Governance, Risk and Compliance (GRC) provides an operational framework that guides all organisations.
Governance provides the documented rules and regulations that the organisation should adhere to. It includes policies, standards, guidance, and processes, which may be written broadly or may be very detailed and prescribe specific approaches. Generally, as an organisation matures, its governance document library becomes more detailed and is managed more maturely: documents are regularly reviewed and updated, have clear ownership, and the actions they specify are delivered.
Risk management is a systematic, forward-thinking approach to identifying the threats faced by an organisation, documenting those threats and any corresponding vulnerabilities, and evaluating how likely it is that a threat and a matching vulnerability will occur together. An organisation should have a risk appetite, or risk tolerance statement, which establishes how the organisation treats a given risk and which risk management methods it applies; these include avoiding, accepting, mitigating, transferring, sharing, and retaining.
A well-run organisation documents its risk assessment and management approaches as governance documents, which establish how risks are rated (e.g. low, medium, high), how often an event may occur (e.g. once a year, once a quarter, every week), and the potential impact on the organisation (e.g. minor, medium, high, catastrophic). This process happens regularly at different levels in an organisation, and with different impacts:
- At a board level: Members want to see that risks and threats have been documented and there are good strategic approaches written and agreed on, to appropriately manage those risks to the organisation.
- At a senior management level: Chief Officers will use the risk assessment and outcomes to direct their part of that organisation on how to deliver products and services to meet the agreed-on risk approaches and levels.
- At a middle management level: Section and Group Managers will use the direction and documented approaches to plan and deliver tactical work so that the organisation is unlikely to exceed the tolerance for risk.
- At an operational staff level: The organisational risk approach is used in day-to-day activities, as the basis for operational staff activities, and provides guidance on how staff should respond to adverse events.
Risks can change frequently, especially for an IT-based organisation, or any organisation that relies on an IT infrastructure to be able to deliver goods or services, so establishing risks, their review and (re)evaluation can be vital to long-term success.
Compliance is a process that reviews system and process controls and evaluates how well the organisation is complying with them. It is like a recurring, internal self-audit that checks some or all of the controls in place. Some controls may be identified as critical and must be checked every compliance period; others may be less important, and only a selection of those require testing. The outcomes of this evaluation are used to improve compliance with the organisational controls, and may also be used to improve the organisation's Governance and Risk approaches.
An established and mature GRC approach, with organisational commitment and buy-in from all levels of management and staff, can deliver quantifiable improvements in the quality of an organisation's operations and delivery. Organisations that ignore or overlook their GRC requirements face the prospect of economic failure, legal or legislative repercussions, or, in extreme cases, the failure of the business. On the flip side, the application of sound GRC frameworks can lead to longevity and prolonged organisational success.
How does your team view its GRC obligations: as a vital component of a sound, long-term strategy, a box that needs to be ticked occasionally, or an impediment to cavalier practices that bend rules and cut corners?
If you have any questions about your organisation's cyber security needs, don't hesitate to contact us via our contact form.
Learn more about the Intalock Advisory Service and how to protect your organisation with cyber security solutions.
Download the Intalock Advisory Services Overview – Information sheet.
If you are experiencing a cyber-attack now, contact the Emergency Hotline 1300 554 798 or