Our last discussion talked about how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. Here we’ll explore how a GRC software platform can help organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. And this journey all starts with controls!
The Detail is in the Controls
“What?!” you say? What could be more boring than controls? Internal controls can be deceiving. They seem to be little more than a “to do” list to be routinely followed. But their content represents the combined input of management, operating, physical and technical processes and practices. External controls follow a similar pattern, but often contain third party or regulatory agency-imposed standards for those resources and practices. Measuring the resources, practice attributes, and adherence to sound behavior in all these areas helps identify vulnerabilities and risk. And that’s part of what a Governance, Risk, and Compliance (GRC) platform is all about. It’s also much of what your Board’s duties and responsibilities are all about. But more on that to come.
Assurance is a Board Responsibility
GRC’s also support evaluations of assurance; in effect determining whether controls are operating as designed and are effective in doing what they were designed to do. This is an important, but sometimes overlooked attribute of risk management. There’s a tendency to presume that controls, once implemented, in fact deliver the value intended. If they do not, it is often assumed the problem requires more, not different or better followed controls. One way to check this is to survey operating areas regarding the controls they apply. Many circumstances can be addressed through a number of similar but related controls.
Some operations, based upon their own processes, might choose one set over another. Surveying controls employed, and looking for trends where particular controls are rarely implemented, may point out ones that are inordinately expensive, operationally difficult, or poorly designed. Surveys are, in many respects like risk assessments, and GRC tools can help you conduct them, gather and organize the results into useful assurance data.
Gathering this data may also be possible from risk assessments directly. Assessments of the controls applied to address specific risks already identified yield very useful information for controls management. That leads to more effective management assurance practices. And it answers an oft asked Board question: “What are you doing, and how do you know what’s not working?” Knowing what’s not effective leads to identifying vulnerabilities and risks. Assurance is important to operating efficiency, profits, and of course, to Boards of Directors.
Sound Compliance Protects Profits
Compliance is all about operating within the constraints and requirements of government and regulatory agencies, as well as meeting the expectations of contractual obligations, stakeholders, and of course, customers. It translates into following any number of specific rules and practices, which express themselves in operating, physical, and behavioral processes. Ultimately these lead to specific controls intended to make certain those processes achieve their ends. Compliance risk is evident where these controls are not found to be in force and effective. Non-compliance often leads to fines, loss of business or customer confidence, damages reputation and brand, ultimately hurting revenue and profit. The Board cares. GRC platforms have the support mechanisms to capture current compliance efforts, including remedial project states, and can co-relate any relevant audit findings to direct examinations of compliance practices.
Governance is Core
Then there is governance. Corporate governance includes rules, processes, and practices that Boards of Directors use to manage a corporation. Often it’s expressed as a framework incorporating performance measurement, plans, and controls, reflecting some overarching ethical beliefs. This whole is oriented to achievement of corporate goals and defines success. Governance is the core role of a Board. It includes risk management, which incorporates assurance, compliance, and adherence to all those practice intended to achieve corporate success.
There are a number of means to organize, group, and relate controls. They form the foundation of measures intended to evaluate performance, risk, assurance and compliance. Monitoring how well all these relevant controls are performing to support their respective operating, regulatory compliance and assurance services enables a board to effectively fulfill its governance role.
Four Critical Data Service Facets of GRC Software
GRC’s offer multiple data services, and multiple operations to source risk and performance from different perspectives… operating risk, technical, audit, regulatory, safety and incident recovery, and more. First, they provide a common database or repository for data arising from risk assessments, compliance reviews, internal and external audit findings, and operating results against performance indicators. In effect an enterprise GRC offers a consolidation “manifold” for storage of all these data views. They also often support “drill down” services so that the underlying details represented in a summary statistic or action summary may be used to navigate into the detail data underlying the summary finding or report. This lets a board member explore detail in an ad-hoc manner without need to rely upon report development support from the organization. It assures consistency and transparency in reporting, which encourages confidence in the data, and the organization.
Second, GRC’s enable relational data analysis, i.e., audit validating risk or control effectiveness reporting, relating IT metrics to operational risk, or any number of combinations developed by company staff through analysis of causal chains. This practice can lead to determination of predictive metrics, which can be a powerful tool for identifying particular risk situations, vulnerabilities, and potential strategies for addressing them. All too often operating risk, IT risk, audit, and compliance are separate silos of data, processes, and communications streams infrequently sharing or collaborating to relate data from one area to another. Enterprise GRC’s can provide a common platform allowing separate organizations to manage these discrete processes while effortlessly sharing data with risk experts who can gain value from the singular data repository.
This leads to the third benefit, strong data representational tools, fueled by the combined input streams from diverse risk, compliance and audit processes. Comprehensive and powerful data representation tools perform best when coupled with rich, complex data sources. That’s exactly the problem they’ve been developed to address. Quality enterprise GRC platforms often incorporate such data representational and analytical tools to help present complex data in relevant and meaningful management terms certain to gain and hold the attention of your Board, senior executives, and other key stakeholders.
Finally, GRC’s offer a single platform for managing communications and distribution of risk information. This frequently overlooked aspect of GRC’s is one their most important and useful services. Having great data, building clear and meaningful reporting are useless services if the results cannot be published and distributed in a controlled manner. Straightforward tools for managing controlled, secured communications of reports, presentations, action statuses, and the like deliver the value gained through the other services offered through a comprehensive enterprise GRC platform. Much of the information is and will remain company confidential. So, controlling distribution, access to exploratory tools, and past findings are important features. Communications and publication services include historical archives and repositories. They also help make sure that when new information is offered, everyone on your board is getting the exact same messages at the same time. A single source for all this information is a useful control point to assuring consistent and accurate communications management.
Coming Up Next…
So, we’ve discussed how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. In this article we’ve explored how a GRC software platform can help gather, organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. Next, in the last article of this series, we’ll offer some suggestions on the specifics of that content, that you can explore, and perhaps repurpose for your own board’s benefit in the future.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.