GRC - Governance, Risk and Compliance
Governance, understood as the organizational model that covers the organization's strategy, goals and processes, resources, organizational structure and communication, is responsible for the proper functioning of the organization. Proper means in line with the expectations of owners, customers and regulators and with legal requirements.
Risk management has for many years been gaining popularity as a method of managing an organization. It focuses on identifying events that have a positive or negative impact on the organization and on assessing that impact. The result of a risk analysis should be security measures that minimize threats to the organization, measures that let it take advantage of opportunities, and mechanisms for monitoring risk.
Compliance covers the mechanisms that ensure conformity with legal requirements, standards and norms, and with other requirements such as contractual ones. It starts with an analysis of requirements, which answers the question of what requirements we have to meet, continues with an assessment of whether they are met, for which internal audit is often used, and ends with improvement.
All three elements fit together. Governance is responsible for defining the organization, i.e. the relationship between resources and their involvement in the activities the organization carries out. That activity is subject to uncertainty arising both inside the organization and in its environment. Analysing this uncertainty and its impact on the organization is the domain of risk management, and it tells us how well our corporate governance is adjusted to meet the requirements of customers or owners. Conformity assessment gives us information about the actual state of affairs, i.e. the discrepancies between the adopted order and how the organization really functions. It also uses the risk mechanisms to analyse the risk of non-compliance and to implement improvement actions that shape the internal order of the organization.
There are many definitions of risk, but the essential elements of all of them are uncertainty and the destabilization caused by the occurrence of an event. It does not matter whether the event is one we are waiting for and which drives our actions, or on the contrary an unexpected one that inhibits or destroys our organization.
Risk seems to many to be something fleeting and immaterial, and therefore hard to grasp. We often talk about risk that is:
- strategic – related to difficulties in implementing strategic plans,
- process – concerning the achievement of the process goal,
- information security – concerning the loss of confidentiality, integrity or availability of information,
- and in many other areas, such as health and safety, quality, the environment, etc.
So where do the problems with risk come from? As long as we talk about the risk associated with an abstract entity such as a goal, a process or information, attach uncertainty to it and try to work out how to manage the risk, we will have difficulties.
A goal has a measure, an indicator, with a specific time frame and expected values, but to achieve the goal we must take action and engage resources. A process is a certain logic governing the execution of activities and the involvement of resources. Information is tied to its carrier, and all threats to information are associated with that carrier. The resources in a process or project and the carriers of information are the organization's assets: people, technologies, machines, devices, ICT systems, rooms, etc.
Once we move the risk analysis down to the asset level, life becomes simple: identifying events and proposing risk treatment actions becomes obvious.
So let us not think about which risks to assign to a given goal, process or piece of information, but instead pay attention to which people, IT systems, devices and rooms are necessary to achieve the goal, carry out the process or process the information. That is where risks, and solutions, should be looked for.
A simple assessment of probability and impact can be quite subjective, coloured by the convictions of the evaluator. That is why it is worth going down one level in order to make our assessment more objective.
To assess the probability of an event, apart from analysing the environment it is worth using vulnerability analysis. Vulnerability analysis shows where the weaknesses of our organization, our IT systems, our employees and our devices lie. The condition of the technical equipment, the IT technologies used, the awareness and experience of our employees, participation in a mature supply chain: all of this affects the probability of events, failures, errors and incidents. An assessment of resources by their owner or business coordinator is therefore a very effective way of establishing the state of those resources, which directly affects probability. Vulnerability analysis in the ICT area, often carried out with scanners and vulnerability analysis tools, reveals how secure our ICT infrastructure is. If our systems are properly managed, with controlled permissions, timely updates, backups and adequate protection inside and outside the network, that will significantly reduce the occurrence of failures, intrusions and other incidents. It will also be a factor that allows us to take advantage of the opportunities that arise in our environment.
When assessing the effects, it is worth paying attention to the security measures in place. Even acting intuitively, we try to protect ourselves against threats. We build fences, lock doors, design access zones and often use security services, all so as to feel safe. Do these measures eliminate the intrusion event? No, but they limit it quite significantly, as long as they are effective. What if the fence has a hole, the door is ajar because the key is missing, the access zone has been switched off because it made moving around difficult, and the security guard is asleep?
Assigning to a given risk factor the security measures (or, for opportunities, the elements that may affect their use) and assessing the effectiveness of those measures and mechanisms allows the actual impact to be verified. In addition, the organization builds knowledge about which assets provide security for other resources, and about what will happen if we give one of them up.
Uncertainty is difficult to quantify, and that is what risk is: a measure of uncertainty and its consequences. To quantify risk, it is worth estimating how likely the event (chance or threat) affecting us is. The probability scale can take many forms (points, a number, a percentage). Another useful measure is the assessment of the impact of the event on our organization. When assessing impact we can use many impact areas: financial, legal, reputational and others. We can express the effects in points, in money, or analyse them over time.
The product of the probability measure and the effect measure is the value of the risk, which is worth placing on the risk cube (risk matrix) in order to evaluate it. In this way we obtain the dimension of the risk.
An objective, resource-based risk analysis process largely determines the effectiveness of the risk management activities that are planned and implemented. Planning at the level of goals, processes and information would again take us into a rather abstract area. At the level of resources it is much easier to identify specific actions that eliminate the vulnerabilities of individual resources, improve the effectiveness of the security measures already in place, or introduce new ones. The action plan should be specific and tied to resources, and therefore have an impact on the likelihood or the effect of a risk. The plan should be monitored on an ongoing basis, and the best assessment of its effectiveness, apart from audit and testing, is a re-analysis of the risk.
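As an added illustration of the resource-based approach described above (this is example code written for this page, not the article's own method or any vendor tool's logic), the following Python block scores risk at the asset level: each open vulnerability raises the likelihood of an event, security measures lower likelihood or impact in proportion to their assessed effectiveness, the product is placed on a 5x5 risk cube, and the results are rolled up per business process. It also re-scores an asset after one of its security measures is given up. The 1..5 scales, the band thresholds, the one-point-per-vulnerability rule, the "independent layers" combination of controls, and the asset register itself are all assumptions made for the example.

```python
"""Asset-level risk scoring: vulnerabilities raise likelihood, security measures
lower likelihood or impact according to their effectiveness, the product lands
on a 5x5 risk cube and results are aggregated per business process.
Constructed example; scales, bands and assets are assumptions."""
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

SCALE_MAX = 5                      # assumed 1..5 point scales for likelihood and impact
# Assumed bands of the risk cube: (upper bound of likelihood x impact, label).
BANDS = [(4, "low"), (9, "medium"), (14, "high"), (25, "critical")]


@dataclass
class Control:
    name: str
    effectiveness: float          # 0.0 = ineffective (a hole in the fence) .. 1.0 = fully effective
    reduces: str                  # "likelihood" or "impact"


@dataclass
class Asset:
    name: str
    process: str                  # business process that needs this asset
    base_likelihood: int          # environment-driven likelihood before vulnerabilities, 1..5
    impact: int                   # inherent impact if the event materialises, 1..5
    vulnerabilities: List[str] = field(default_factory=list)
    controls: List[Control] = field(default_factory=list)


def _clamp(v: int) -> int:
    return max(1, min(SCALE_MAX, v))


def _combined_effectiveness(controls: List[Control], dimension: str) -> float:
    # Treat controls as independent layers: what gets past all of them is prod(1 - e_i).
    remaining = 1.0
    for c in controls:
        if c.reduces == dimension:
            remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def _apply_controls(raw: int, controls: List[Control], dimension: str) -> int:
    # Fully effective controls bring the score down to 1; ineffective ones (0.0)
    # leave it unchanged.  Round half up to avoid Python's banker's rounding.
    eff = _combined_effectiveness(controls, dimension)
    reduction = int(eff * (raw - 1) + 0.5)
    return _clamp(raw - reduction)


def rating(value: int) -> str:
    """Map a likelihood x impact product onto the risk cube bands."""
    for upper, label in BANDS:
        if value <= upper:
            return label
    return BANDS[-1][1]


def score(asset: Asset) -> Tuple[int, int, int, str]:
    """Return (residual likelihood, residual impact, risk value, rating) for one asset."""
    # Each open vulnerability raises the likelihood by one point on the scale (assumption).
    raw_likelihood = _clamp(asset.base_likelihood + len(asset.vulnerabilities))
    likelihood = _apply_controls(raw_likelihood, asset.controls, "likelihood")
    impact = _apply_controls(asset.impact, asset.controls, "impact")
    value = likelihood * impact
    return likelihood, impact, value, rating(value)


def without_control(asset: Asset, control_name: str) -> Asset:
    """Copy of the asset with one security measure given up, to see what that costs."""
    return replace(asset, controls=[c for c in asset.controls if c.name != control_name])


def aggregate(assets: List[Asset]) -> Dict[str, dict]:
    """Roll asset-level results up to the process level (worst asset and summed value)."""
    out: Dict[str, dict] = {}
    for a in assets:
        _, _, value, _ = score(a)
        entry = out.setdefault(a.process, {"worst_asset": a.name, "max_value": 0, "total": 0})
        entry["total"] += value
        if value > entry["max_value"]:
            entry["max_value"], entry["worst_asset"] = value, a.name
        entry["rating"] = rating(entry["max_value"])
    return out


# Constructed asset register: hypothetical assets, processes, vulnerabilities and controls.
ASSETS = [
    Asset("file-server", "invoicing", base_likelihood=2, impact=5,
          vulnerabilities=["unpatched SMB service", "shared local admin password"],
          controls=[Control("network segmentation", 0.6, "likelihood"),
                    Control("nightly backup", 0.5, "impact")]),
    Asset("server-room", "invoicing", base_likelihood=1, impact=4,
          vulnerabilities=["door left ajar (key missing)"],
          controls=[Control("perimeter fence", 0.0, "likelihood")]),   # the fence has a hole
    Asset("accounting-staff", "payroll", base_likelihood=3, impact=3,
          vulnerabilities=["no phishing awareness training"],
          controls=[Control("MFA on mailbox", 0.8, "likelihood"),
                    Control("four-eyes approval on transfers", 0.5, "impact")]),
    Asset("legacy-erp", "payroll", base_likelihood=3, impact=5,
          vulnerabilities=["vendor end-of-life, no patches", "default credentials"]),
]

if __name__ == "__main__":
    for a in ASSETS:
        lik, imp, val, rat = score(a)
        print(f"{a.process:10} {a.name:18} L={lik} I={imp} risk={val:2} {rat}")
    print("file-server without nightly backup:", score(without_control(ASSETS[0], "nightly backup")))
    for process, summary in aggregate(ASSETS).items():
        print(process, summary)
```

Two design choices are worth noting. Controls are assigned to a dimension (likelihood or impact), which mirrors the article's point that a backup does nothing to stop an intrusion but limits its effect, while segmentation does the opposite; and effectiveness is a per-control input, so the "fence with a hole" is simply a control rated 0.0 that leaves the score untouched. Re-running `score` on `without_control(...)` is the "what happens if we give something up" check from the text: dropping the backup moves the file server from a medium to a high rating.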
We automate both of these processes, including internal audit and testing or vulnerability analysis. You can read more about it:
We make the risk management area integral and consistent regardless of the risk subject: operational, security, continuity, GDPR, etc.
The risk management process is the subject of many studies, standards and methods; ISO 31000 and ISO 27005 are worth mentioning. These standards describe the course of the process, but we make sure that the process is as widespread as the risk itself. That means that as many employees as possible participate in it, which builds awareness and disseminates risk management mechanisms across the organization. We often see the process conducted by a handful of experts, but the most effective is the participatory approach: "I take part, I feel responsible".
The process should include determining the context of the organization, i.e. the assumptions that describe the way we operate. It is very good to refer to the strategy, which should be the basis for describing the objectives of processes and projects. If the process does not cover the entire organization, it is worth describing the risk context, i.e. the area the analysis will concern.
Risk identification, assessment and analysis, the calculation method, the set of methods for identifying vulnerabilities and evaluating the effectiveness of security measures, and the possible aggregation of risks are components of the process. It should not be forgotten that the process must also include a mechanism for planning actions, monitoring them and evaluating their effectiveness.
The process should also be integrated with the internal governance and compliance assessment processes, e.g. internal audit. You can read about the integral approach to GRC here.
The last, but no less important, part of the risk management process is the incident management sub-process. Risk materializing is a natural phenomenon; we must be prepared for a risk factor to occur and materialize, and thus for the consequences. Responding and taking action when an incident occurs matters from the point of view of risk management and of building knowledge about the actual effects of a risk occurring.
Effective risk management requires tools. Involving employees in identifying and assessing risk, disseminating risk maps and registers, and monitoring actions all require an effective tool that automates the process, ensures timeliness, aggregates results and prepares feedback in the form of dashboards and reports. Among the many available on the market, it is worth choosing those whose licensing allows unlimited cooperation and communication and whose logic allows risk analysis to be carried out in many areas, in accordance with legal requirements and international standards. In large organizations, capital groups and holdings, mechanisms for aggregating risk within a business line, process, area or set of requirements, and reporting tailored to the needs of financial supervision and legal requirements, will be important.
Related blog articles
The National Cybersecurity System (Krajowy System Cyberbezpieczeństwa) sets requirements for operators of essential services and for digital service providers. What are these requirements, described rather sparingly in the Act? What does the Act itself say about how to ensure the security and continuity of essential services?
A common problem for organizations is providing an effective internal communication channel that guarantees proper accountability, e.g. for handling data subject requests or for reporting and handling personal data breaches.
How long does it actually take to identify and fulfil a data subject's rights? Does our record of processing activities support the exercise of those rights? Are we able to automate the processes for fulfilling data subject rights?