How to Develop an Effective Governance Risk and Compliance Strategy

Companies can leverage technology like artificial intelligence to make governance risk and compliance initiatives succeed with fewer resources and more buy-in from other departments.

Nathan Eddy, Freelance Writer

February 27, 2024

As businesses grapple with multifaceted risks, developing an effective governance risk and compliance (GRC) strategy has become paramount.

An effective GRC strategy helps organizations in two ways: it aligns cybersecurity and compliance goals with business goals, and it helps them adapt to greater regulatory oversight, including the SEC’s new requirements for cybersecurity disclosures.

A comprehensive GRC program should include a roadmap to address known business risks, contractual obligations, technology challenges and government and industry regulations. Once business goals and risks are identified, organizations will be in a better position to select and implement the appropriate technology in line with GRC strategy and requirements.

Technology -- and AI in particular -- can enhance GRC by automating tasks, providing sophisticated data analysis and enabling predictive analytics, which can ultimately improve operational efficiency.

Aligning Leadership on GRC

Gal Ringel, CEO at Mine, says that to keep GRC strategy aligned with business goals, organizations first need leadership to align on its prioritization. “Compliance has for too long lived in a niche corner of business strategy, but with the AI boom bringing new outsized challenges to the GRC world, every department in an organization needs to understand and be aware of the day-to-day work involved in risk and compliance,” she explains in an email interview.

From there, organizations must look to regulation and anticipate how it will evolve to manage risk and compliance.

“From that regulatory starting point, organizations must monitor technological innovation and go to their customers to see how they want to see products evolve to keep pace with the GRC challenges innovation brings,” Ringel says.

She adds that with the value of data and vast public support for data privacy, opening yourself up to unnecessary risk is unacceptable in today’s business environment.

“For companies that demonstrate they are on the cutting edge of prioritizing and handling risk and compliance, trust and brand loyalty will follow,” she says. “It’s no accident that Apple ran a 2019 marketing campaign centered around the theme ‘privacy matters’.”

Overcoming Silos, Fostering Communication

Teresa Rothaar, GRC analyst at Keeper Security, agrees that the first step for GRC professionals is to obtain executive buy-in on GRC initiatives early in the process.

“Overcoming silos and fostering communication needs to begin at the top,” Rothaar says in an email interview.

Furthermore, aligning GRC goals with broader business objectives ensures both executive management and individual departments recognize the impact that GRC initiatives have on organizational success. 

“Promoting a culture of communication with open dialogue and knowledge-sharing is essential to a successful and efficient GRC strategy,” she says.

Ringel says organizations need to promote awareness and engagement with risk and compliance, because they influence every member of the organization.

“You are only as strong as your weakest link when it comes to risk, so making sure everyone is on the same page and treating risk and compliance smartly is key,” she explains.

Compliance is less directly obvious, but if those values are not communicated through every department -- product design, development, customer support, marketing, and sales -- the end product will reflect that disconnect.

“Not every employee needs to know specific regulations, but everyone needs to share the values of data governance and compliance,” Ringel says.

Gopi Ramamoorthy, head of security and GRC engineering at Symmetry Systems, says a well-organized, unified and disciplined GRC approach is the key to efficiency and cost effectiveness, and is fundamental to business growth over competitors.

“In general, the organizations that have required and adequate compliance certifications will have an easier time to win the contracts and close the business deals from the potential customers including state run agencies,” he says in an email interview.

He notes many compliance frameworks have substantial overlap of controls.

“Unified control implementation and tracking will bring cost and operation benefits to the organizations,” Ramamoorthy says.

Adopting AI to GRC

Ramamoorthy says AI can be useful in analyzing data from continuous monitoring systems, collecting evidence from multiple sources, putting them together in required format and creating required compliance documentation.

“AI could also be useful in alerting or predicting the potential compliance gaps or deviations,” he adds.

Padraic O’Reilly, chief strategy officer at CyberSaint, says AI can play an instrumental role within GRC, noting natural language processing is already leveraged to comply with new standards, speed reporting, and manage cyber risk.

“Soon, AI will make substantial contributions to cyber risk management, which is a complex problem comprised of disparate data sources,” he says.

While IT has historically been a black box to the enterprise due to technological complexity, AI, coupled with automation, can use multi-source data to provide near real-time insights.

Multiple AI models come into play here: Granular neural networks will handle massive datasets and generative models will provide insight in more human-readable formats.

The near real-time part of this is significant. Until very recently, most risk assessment in cyber was done on older datasets, which was a severe limitation, O’Reilly says.

“Attacks and the attack surface change daily,” he says. “The real leap forwards AI and automation represent is the ability to take disparate data, feed it to risk models, and provide insights that are much more accurate because they reflect the current posture with higher fidelity.”

About the Author(s)

Nathan Eddy

Freelance Writer

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.
