GRC Overview: What is GRC?
GRC stands for Governance, Risk and Compliance. It is a framework for managing an organization’s risks and compliance requirements. Each component within GRC serves a distinct purpose.
Governance
These are the controls used to ensure the organization operates in an ethical and legal manner. It generally involves policies, procedures and other documented controls that the company follows.
Risk Management
This is the risk management framework that the entity follows. It involves identifying, assessing and mitigating risks (both internal and external) that can impact the organization’s operations, financial performance or reputation.
Compliance
Most organizations must meet regulatory, legal or contractual requirements, which is covered by compliance. It can also involve audits, assessments and tracking of required controls.
By effectively managing these components, organizations can reduce their risk exposure, improve their operational efficiency, and protect their brand reputation.
Common GRC Practices: How GRC Begins
Most organizations will have some documentation on policies and procedures created through the course of day-to-day operations. These documents tend to be ad hoc and informal initially. Once a third party reaches out to the entity with a security questionnaire or a contractual requirement to meet a compliance framework, the organization will need to quickly reassess this documentation strategy.
Once a third-party security control request comes in, most organizations realize that they do not have enough formal documentation on the policies, processes and procedures that they follow. This is generally followed by a rapid documentation exercise where the company quickly generates this material. The third-party questionnaire is then responded to and the company moves back into the rhythm of their daily activities.
How GRC Begins
Eventually additional third parties will begin requesting security and compliance documentation from the organization. At that point the organization realizes this is a repeatable process, and that realization pushes it to ensure that all policies, processes and procedures are updated and maintained.
Once companies realize that this is a repeatable process, they will adopt a more formal way to document this evidence. This normally evolves into maintaining spreadsheets with all of the controls listed, along with owners and review dates. Someone in the organization will need to own this new GRC process and ensure that it is managed properly. As an organization grows, the GRC process becomes a full-time job for a person or even a team.
GRC Tools Overview: Purpose of GRC Tools
A GRC tool helps an organization manage their GRC processes in a centralized platform. It allows for storing, maintaining and tracking of controls. Additionally, these tools can provide automation and even integrate with third party tools to import controls and evidence. Let’s break down some of the core functionality of a GRC tool.
Risk Management
GRC tools allow you to create risk registers to identify, assess and mitigate risks. They can provide automation to help determine risk scores and to notify appropriate parties of deadlines. They also allow risks to be viewed from a centralized location.
Compliance Management
Organizations can track their compliance requirements (such as PCI DSS, ISO 27001 or FedRAMP) within a GRC tool. The tool will identify the controls from those requirements and can point to evidence collected within the tool to show compliance.
Additionally, many controls are the same or similar across compliance frameworks. A GRC tool allows you to leverage a single piece of evidence to meet multiple compliance controls without maintaining duplicate data.
Issues and their remediation can also be tracked within these tools, and automated alerting can ensure that open issues are actively managed.
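The two capabilities described above (risk scoring in the Risk Management section, and reusing one piece of evidence across several frameworks in Compliance Management) can be illustrated with a small control crosswalk. The following is an added example written for this article; it is not code from any GRC product or from ScaleSec. The framework names come from the text, but every control identifier, evidence record, owner and date is a constructed placeholder, not a real clause number from PCI DSS, ISO 27001 or FedRAMP.

```python
"""Toy GRC crosswalk: risk scoring, evidence reuse across frameworks and
review-date alerting. Added illustration only; all identifiers and records
below are constructed placeholders, not real framework clause numbers."""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Evidence:
    evidence_id: str
    description: str
    owner: str
    last_reviewed: date
    review_period_days: int

    def is_stale(self, today: date) -> bool:
        # Evidence must be re-reviewed at least once per review period.
        return today > self.last_reviewed + timedelta(days=self.review_period_days)


@dataclass
class Control:
    framework: str
    control_id: str  # constructed placeholder, not a real clause number
    title: str
    evidence_ids: list = field(default_factory=list)


# --- constructed sample data (hypothetical) ---------------------------------
EVIDENCE = {
    "EV-001": Evidence("EV-001", "Quarterly user access review export",
                       "it-ops", date(2024, 1, 15), 90),
    "EV-002": Evidence("EV-002", "Signed information security policy",
                       "ciso", date(2024, 3, 1), 365),
}

CONTROLS = [
    Control("PCI DSS", "PCI-EX-1", "Periodic review of user accounts", ["EV-001"]),
    Control("ISO 27001", "ISO-EX-1", "Access rights review", ["EV-001"]),
    Control("ISO 27001", "ISO-EX-2", "Security policy approved by management", ["EV-002"]),
    Control("FedRAMP", "FR-EX-1", "Account management review", ["EV-001"]),
    Control("FedRAMP", "FR-EX-2", "Incident response plan tested"),  # no evidence yet
]


def risk_score(likelihood: int, impact: int) -> int:
    """Simple likelihood x impact scoring on 1..5 scales; rejects out-of-range input."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be in 1..5")
    return likelihood * impact


def evidence_reuse(controls) -> dict:
    """Count how many controls each evidence artifact satisfies (the dedup benefit)."""
    counts: dict = {}
    for c in controls:
        for eid in c.evidence_ids:
            counts[eid] = counts.get(eid, 0) + 1
    return counts


def coverage_gaps(controls, evidence, today: date) -> dict:
    """Map framework -> control ids that have no current (non-stale) evidence.
    A control linked only to stale or missing evidence is reported as a gap."""
    gaps: dict = {}
    for c in controls:
        current = [eid for eid in c.evidence_ids
                   if eid in evidence and not evidence[eid].is_stale(today)]
        if not current:
            gaps.setdefault(c.framework, []).append(c.control_id)
    return gaps


def review_alerts(evidence, today: date) -> list:
    """List (evidence_id, owner) pairs whose review period has lapsed."""
    return [(e.evidence_id, e.owner) for e in evidence.values() if e.is_stale(today)]


def report(today_iso: str) -> dict:
    """Run the crosswalk for a given ISO date and return the combined results."""
    today = date.fromisoformat(today_iso)
    return {
        "reuse": evidence_reuse(CONTROLS),
        "gaps": coverage_gaps(CONTROLS, EVIDENCE, today),
        "alerts": review_alerts(EVIDENCE, today),
    }


if __name__ == "__main__":
    for today in ("2024-03-01", "2024-06-01"):
        print(today, report(today))
```

Running the report for two dates shows the point the text makes: on 2024-03-01 the single access-review export satisfies one control in each of three frameworks, and only the control with no evidence at all is a gap; by 2024-06-01 that artifact is past its 90-day review period, so every control that depended on it becomes a gap at once and its owner appears in the alert list. That is exactly the kind of staleness a spreadsheet silently hides and a tool's automation is meant to surface.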
Policy and Procedure Management
Policies and procedures can be created and maintained within a GRC tool. Many tools can distribute and track sign-offs on these documents. Automation can be leveraged to ensure that documents are reviewed to meet defined requirements.
Audit Management
Audits and assessments can be tracked within a GRC tool. Notifications can be defined to ensure that timeline requirements are met.
GRC tools assist you in conducting audits by breaking out the tasks, providing an evidence collection platform and consolidating responses for the auditors. Additionally, reporting on the audit’s progress can be done through these tools.
Incident Management
Many GRC tools allow you to perform incident management within the tool. This provides a centralized location for managing incidents, reporting and even providing evidence when required.
Reporting
On top of all of these functions, a GRC tool’s most valuable capability may be reporting. Reports can give security leadership oversight of how controls are being managed, and can be aggregated to show executive leadership progress in these areas over time.
Choosing The Right GRC Tool
Once an organization has made the decision that they need to move away from manual spreadsheets and leverage the benefits of a GRC tool, they need to determine which tool is correct for them.
At ScaleSec we’ve seen companies that love their GRC tools, but we’ve also seen a few companies that are not happy with their initial GRC tool. This is generally because price was the main consideration and other factors were neglected during the selection process. We recommend following these steps to ensure that the tool purchased is the proper one for your organization.
Defining Needs
One of the first steps should be to define your needs for a GRC tool. These should cover the following at a minimum:
- Compliance requirements: Define regulations and standards you must meet
- Risk profile: Have a defined risk profile and strategy
- Size and complexity of organization: Are you growing, stable, seeking mergers and acquisitions, etc.
- Integrations: What systems do you have in place now (or are planning for in the future) that may need to integrate with the GRC tool
Defining Key Features and Functionalities
Most GRC tools provide basic GRC functionality, but some may provide additional features. Documenting “must-have” features and functionalities versus “wanted” will help with the decision making. A list of some of the features to consider is below:
- Risk management: Risk register, tracking, management, prioritization
- Compliance management
- Policy and procedure management
- Audit management
- Incident management
- Reporting
- User access management: e.g. periodic access reviews
- Workflow automation
Vendor Reviews
GRC tool vendors must be examined prior to purchasing. Vendor reviews should be based on several factors that will ensure the GRC tool will be used optimally today and in the future within your organization:
User Experience
The user experience and interface should be examined to ensure:
- The user interface is intuitive and user-friendly
- The ability to customize is available (if needed)
- Mobile devices can access the tool (if needed)
Vendor Reputation
Vendors should be thoroughly examined to ensure:
- The vendor’s reputation and track record is acceptable
- Customer references are available
- Third-party ratings (e.g. Gartner, Forrester) are favorable
- Customer support meets the organization’s requirements
- Training and implementation support is provided and sufficient
Artificial Intelligence
Many vendors are embracing Artificial Intelligence (AI) and Machine Learning (ML) to help document controls and evidence, thereby reducing the compliance burden on the responsible teams. Examining a vendor’s AI/ML strategy can be essential for future workloads.
Costs and Licensing
Costs are always a key factor when purchasing any software tool. Several key points on costs and licensing to consider are:
- Initial costs: Upfront costs, implementation costs and training costs
- Deployment model: Whether this is a SaaS solution or must be run on organization-provided systems
- Ongoing costs: Annual costs, user-based pricing, support costs
- Scalability: Will the initial deployment be able to scale with the organization or will additional purchases be needed in the future?
GRC Tool Conclusion
A GRC tool can provide numerous benefits as an organization grows and must meet more compliance requirements. Most entities will reach a point where maintaining manual spreadsheets or other systems will no longer scale, becoming a significant burden to the GRC team. This is the point that ScaleSec is seeing customers benefit the most from moving to a GRC tool.
Moving controls, policies, evidence and other documentation into a GRC tool takes planning and a long-term approach. If you are seeking to begin automating your GRC workloads and leverage a GRC tool, please feel free to reach out to us at ScaleSec and we can assist you in your journey.