Think GRC is a complicated term and as nebulous as say, the Cloud? Well, think again! You may not have to go too far to understand what it is, as long as the context is clear. Let me simplify this for you.
GRC, or Governance, Risk and Compliance, quite simply, represents your own nuclear family. Comprising a father, a mother and children, it is the umbrella term that denotes family. Just like the inherent cohesiveness within a family, it is incumbent upon and imperative for corporations to inculcate cohesiveness when implementing organizational Security and Governance.
Governance – This used to be your Daddy, but in a changed world with gender equity becoming the norm, it could be your Mommy as well. He or she lays out the rules (overall management approach) and expects that someone senior (deputed in their absence) enforces them (management processes). These are your professors, teachers and tutors. Your parents may leave home for work in the morning but the expectation is that you will do your homework, eat your veggies and turn in no later than 9 p.m. These are the rules of engagement.
Risk Management – This could be your mother’s role. She interprets Daddy’s governance, but chances are that there are quite a few chinks in the armor, which she needs to manage on a day-to-day basis before he gets home. Most of them would have to do with the child’s indiscretions.
Risk – This is the teenager who could very well be a rebel without a cause and whom the mother needs to manage.
Compliance – These are the rules or stated requirements of the house, which one has to conform to. When you’re out of compliance, you will be held accountable by your parents, will have to fess up and mend your ways. At an organizational level, it is achieved through management processes which identify applicable requirements. At home, for instance, the potential costs of non-compliance are gauged against qualitative measures and projected expenses, and any corrective actions are taken into consideration. For example, your mobile bill just shot through the roof, or your Internet downloads and video streaming caused a hole in the family wallet. What’s the result? Severe curtailing of your privileges!
Just as the practical workings within a family are mostly qualitative in nature, so is GRC, given the dearth of detailed scientific research on it today. The family, therefore, provides adequate context for the interplay between Security Governance, Risk Management and Compliance.