Dark Reading is part of the Informa Tech Division of Informa PLC


Risk | Commentary
7/15/2020 10:00 AM
Matt Kunkel

Top 5 Questions (and Answers) About GRC Technology

For the first time in a long time, we must shift from managing localized risks against a landscape of economic growth to managing those issues under much less certain circumstances.

According to Google Trends, searches for "business continuity planning" skyrocketed on March 12, around the same time the US declared a national emergency in response to the coronavirus outbreak. The pandemic forced this oft-overlooked back-office function into the spotlight and brought economic turmoil along with it.

For the first time in a long time, we must shift from managing localized risks within third-party supply chains, infosec, and operations against a landscape of economic growth to managing those issues under much less certain circumstances. If you haven't already, now is the time to build your contingency plan.

Business continuity plans (BCPs), and solid governance, risk, and compliance (GRC) policies in general, can help businesses prepare for and navigate many disruptive events, including natural disasters, cybersecurity breaches, terrorist attacks, fraud, and embezzlement.

We believe in the benefits of implementing technology to streamline policies, automate processes, and create repeatable workflows so organizations can quantify risk into digestible dashboards to gain a singular source of truth. [Editor's note: The author's company is one of several providers of GRC technology.] Most businesses, we've found, have the same questions about implementing tech to strengthen their GRC programs. So we asked our customer success team, who all come from GRC consulting backgrounds, what they're typically asked.

Here's what they told us.

What should I be thinking about before implementing a GRC tool?
Before spending money on a tool intended to solve an ongoing problem, most businesses want to know what they need to have in place as an organization so the implementation will be successful. Before choosing to implement any GRC technology, it's important that organizations align people and teams to a common goal and define the existing processes surrounding GRC. One of the biggest mistakes we see GRC leaders make during an implementation is overcomplicating a process that should be simple. Don't get distracted by shiny bells and whistles at initial go-live. Instead, nail down your must-haves, build around those, and continue innovating on your processes with agility as the regulatory landscape evolves.

How does my GRC process compare to others?
Even the most sophisticated organizations, with the most beautifully defined processes, want to know how what they are doing compares to what their peers have in place. In a space like GRC, which changes by the minute to reflect industry requirements and government and consumer concerns (most recently surrounding data privacy), no enterprise wants to be left behind. In order to stay agile in response to emerging threats and proactive to prevent new ones, seek out technology that allows you to easily modify policies and procedures in your workflow without the need to pay huge consultation fees. Additionally, lean on your partners to provide templates and best practices for common regulatory or compliance workflows in your industry.

How can my organization work cross-functionally to manage risk?
Building partnerships between organizational silos is key to creating a culture of risk inside your company. A strong culture of risk, from top to bottom, is essential to the overall success of any risk management program — and it doesn't build itself. Start with identifying gaps in the existing risk culture. Involve key stakeholders and create a few core statements about the desired culture, pointing out areas of growth. Commit to those changes, and create policies and procedures that reflect a strong risk culture.

Most importantly, communicate about risk often. Educate everyone in the organization on their individual roles and responsibilities when it comes to risk management. You'll know you have a strong risk culture when all decisions align with ethical principles, and there is clear and consistent accountability of risks throughout the organization.

What should I be doing in terms of risk-scoring methodology?
Because each organization has its own appetite for risk, each organization will have to define a methodology for itself. There are many resources out there about how to score and what kind of calculations to use. A common simple calculation is risk = probability of the event × magnitude of loss (that is, expected loss), where, for example, a high probability is between 80% and 100% and a low probability is less than 30%. Whatever method you choose, express magnitude in one unit across the whole register so that scores are comparable. At the end of the day, it's up to each individual organization to decide for itself how to score risk.
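As an added illustration (not from the article or any vendor's product), the following scores a small risk register with the probability × magnitude calculation above, applies the article's high and low probability bands, ranks the register, and then compares inherent and residual expected loss after a set of treatments. It goes slightly beyond the paragraph by also computing the fraction of risk mitigated. The sample risks, the treatments, and the "medium" label for the 30% to 80% range the article leaves unnamed are all constructed assumptions.

```python
"""Added example: a minimal risk register scored as probability x magnitude of loss.

Not from the article or any GRC product. Sample risks, treatments and the
'medium' band are constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the event occurs in the period, 0.0 to 1.0
    magnitude: float    # loss if it does occur, in one currency for the whole register


def expected_loss(risk: Risk) -> float:
    """Score = probability of event x magnitude of loss (expected loss for the period)."""
    if not 0.0 <= risk.probability <= 1.0:
        raise ValueError(f"{risk.name}: probability must be between 0 and 1")
    if risk.magnitude < 0:
        raise ValueError(f"{risk.name}: magnitude of loss cannot be negative")
    return risk.probability * risk.magnitude


def probability_band(probability: float) -> str:
    """Article's bands: high = 80% to 100%, low = below 30%.
    The article leaves 30% to 80% unnamed; 'medium' for that range is an assumption."""
    if probability >= 0.80:
        return "high"
    if probability < 0.30:
        return "low"
    return "medium"


def rank_register(risks: list[Risk]) -> list[tuple[str, str, float]]:
    """(name, probability band, expected loss) rows, largest expected loss first."""
    rows = [(r.name, probability_band(r.probability), expected_loss(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def apply_treatments(risks: list[Risk], treatments: dict[str, dict]) -> list[Risk]:
    """Residual register: each treatment overrides probability and/or magnitude of the named risk."""
    return [replace(r, **treatments.get(r.name, {})) for r in risks]


def register_summary(inherent: list[Risk], residual: list[Risk]) -> tuple[float, float, float]:
    """Total inherent expected loss, total residual expected loss, and the fraction mitigated."""
    total_inherent = sum(expected_loss(r) for r in inherent)
    total_residual = sum(expected_loss(r) for r in residual)
    mitigated = 0.0 if total_inherent == 0 else (total_inherent - total_residual) / total_inherent
    return total_inherent, total_residual, mitigated


# Constructed sample register (hypothetical figures; probabilities chosen to be exact in binary).
SAMPLE_RISKS = [
    Risk("Ransomware on file servers", probability=0.375, magnitude=2_000_000),
    Risk("Key supplier insolvency", probability=0.875, magnitude=400_000),
    Risk("Wire fraud via phishing", probability=0.5, magnitude=300_000),
    Risk("Flooding at primary office", probability=0.125, magnitude=1_000_000),
]

# Constructed treatments: offline backups cap the ransomware loss; MFA plus payment
# call-backs cut the phishing likelihood. Supplier and flood risks are accepted as-is.
SAMPLE_TREATMENTS = {
    "Ransomware on file servers": {"magnitude": 240_000},
    "Wire fraud via phishing": {"probability": 0.25},
}


if __name__ == "__main__":
    for name, band, loss in rank_register(SAMPLE_RISKS):
        print(f"{name:<30} {band:<7} {loss:>12,.0f}")
    inherent, residual, mitigated = register_summary(
        SAMPLE_RISKS, apply_treatments(SAMPLE_RISKS, SAMPLE_TREATMENTS))
    print(f"inherent {inherent:,.0f}  residual {residual:,.0f}  mitigated {mitigated:.0%}")
```

Ranking by expected loss rather than by the probability band alone is the point: the flood risk is "low" probability but carries more expected loss than a "medium" risk with a small magnitude would, and a treatment that only shrinks magnitude (backups) can matter more than one that shrinks probability.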

How can I encourage adoption and help everyone consider risk in everything they do?
Getting the business to buy into the GRC processes leadership has agreed on can be the biggest hurdle, with the potential to completely ruin an implementation months in the making. This is why involving end users early in the build is key. Get their feedback on tool selection and customization, and encourage them to challenge the status quo in GRC. Ask questions such as "Why do we need to centralize risk?" along the way to ensure no stone is left unturned.

Feedback shouldn't stop when the tool is "live" either, as risk doesn't stop evolving just because a tool is in place. GRC leaders can also consider some gamification. Giving users visibility into the data collected can help provide access to the bigger picture and answer questions like, "Which department is clearing the most risk capital?"

With the cost of compliance on the rise, tackling risk can seem daunting. But instead of fearing it, accept it as inevitable and shift your viewpoint to look at risk through the lens of growth. If you were able to quantify and mitigate 20% of the risk associated with running your business, what additional risks would you be able to take on to grow your business?

Matt Kunkel is the co-founder and CEO of LogicGate. Prior to LogicGate, he spent over a decade in the management consulting space building technology solutions to operationalize regulatory, risk, and compliance programs for Fortune 100 companies. Kunkel regularly speaks and ...
