The reason I love working with startups is that they invest their time and resources in things that generate value and are happy to adapt and shift when that is no longer the case. Enterprises are more like aircraft carriers: slow to turn, even when they are sailing towards a cliff or away from their revenue-generating continents. Enterprises can be very inefficient and, in some cases, even terrible at Governance, Risk, and Compliance (GRC) programs, because of their tool sprawl (both GRC and non-GRC related), the sprawl of systems and companies they have acquired, the need to support various legacy systems and processes, and the lack of any incentive to operationalize effectiveness. Because no one can truly measure risk, compliance is performed as a checkbox exercise. Enterprises also have heavy revenue streams and locked-in customers, so they do not need to convince buyers to trust them, whereas startups are incentivized to develop effective GRC programs.
Here are some things Enterprises can and should do to make their GRC programs deliver better practical value:
- Set up a Change Agent team or individual. This Change Agent should look at all aspects of the GRC program, and across the wider enterprise, to identify things that can be streamlined and better organized to make GRC more effective. This has to be a continuous process: think of it as the continuous improvement that is part of so many cybersecurity framework requirements, except this continuous improvement is not for cybersecurity but for GRC effectiveness. The Change Agent must have executive support and be capable of translating identified improvement options into expected time/resource savings.
- Reduce documentation sprawl. Because various teams own their specific subject areas, often have conflicting goals or priorities, and can be fully siloed due to previous Mergers and Acquisitions (M&A) activity or simply the organizational structure, Enterprises always have too many places where corporate policies, procedures, and standards are hosted. This is the easiest thing to fix and will stop your users from hating compliance. Technical documentation can still reside where it is most consumable for the affected technical teams, but all corporate policies and non-technical standards and procedures should be available to all staff in a single place, regardless of whether they are owned by GRC, Legal, HR, or anyone else.
- Make policies and training targeted and as short as possible. Enterprises have lots of mandatory training, but that does not mean it has to be long or boring or provided to those who do not need it. Focus on the things you want people to walk away with, the things that actually make your company more resilient to attacks and fines. Do not train on things that do not matter. You should be able to cover the key points of a policy in 1-2 pages. Create different policies/trainings for different groups of users depending on their job functions. Not everyone needs to understand Business Continuity, for instance; mainly the technical folks responsible for maintaining their critical services do. However, phishing and identity attacks make everyone a target, so that training should be provided to all staff.
- Manage your Supply Chain risks with simpler Third Party Risk Management (TPRM) practices by coordinating with other stakeholders and teams. Become part of the procurement program and process and reduce the tasks and checks that overlap with other stakeholders' needs, e.g. your TPRM process should cover your IT, cybersecurity, privacy, legal, and finance controls and checks at about the same time, so as not to slow down the process. Create a few easily identifiable tiers for your suppliers, based on the specific risks to your business. Focus on what actually matters, not 300+-question questionnaires as your method of assessing supplier risk. Do not use automated vendor risk scoring that looks at vendors' websites and produces non-applicable report cards based on marketing sites rather than the vendor's actual services. You should look into newer TPRM startups that can contextualize what types of access your vendors have, where your data is going, and whether they rely on suspicious fourth parties or unchecked AI vendors themselves.
- Use automated evidence collection and organize external and internal audits to overlap as much as possible, as a way to reduce evidence sprawl and audit time for the individuals involved. You can usually work out with your audit firms and customers to produce bridge letters that allow you to delay an audit in order to sync it with another. Audits should be scheduled in the most efficient way to reuse the same evidence for systems where you are not able to collect that evidence automatically via GRC tool automation. Part of your Change Agent program should include a regular review of every audit to see how it could be done with fewer personnel hours next year.
- Set up a GRC Engineering team to develop your own GRC tools or adapt current ones to support changing needs and the support of legacy and future acquired systems. The GRC Engineering team should work hand-in-hand with your Change Agent team to continuously engineer ways to automate more evidence collection, and to give the GRC program truly comprehensive visibility for accurate reporting of cybersecurity, privacy, and legal risks.
- Streamline regulation monitoring and tracking by leveraging GRC Engineering and other stakeholders, such as InfoSec, IT, Privacy, and Legal, to reduce duplication of effort and improve or adapt current tooling so that the right process or tool covers many needs at once. The GRC tools you are using should allow you to incorporate new frameworks that Legal, Privacy, or other stakeholders identify, and you can use those GRC tools to identify possible gaps and to easily automate evidence for all controls that overlap with your existing internal/external audit programs.
- Work with the M&A team to build GRC-readiness due diligence checks for possible acquisitions, which will give you the key gaps and action items to reduce risks more quickly and embed the acquisition into current GRC practices once it goes through. Learn from every M&A and reduce the time to integrate acquired companies/systems into your GRC program, your audit schedules, and your GRC tooling.
- Make continuous improvement a true mantra and apply it to every major deployment and project. Give everyone a way to provide anonymous feedback about the GRC program, different teams, and areas that are not working.
- Create a GRC Champions program within each business unit and find your champions, as you will find common ground everywhere. You can leverage existing Security Champions programs or start your own. The key is to use this opportunity to build allies across the company, to learn more about how each team functions and their challenges, and to identify opportunities where GRC can help, even if it is outside the GRC agenda. Your goal is to establish GRC as a trusted business partner, invested in every department's success.
- Work with Sales and Marketing to make Customer Trust easier for your prospects and customers to consume. This could become your way to audit yourselves and let your customers see your governance and even your evidence, reducing the chances of customers needing to audit you on-site. At the very least, make your policies, security attestations and audits, and some key commonly-requested evidence easy to obtain with little or no human intervention. At the very best, use GRC Engineering and/or a third party vendor to share your current controls and evidence for their compliance with your prospects and customers on a continuous basis.
"You should look into newer TPRM startups that can contextualize what types of access your vendors have and where your data is going..." We agree!
Putting third party risk in perspective. Co-founder, Locktivity, cybersecurity consultant, GRC nerd, CISM.
1 month ago
Super practical advice: the balance between driving awareness, promoting a culture of collaboration and automating where appropriate is always a good way to scale!
Trusted Advisor | Privacy Engineering Advocate | Solver of Wicked Problems
1 month ago
Love the focus on the practical.