Importance of Soft Skills in GRC and How We Work with Others

This post was inspired by Rachel C. as part of a Governance, Risk, and Compliance (GRC) group conversation on how GRC should work together with other business units. I also want to give a shoutout to the ever-inspiring Ayoub Fandi, who is pushing the entire GRC industry forward. I love Ayoub’s passion and contribution to making GRC more technical, although I believe that soft skills, more than hard skills, are what a successful GRC program needs.

As GRC professionals, when we have technical skills, we reduce the time other teams must spend helping us configure or deploy our GRC tooling. We can also collect evidence ourselves, or via automation within these GRC tools, when we know how to run them and understand the technical complexities of the corporate environments we are meant to analyze. It always helps to be able to look at the technical evidence or answers ourselves, to call out when Subject Matter Experts (SMEs) may be misrepresenting their answers, and to step in when auditors go off on an irrelevant tangent or get the wrong idea about a particular technical control, so that we can explain it without needing to bring in other teams. In an ideal world, GRC programs have enough technical staff to operate 90% or more of the time without involving other teams in our internal and external audits. However, without the soft skills to build relationships within our company, the hard skills will never make any difference.

GRC is one of the key business enablers. We need the trust of the organization in order to be given full visibility into the real risks to the business, and in order to have our advice taken seriously when addressing those risks, both negative and positive, since we also have opportunities to contribute to the company’s growth and improve efficiency across multiple teams and operations. Soft skills allow us to build relationships with the executive leadership team as well as with the individual contributors and SMEs.

A GRC program is basically all about cross-functional program management, as we have a lot of responsibilities, but do not carry authority to enforce positive behavior in most cases. We rely on our relationships with teams and individuals to help them understand how their actions can help both us and themselves to make the company more resilient and bring in more business. If all we have are technical skills, we will not be able to make any headway. Our soft skills are needed to understand the unique needs of each team and find common wins for each of them.

Here are some of the ways GRC needs to work together with each business unit:

  • DevOps and Research and Development (R&D): this is where our companies really make money, and it is usually what customers and often regulators care about. We work with DevOps and R&D to ensure a proper Secure Development Lifecycle and other development and deployment controls are implemented in accordance with business risks and the need for efficiency. We also rely on DevOps and R&D practices for most of our audit evidence.
  • Finance: we work with Finance to ensure proper vetting of vendors and to build a solid procurement program with solid Third Party Risk Management (TPRM) that can meet all necessary business needs. We also need to describe risks in terms that Finance understands and to make recommendations on how such risks can positively or negatively impact the company’s bottom line.
  • Human Resources: we work with HR to get a current list of all staff and all terminated staff, to ensure proper employment screenings are performed, and to deploy training and, where necessary, sanctions for non-compliance.
  • IT and Security: we rely on IT and Security teams to configure our GRC tools, to deploy appropriate security tools and relevant technical controls, to produce the evidence for audits and validation of risks where this is not fully automated within GRC tooling, and to help us understand the current IT and Security goals and technical risks.
  • Legal and Privacy: we track and manage compliance with relevant regulations and develop comprehensive GRC programs in order to reduce deviations between the various frameworks and legal and privacy standards, so that we can help the business focus on the right elements.
  • Marketing: we leverage Marketing’s resources to tout our compliance program and possibly preempt customer due diligence. We also work with Marketing to ensure that what we publish is technically and legally accurate (no, SOC 2 is not a certification). We also work with Marketing and Sales to ensure proper processes are followed when prospecting and collecting personal data, to prevent GDPR and similar violations, or at least to work out a practical risk approach to which practices are impactful enough to continue with while minimizing their risks.
  • Product: we work with the Product team to keep all major designs and product features compliant with relevant regulations and within acceptable risk, and to make certain that no risky technologies (e.g., AI or unvetted software) or questionable product features are deployed without our knowledge.
  • Sales: everything we do is ultimately for the Sales team, as our role is to convince customers that we can be trusted and to ensure that trust is maintained, while managing our company’s and our customers’ risks. We work with Sales to develop a faster process to turn around customers’ RFPs and RFIs, to review and negotiate contract terms, and to identify which new customer requirements must be tracked and evidenced for possible audits. We also need to ensure proper OFAC and sanctions vetting of our customers, prospects, and partners without slowing down the business.

Our soft skills help us communicate with each business unit and understand its needs, and our technical skills allow us to analyze how different teams could work together and what common problems they share, in order to bring more value to our companies on top of specific Governance, Risk, and Compliance wins.

Evgeniy Kharam

Author | Cybersecurity Architect | Evangelist | Consultant | Advisor | Podcaster | Moderator | Visionary | Speaker | Awarded Dad | Outdoor Enthusiast

1 month

Good topic :))

Jason Leuenberger

Leadership & Team Coach (PCC / ACTC) | Multipliers Coach | GRC & Cybersecurity Strategy Consultant | Founder

1 month

I agree! And the "soft" skills can often be the hardest to develop. They're human skills, "real" skills, and 100% needed in GRC.

Agreed Val, a very underrated aspect of the workplace

Love the focus on collaboration across the business. Thanks for sharing, Val Dobrushkin

Rachel C.

Putting third party risk in perspective. Co-founder- Locktivity, cybersecurity consultant, GRC nerd, CISM.

2 months
