I was recently asked to host a round table discussion on ‘Governance, Risk and Compliance' (GRC), and I have to admit I was more than a little excited.
Why?
Because the other people around the table were leading lights in the world of Cybersecurity, Risk and Resilience, and I was looking forward to exploring how a GRC framework can work across industries and learning some valuable lessons from those around our virtual table.
I was not disappointed, and what follows are some of the key insights and takeaways that are now on my ‘To Do’ list. If you’re looking to implement a GRC framework, then I suggest they become yours, too.
Seek to understand, then be understood
It was clear from the outset that everyone was in agreement. GRC is often seen as a negative, but it has the capacity to build value and benefit if approached with that mindset. In order to achieve this, however, it was clear there are a number of challenges we must overcome.
Understanding risk is no easy task. Risk is an ethereal and ever-changing term that means different things to different people, with people willing to accept very different levels of risk. When we talk of risk, we talk in negative terms, and that places us into a negative mindset.
Therefore, when we talk to businesses, we need to be mindful of this negativity and approach risk from another direction.
Instead of asking “What are the risks involved?” or “What risks are present?”, we need to re-frame the question and ask “What are our goals?” or “What are our objectives?” Once we understand what we’re trying to achieve, we can move on to “What will prevent us from achieving this goal or objective?” and “What can we do to prevent that happening?” At no point have we asked about the risks involved, yet these questions will give us just what we’re looking for – identifying risks and formulating a risk treatment plan.
Key Takeaway: Pose the questions in relation to goals and objectives. Then remove the negative talk. Practice this on your GRC program or next big project. Ask yourself these questions, and remove the word ‘risk’ from your vocabulary. At first, it may feel a little alien, but I guarantee that it will give you the results you’re looking for.
Governance, Risk and Compliance
It was clear that there is no ‘nirvana’ at which we will ultimately arrive because there will always be risks to be considered and controlled. That is what Governance brings us, namely, the ability to have a structured and coordinated approach to the topic.
According to WPCampus, governance relates to “structures and processes that are designed to ensure accountability, transparency, responsiveness, the rule of law, stability, equity and inclusiveness, empowerment, and broad-based participation.”
It’s clearly important to have a structure that allows you to govern the risks to comply with rules, regulations, and legislation. But how do you do this? Well, there are many GRC tools available that take technical enterprise information and present it to the organization in a structured way. They do so normally through a dashboard of some kind.
But this is the easy part. Having a dashboard will only give you an indication of ‘known knowns.’ They are indicators of key topics you’re aware of. But what about what is really going on in the business?
Key Takeaway: We need to build a picture of the business in terms of locations, functions, and people, and develop a plan for going out and interacting with those functions to understand what is happening, so that we can identify what needs to be measured. This plan is a living document that identifies real people in real terms. You can achieve this through effective communication.
It’s good to talk. It’s better to listen.
Communication is a two-way street and is not a passive exercise. Communication is the foundation of most successful relationships, and the lack of it leads to discord, uncertainty, and frustration. In our discussions, the board was unanimous in agreeing that it’s important to communicate the benefits of implementing a GRC program at every level of the organization and to ensure we tailor that message depending upon who we’re communicating with.
It should not be a one-size-fits-all approach because different people will see the topic differently. How you communicate its importance will need to be equally adaptive. This is where the plan developed previously will become vitally important.
Our plan should outline who you need to talk to, but we should also address how we talk to that audience. The message must be adapted intellectually, emotionally, and culturally for each stakeholder. For example, suppose you implement a GRC program across multiple jurisdictions and regions. It will be clear to the head of a function why they need to develop incident response plans, but culturally, how these plans are developed and accepted will differ from region to region.
It is therefore important to speak in a language and in terms that your audience understands. I’m not suggesting you must become multi-lingual, but certainly, having an appreciation of the multi-cultural aspects of what we’re doing is important. For example, using certain colors and terms in one country may mean something completely different in another. Make sure your message isn’t lost in translation.
Communicating the positive aspects of GRC rather than the negatives will always be a better strategy for winning hearts and minds. Traditional approaches to risk management are akin to using a blunt instrument to hit the business over the head constantly! But we need to put away the ‘stick’ and start offering a few ‘carrots’ so that people will provide information willingly, get behind what you’re trying to do, and ultimately reach the business’s objectives.
By focusing on the positives, we shift the mindset from a negative state to one of possibility and positivity. People will begin to care about what you’re trying to achieve.
Key Takeaway: Start thinking positively. Think ‘carrot,’ not ‘stick.’ Communication is key to successfully implementing a GRC program, so work with your marketing function to come up with an internal awareness campaign for your GRC program. After all, they’re specialists at selling ideas to people, and that’s just what you’re trying to do here. We need everyone to be part of the conversation.
Conclusion: Logos and Pathos
As I conclude, you may be wondering if I had forgotten about the compliance part of the GRC program. In truth, compliance should be the by-product of the work you have already completed. It should be ‘forgotten’ but not ignored. If we continue to look at GRC simply as a compliance tool or in negative terms, we will continue to be frustrated at the lack of engagement in our businesses. This is why we need to change our approach.
I’m not suggesting that you forget about compliance, but I am suggesting that we remember that compliance to the outside world can be a sleep-inducing topic! Of course, it’s vital that you understand what compliance means to your business and what set of standards and regulations you must comply with. But this is where your expertise comes to the fore. Translating compliance requirements into a business context and speaking about them in a positive way can position compliance, and the whole of GRC, as a positive business enabler.
As one of our guests stated, “Focusing only on the negatives is like trying to put reins on a dragon!”
The problem we face is that GRC is often seen as a business inhibitor, almost like a ‘straitjacket’ that restricts and prevents growth. But by explaining what GRC is in positive terms, along with the benefits of building a strong, secure, resilient, and compliant business, the business can thrive, not simply survive—especially during times of trouble and strife. It means that you are helping individuals to achieve their personal and professional goals and placing them in a positive light.
Therefore, we must use both logic and emotion when communicating the importance and benefits of a GRC program. Develop an adaptable approach, and remember you need to communicate to both the rider and the dragon. Otherwise, the dragon may well fall asleep or devour you! I’m guessing neither of those is your desired outcome.
About the Author: Gary Hibberd is ‘The Professor of Communicating Cyber’ at Cyberfort and is a Cybersecurity and Data Protection specialist with 35 years in IT. He is a published author, regular blogger, and international speaker on everything from the Dark Web to Cybercrime and Cyber Psychology. You can follow Gary on Twitter.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.