Resilient GRC: Tackling Contemporary Challenges With a Robust Delivery Model

Author: Robert Putrus, CISM, PMP, PE
Date Published: 7 February 2024

Governance, risk and compliance (GRC) is a framework and set of practices that help establish a comprehensive and integrated approach to govern and manage an organization. It promotes good governance practices, identifies and addresses risk and ensures compliance with relevant laws and regulations. By implementing GRC, organizations are empowered to achieve better control, accountability, transparency and sustainability in their operations.

The Open Compliance and Ethics Group (OCEG) defines GRC as an integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty and act with integrity to achieve principled performance.1

Resilience is the capability to swiftly rebound from challenges, enabling a business to regain its form after an adverse event. Together, these principles underpin effective organizational management by providing direction, resilience against risk and ethical operational practices.

Strengthening and rationalizing these processes can help improve business performance and enhance decision making within corporate governance boards. Organizations across a variety of industries can benefit from a well-planned GRC strategy.2

A resilient GRC model sustains organizations navigating intricate GRC challenges by fostering flexibility, coordination and agility. Embracing a resiliency approach enables organizations to adeptly respond to evolving regulations and emerging risk while upholding efficiency. Ultimately, a resilient delivery model bolsters GRC functions, enabling organizations to withstand disruption and ensuring a consistent track record of meeting obligations. Essentially, opting for a resilient delivery model enhances the capacity of GRC programs to endure disruptions and uncertainties, securing an organization’s lasting success in fulfilling its duties and responsibilities.

Strategic Placement of GRC: Autonomy, Integrated With IT or Integrated Within the CISO Role?

One could argue that attaining a resilient GRC model within an organization depends on various factors, such as the organization’s size, industry and overall structure. Although there is no universal solution, the common placement options for the GRC function are situating it outside the IT jurisdiction, placing it within the purview of the IT organization, or including it as a component of the chief information security officer’s (CISO) duties.

When the GRC function is closely integrated with the IT function, GRC responsibilities related to IT GRC are directly embedded within the IT function. This integration ensures more focused alignment of IT operations and GRC activities. However, the objectivity of the GRC organization may be compromised by bias and by inadequate segregation of duties, because the function is assessing the very organization it belongs to.

When GRC functions are integrated with the CISO’s responsibilities, this arrangement can help foster better alignment between security objectives, risk management and compliance efforts. This integration allows the CISO to have direct oversight and control over GRC activities, ensuring that security measures are integrated into the overall governance framework and that compliance requirements are met. However, again, the objectivity of the GRC organization may be compromised by bias and by inadequate segregation of duties. At present, the majority of enterprises integrate the GRC function either within the IT department or within the CISO’s role. However, to achieve a resilient GRC model, an alternative approach is proposed: the optimal configuration for GRC is to establish it as an autonomous entity, independent of the IT function.

An independent GRC function typically reports to senior management or the board of directors. This model allows for holistic and objective oversight of governance, risk management and compliance across the organization, including IT-related aspects. The autonomous GRC model is the ideal approach to achieving GRC resilience in many organizations.

Advantages of this model include:

  • Objective oversight—An independent GRC function can provide an unbiased perspective on governance, risk, and compliance matters, including those related to IT.
  • Broader organizational view—With a holistic focus on the entire organization, an independent GRC function can address risk and compliance beyond merely IT.
  • Centralized expertise—Consolidating GRC expertise into a dedicated function allows for specialization and the development of comprehensive GRC practices.

In order to enhance resilience, it is advisable for organizations to establish autonomy within their GRC functions. This autonomy is particularly relevant when an organization places a strong emphasis on compliance and risk management across the entire enterprise, going beyond the realms of IT and security. To achieve this, it is crucial to establish well-defined roles, responsibilities and communication channels. This setup facilitates seamless collaboration among GRC, IT and other pertinent departments within the organization, ensuring an effective and coordinated approach to governance, risk management and compliance. In these instances, GRC can function effectively with its dedicated team, reporting directly to executives such as the chief compliance officer (CCO).

Irrespective of the chosen model, the key imperative is to guarantee that GRC responsibilities, encompassing IT-related facets, are comprehensively attended to.

The GRC Business- vs. Technology-Driven Model

In business-driven GRC, the focus is on aligning GRC activities with an organization’s strategic objectives and overall business goals. This approach emphasizes the integration of GRC into core business processes, decision making and organizational culture. It involves establishing clear accountability and ownership of GRC responsibilities across the organization, including the board of directors, executive management and various business units. The business-driven model prioritizes risk assessment, risk mitigation, compliance management and ethical considerations as integral components of the organization’s operations.

Conversely, the technology-driven model places a stronger emphasis on leveraging technology solutions and tools to facilitate GRC activities. This approach utilizes GRC software platforms, automated workflows, data analytics and other technological capabilities to streamline and enhance GRC processes. The technology-driven model aims to improve efficiency, accuracy and scalability in managing governance, risk and compliance requirements. It enables real-time monitoring, reporting and analysis of GRC data, providing organizations with better visibility into their risk and compliance postures.

It is important to note that these two models are not mutually exclusive, and organizations often adopt a hybrid approach that combines elements of both. The specific choice of model depends on the organization’s priorities, resources and the nature of its industry and regulatory environment. Ultimately, the organization’s goal is to strike a balance between business alignment and technology enablement to achieve effective GRC practices. However, embracing a business-driven GRC model helps guarantee resilience because although technology plays a crucial role in supporting GRC efforts, a business-driven approach ensures that GRC initiatives are aligned with the organization’s strategic objectives, comprehensive in their risk assessment and adaptable to changing business conditions. This approach promotes a more resilient and effective GRC framework that ultimately benefits the entire organization.

Figure 1 outlines the differences between the GRC business- and technology-driven models.

Figure 1—Illustrating the Differences Between the GRC Business- and Technology-Driven Models

The Effect of Outsourcing GRC

Outsourcing GRC functions can have both pros and cons. Some organizations may justify outsourcing GRC because it enables them to readily access external experts with specialized knowledge of industry trends and regulatory changes. Furthermore, when cost constraints pose challenges, outsourcing can help mitigate expenses related to recruitment, staff training and access to technology tools. If outsourcing GRC, organizations must ensure robust contractual agreements and ongoing monitoring to address potential challenges and risk that could affect resiliency.

However, overall, outsourcing GRC can also compromise resiliency. In general, organizations should maintain in-house GRC expertise to maintain control and oversight of crucial functions.

Disadvantages of outsourcing GRC include:

  • Loss of control—Outsourcing GRC functions may result in a loss of direct control over critical aspects of governance, risk management and compliance. Organizations need to carefully select reliable and trustworthy service providers to ensure that their GRC needs are effectively met. Communication and collaboration with service providers are crucial to maintaining visibility and oversight.
  • Cultural fit and alignment issues—Outsourcing GRC functions may introduce challenges in terms of cultural fit and alignment with the organization’s values and goals. External service providers may have different approaches, priorities or methodologies that need to be carefully aligned with the organization’s requirements and expectations. 
  • Security and confidentiality risk—GRC often involves handling sensitive information, including legal, financial and strategic data. Outsourcing GRC requires strong confidentiality and data security measures to protect sensitive information from breaches or unauthorized access. It is essential to establish clear contractual obligations and security protocols with the service provider to mitigate risk.
  • Dependency on third parties—Outsourcing GRC creates a dependency on external service providers. This dependency may introduce challenges if the service provider faces disruptions, financial issues or changes in their own organization. Organizations need to carefully manage relationships with service providers, including defining performance metrics, monitoring service levels and creating contingency plans.
  • Lack of organizational knowledge and culture—An in-house GRC function can foster a deeper understanding of the organization’s culture, processes and risk landscape. Outsourcing GRC may require significant knowledge transfer and ongoing communication to ensure that the service provider fully grasps the organization’s unique context and can effectively address its specific needs.

What Are the Challenges With GRC?

Many organizations face challenges when it comes to effectively implementing GRC programs within their IT operations. These struggles often arise because GRC programs are developed independently, focusing on the individual capabilities of specific tools, without adequately considering their compatibility with the organization’s IT infrastructure and risk landscape. This inevitably leads to costly and complex integration initiatives or the inadequate utilization of these tools due to unavailable or inconsistent data. These consequences can be mitigated by addressing the root causes, identifying commonalities and devising remedies among threats, risk, controls and perspective measures.3 Several key challenges include:

  • Complexity of regulatory landscape—Organizations operate in dynamic and complex regulatory environments. Keeping up with evolving regulations across multiple jurisdictions and industries can be challenging. Compliance requirements vary across regions, and new regulations are regularly introduced, requiring organizations to continuously monitor and update their compliance programs.
  • Changing business environment—Organizations operate in a rapidly evolving business landscape characterized by digital transformation, globalization and increasing interconnectivity. These changes introduce new risk and compliance challenges that organizations must proactively manage. GRC processes must be agile and adaptable to respond to evolving business models, emerging technologies and geopolitical factors.
  • Siloed approach—Many organizations manage GRC activities in separate silos, which can lead to inefficiencies and a lack of coordination. Siloed processes and systems make it difficult to gain a holistic view of risk and compliance status, resulting in fragmented efforts and potential compliance gaps.
  • Lack of integration—GRC activities often involve multiple departments and stakeholders, including legal, IT, finance and operations. Inadequate integration of GRC processes and systems can lead to information gaps, duplication of efforts and inconsistent reporting. A lack of coordination between these functions can hinder an organization’s ability to identify and mitigate risk effectively.
  • Resource constraints—Allocating sufficient resources to GRC functions, including skilled personnel, technology and financial resources, can be a challenge. Many organizations struggle to maintain dedicated GRC teams or invest in adequate technology solutions to support their compliance efforts. Limited resources can impede effective risk assessment, monitoring and reporting.
  • Technology advancement—Rapid advancements in technology introduce new risk and challenges for GRC. With the increasing use of cloud computing, big data analytics, artificial intelligence (AI) and the Internet of Things (IoT), organizations must adapt their GRC processes to address emerging risk associated with these technologies. However, it is important to keep in mind that incorporating new tools and systems can be complex and require significant investment.
  • Lack of risk awareness—Sometimes, organizations fail to adequately assess and address risk due to a lack of risk awareness among stakeholders. Employees may not fully understand the risk associated with their roles and responsibilities, leading to compliance violations or ineffective risk mitigation efforts. Building a risk-aware culture and promoting risk education and training are crucial to addressing this challenge.

To establish a robust GRC model, enterprises should consider several key recommendations to mitigate these challenges. These include aligning GRC with strategic goals, appointing dedicated leadership, integrating GRC functions, conducting comprehensive risk assessments, implementing structured compliance programs, leveraging technology and AI capabilities, providing ongoing training, fostering a culture of continuous improvement, measuring performance, incorporating ethical considerations, designing for flexibility, establishing auditing and monitoring functions, and promoting communication and transparency. By following these recommendations, organizations can enhance risk management, compliance and overall governance, ultimately promoting resilience and success.

To rebound and seize opportunities amidst evolving challenges, organizations are adapting their GRC systems. Key trends in GRC include greater board-level involvement; integrated GRC platforms; a focus on data privacy and protection; adherence to industry-specific regulations; a heightened emphasis on cybersecurity risk management; efficient third-party risk management; a growing importance of environmental, social and governance (ESG) compliance; and the integration of automation, AI and machine learning (ML) technologies to enhance GRC processes. These trends ensure alignment with business objectives, streamline processes and bolster risk management and compliance efforts, creating resilience in a rapidly changing landscape.

The Road Map to the Resilient Development of GRC

Many organizations are consolidating operational risk management and business continuity management into a unified program known as operational risk and resilience. In the next two to three years, a widespread shift toward the adoption of integrated operational risk and resilience programs is anticipated. To achieve a thorough comprehension of risk and resilience, it is crucial to possess a 360-degree contextual awareness of the interconnections among objectives, risk, processes, controls, resilience and integrity. This requires embracing a holistic perspective that incorporates comprehensive visibility and intelligence regarding risk and resilience.4

As shown in figure 2, developing a resilient GRC program requires a well-defined roadmap to ensure systematic and effective implementation. The roadmap comprises a sequence of steps through which organizations are encouraged to adopt an internally led, business-focused and self-sufficient GRC model, minimizing reliance on external outsourcing and striving for autonomy to the fullest extent possible. This strategy nurtures a proactive GRC culture that is indispensable for successfully navigating the ever-changing business landscape. The steps include:

Figure 2—The Road Map to the Resilient Development of GRC

  1. Define the scope—Clearly define the scope and objectives of the GRC program. Identify the areas of governance, risk management and compliance that need to be addressed, considering the specific needs and risk of the organization.
  2. Establish a governance framework—Develop a governance framework that outlines the governance structure, roles and responsibilities within the organization. Define reporting lines, decision-making processes and mechanisms for oversight and accountability.
  3. Conduct a risk assessment—Perform a comprehensive risk assessment to identify and prioritize risk. Evaluate both internal and external risk that can impact the achievement of organizational objectives. This assessment should include risk identification, assessment and quantification.
  4. Develop risk management processes—Design and implement risk management processes and methodologies. This includes risk identification, risk analysis and evaluation, risk treatment and mitigation, and ongoing monitoring and reporting. Consider integrating risk management into existing business processes.
  5. Establish compliance processes—Develop processes to ensure compliance with relevant laws, regulations and industry standards. Identify applicable requirements and establish mechanisms for tracking and monitoring compliance. Implement compliance controls and procedures to mitigate compliance risk.
  6. Implement controls and procedures—Define and implement internal controls and procedures to mitigate risk and ensure compliance. Some examples of controls include segregation of duties, access controls, approval processes and documentation of control activities. It is important to regularly monitor and test controls to ensure their effectiveness.
  7. Develop policies and procedures—Create policies and procedures that outline the organization’s governance, risk management and compliance requirements. These policies should be comprehensive, aligned with industry best practices and regulatory requirements, and easily accessible to employees. 
  8. Establish communication and training—Develop a communication plan to raise awareness and facilitate understanding of GRC practices across the organization. Provide training programs to employees on their roles and responsibilities, risk awareness, compliance requirements and designated reporting channels. 
  9. Implement technology solutions—Leverage GRC software and technology solutions to automate and streamline GRC processes. Implement tools for risk assessment, compliance tracking, policy management, incident reporting and data analytics to enhance efficiency and effectiveness.
  10. Monitor, measure and improve—Continuously monitor and measure the effectiveness of the GRC program. Establish key performance indicators (KPIs) and metrics to evaluate the success of the program. Conduct regular audits and reviews to identify areas for improvement and implement necessary enhancements.
  11. Enhance reporting and transparency—Develop reporting mechanisms to provide stakeholders with clear and transparent information about governance, risk and compliance activities. Establish regular reporting cycles to communicate key risk, compliance status and remediation actions to relevant stakeholders.
  12. Foster a GRC culture—Foster a culture that promotes GRC awareness and accountability throughout the organization. Encourage employees to take ownership of risk management and compliance responsibilities. Recognize and reward good GRC practices and ethical behavior.

It is important to note that this roadmap is meant to be a general guide and may need to be tailored to suit the specific needs and context of each organization. Organizations should regularly review and update the GRC program to align with changing risk, regulations and business requirements.

Organization Chart for GRC Based on Functional Charter

A functional organization chart for GRC can vary depending on the specific needs and structure of an organization. In light of this, it is important to carefully consider the roles and responsibilities within the GRC framework to ensure optimal efficiency and effectiveness. Consider removing the position of CISO because all the functions typically performed by the CISO can be integrated within the GRC functional charter and be placed under the authority of the CCO (figure 3).

Figure 3—Proposed Titles and Roles for a Resilient GRC Organization

Figure 4 shows the proposed organization chart for an autonomous GRC model to secure the autonomy and resilience of GRC.

Figure 4—Organization Chart for GRC Based on Functional Charter

The autonomous GRC model eliminates the ambiguous line separating the functions of IT headed by the CIO and the IT security function headed by the CISO.

It is important to note that the size and specific roles within each team may vary depending on the organization’s size, industry and complexity. This proposed functional organization chart provides a foundation for structuring a resilient GRC department, but it can be customized and expanded to meet the specific requirements of any organization.

Conclusion

GRC plays a crucial role in today’s dynamic business environment. As organizations face increasing complexities and regulatory requirements, managing GRC effectively has become more challenging than ever before.

Current challenges with GRC include the rapid pace of regulatory changes, the integration of technology and data management, the need for a holistic and proactive approach and the growing complexity of global operations. These challenges require organizations to adopt resilient GRC strategies to ensure compliance, manage risk and maintain good governance practices.

A resilient GRC model adapts to a rapidly evolving landscape by leveraging technology, data analytics and flexible design principles. It enables organizations to proactively identify and manage emerging risk, respond to regulatory changes and ensure that compliance efforts remain effective amid changing circumstances.

Organizations aiming to enhance resilience should grant autonomy to their GRC functions, which proves especially beneficial when they emphasize enterprisewide compliance and risk management beyond IT and security. In such instances, resilient GRC can have a dedicated team reporting directly to top executives such as the CCO.

The resilient model for GRC provides a comprehensive framework that combines people, processes and technology to enhance GRC effectiveness. By adopting this model, organizations can streamline GRC processes, enhance decision-making capabilities and achieve better alignment between risk management and business objectives.

However, while the resilient delivery model of GRC offers promising solutions, its implementation requires careful planning and consideration. Organizations must invest in talent development with the right skill sets and establish a culture of risk awareness and accountability. Furthermore, continuous monitoring, evaluation and improvement of the GRC framework are essential to ensure its effectiveness and alignment with evolving regulatory landscapes.

Organizations must adopt a resilient GRC model that is internally driven, business-centric and autonomous and avoid reliance on external outsourcing. Such an approach will cultivate a proactive GRC culture essential for effectively navigating the ever-changing business landscape. Only by doing so can organizations effectively manage risk, maintain good governance and thrive in an increasingly complex and regulated world.

Endnotes

1 OCEG, “What Is GRC (Governance, Risk, and Compliance)?” http://www.oceg.org/ideas/what-is-grc/
2 Diligent, “Governance, Risk and Compliance (GRC): Definitions and Resources,” 13 July 2023, http://www.diligent.com/insights/grc
3 Gaillard, J. C.; “The Key Ingredients of a Successful GRC Program,” Forbes, 9 February 2023, http://www.forbes.com/sites/forbes-business-council/2023/02/09/the-key-ingredients-of-a-successful-grc-program/?%20sh=312b915e3dd4&sh=38cb10356543
4 GRC 20/20 Research, LLC, “2023 GRC Trends: Resilience,” The GRC Report Insights, LinkedIn, May 2023, http://www.linkedin.com/company/grc-20-20-research-llc?trk=article-ssr-frontend-pulse_publisher-author-card

Robert Putrus, CISM, PMP, CFE, PE

Is a professional with senior management experience in IT, cybersecurity, regulatory and internal controls compliance, managed services, global transformation programs, portfolio and program management, and IT outsourcing. He has published many articles and white papers in professional journals, some of which have been translated into multiple languages. Putrus is quoted in publications, articles and books, including those used in Master of Business Administration programs in the United States. He can be reached at http://www.linkedin.com/in/robert-putrus-cism-pmp-cfe-pe-8793256/.