):
- reduced cost, as redundant activities are identified and streamlined or eliminated;
- reduced need and cost for reconciling information across the organization;
- reduced gaps and errors, as the integration creates a holistic system of checks and balances;
- increased quality of risk-based info on which strategic and tactical decisions are based;
- enhanced employee motivation as contribution to achieving objectives becomes more clear;
- trust resulting from consistent organizational positions and actions, from oversight through operations;
- agility driven by a clear delineation of who handles what activities in what sequence;
- more effective management of stakeholder expectations; and
- assurance that expectations and objectives are met.
Simply leveraging an ISMS will not facilitate the collaboration or buy-in necessary to achieve these outcomes, as an ISMS does not resonate in the same way with all CXOs. The ISMS would be ancillary to other GRC governance. But I’m telling you from recent successes, GRC resonates!