Food for Thought? GRC!
Sun, 10/31/2010 - 8:00pm
A famous Hannibal once said “I ate his liver with some fava beans and a nice chianti.” Wait! Scratch that. Wrong Hannibal. Now picture this: George Peppard, the A-Team’s John “Hannibal” Smith, smug, suave, cigar in mouth, intoning the catch phrase, “I love it when a plan comes together.” He could have been talking about GRC – governance, risk, and compliance – because in the GRC stew, lots of plans are coming together, or at least they should be.
GRC and BCP are more than a couple of acronyms; they’re both potential superstars, standing by to serve up corporate glory and good fortune. And if BCP is prime time’s Peppard, then GRC is Oscar winner Anthony Hopkins – Sir Anthony Hopkins, A-List and higher up the corporate food chain than BCP might ever be. That’s because GRC speaks more directly to what executives care about – the bottom line.
Some experts say that aligning with GRC is the way to go for business continuity professionals, suggesting that such a partnership may even get BCP a seat at the table with the big boys. That may be so. But you’d better be ready when you get there, or they just might have you for lunch ... with a nice chianti.
What do you need to know about GRC? Read on and find out from Kevin Hall, president of Global AlertLink, and Tejas Katwala, CEO of Continuity Logic.
CI: GRC? That’s a new acronym for me. What does it mean and what should it mean to me?
Kevin Hall, Global AlertLink: If governance, risk, and compliance (GRC) is a new acronym for you, then it may not be relevant to your job or you really need to get up to speed quickly. I encourage you to discuss GRC with your risk management and compliance departments. Make sure that you understand from both how your area integrates with their groups. We often see the silo effect, where business continuity and even disaster recovery work almost in a vacuum. If you do not know about GRC, then chances are your structure may utilize this silo approach.
GRC varies from organization to organization, but it is really a product of convergence. As organizations reviewed the three components and as environmental areas began to change (i.e. SOX), the overlap and synergies among them became clear. The three areas began to converge. I believe we are still in the earlier stages of this convergence and that the radius of this convergence goes well beyond what most relate directly to governance, risk, and compliance. Today, we see how business continuity, disaster recovery, emergency response, and security all fit nicely into these areas.
I believe that the convergence of GRC is a great example of the path that BC, DR, EM, and security are on. If you are in continuity or disaster recovery, you must understand how your organization governs, how you are helping it manage risk, and what you must do to ensure its compliance. I would start there and then continue the dialogue with your counterparts in risk and compliance to discuss ways of increasing integration and convergence.
Tejas Katwala, Continuity Logic: GRC, or governance, risk, and compliance, is a powerful enterprise activity that presents organizations with the ability to enhance their value by integrating separately “silo-ed” activities that encompass people, process, and technology. These activities include establishing organizational priorities such as managing risk, allocating assets, and setting policies. Examples of policies are information and business continuity management policies.
Organizations will realize greater efficiency and effectiveness with an integrated GRC system in place. While the term GRC is sometimes used by compliance officers, risk officers, or auditors, GRC is best understood when each of the elements of GRC is broken down. Governance provides a common framework to help manage the federation of organization roles, policies, and processes. Risk is used in many different ways, from a simple risk assessment to a full-blown enterprise risk management process. In either case, a well-instituted risk management process will help an organization identify and prioritize:
• Reputational risk
• Financial risk
• Operational risk
• IT risk
• Assessment of the above as impacting achievement of corporate objectives
• Utilization of a set of controls and tools to reduce or avoid risk
• Tolerance levels within each risk category that reflect the level of acceptable risk for the organization to assume.
Compliance entails establishing a process to document procedures and controls to adhere to internal and legislative regulatory requirements as well as monitor policy initiatives. Having an integrated GRC system in place is an excellent business practice for compliance and continuity managers as well as practitioners. It also will help those individuals and their organizations ensure operations are sustainable and conducted in an ethical, legal manner.
CI: How do GRC and BCP relate?
Hall: Again, GRC is different in every organization. I have encountered all sorts of structures where the relationship between GRC and BCP varies significantly. I have seen structures where there was literally no relationship (not recommended). My favorite is where GRC is the umbrella and BCP becomes a component of GRC. For all regulated entities, business continuity and disaster recovery must be closely aligned with GRC.
I like to think of governance as the overall management approach to the organization. How are decisions made? What is the structure of the organization? So, relating this to BCP, how much priority is put upon business continuity within an organization? What value is placed upon BCP within the organization? How involved is senior leadership with business continuity? We’ve seen company after company say that their old, outdated, irrelevant three-ring binder is good enough, only to realize it isn’t when disaster hits. It is the directors’ and officers’ responsibility to ensure their organization is prepared for and can manage through any situation.
Every company must manage risk. Keen organizations turn risks into profits. The risk management component of GRC identifies, analyzes and manages risks that exist within an organization. So, this one is a no-brainer of how BCP fits. BCP is planning for potential interruptions or risks. I truly believe that BCP is a component of risk management. If you haven’t already done so, I encourage you to establish a close relationship with your risk department and work together to address your organization’s protection.
Compliance ensures that all responsibilities of the company are met for regulatory bodies, laws and requirements. For many, strong BCP is a requirement. Compliance must ensure that BCP is up-to-date and ready for any situation. Compliance must ensure that regular testing is performed and that plans are reviewed on a regular basis. If you haven’t already established a line of communication with your compliance department, now is the time. You are responsible for ensuring that the BCP area is in compliance.
Katwala: Today, the relationship between GRC and BCP programs continues to grow because they share a common goal: improving the sustainability of the organization. In addition to sustainability, both GRC and BCP strive to achieve operational excellence. I believe there is a strong benefit to the organization by aligning GRC and BCP more closely since both programs rely on a strong risk management process to identify and provide critical input. Aligning GRC and BCP will enable organizations to break down risk management silos and share information across the programs. The benefits of accomplishing the above will be an increase in collaboration, transparency, and effectiveness.
For example, GRC programs will become stronger by having a better view of business impact provided by the list of potential business disruptions contained within a business impact analysis conducted as part of a BCP program. BCP programs will benefit by gaining executive level visibility that BCP professionals have been searching for in the past. The reason is GRC programs typically start at a top-level strategy that is pushed down through the organization while BCP traditionally has traveled from the bottom up.
CI: What are the three top best practices in GRC and business continuity planning?
Hall: First, mindset. I think it is critical to establish a mindset that business continuity is a component of GRC. If you see BCP as a separate entity with only limited links to GRC, then you will not be able to fully integrate. And, it should not be just your mindset; there must be a mindset within the entire organization. I would encourage you to be a champion of integration within your organization. While many BC planners do not like change, business continuity will gain more attention and focus if it becomes part of your GRC program than it ever would alone.
Second, software. Software will make integration easier. After SOX, we saw an explosion of GRC software products. Today, new products integrate business continuity with GRC. If you have multiple systems, you will never truly integrate and your life will be harder than necessary. If your BC plans are in one program and your DR plans are in another, the two groups will never truly come together. You will save so much money, time and energy by integrating platforms, not to mention that your number one goal of protecting your organization will become a reality.
Third, convergence. I saved the best practice for last. Converge your areas. Think of it as one. Establish clear integrations with GRC and BC, DR, EM and security. Even if you are not ready for full convergence, build relationships and communication paths among the silos. Begin to break down the traditional walls and work together. You do not need a converged structure to succeed. It is all dependent on the mindsets of the individuals. If everyone thinks of it as one, then the structure behind it is secondary. Be open to change and the integration of others into your world. This is not a turf war, rather it is a war between your company and all of the risks that exist in the world.
Katwala: GRC is broad and defined differently from organization to organization. GRC could mean enterprise risk management, compliance management, IT governance, financial risk management, or the ability to finally break down the barriers between process and culture to enhance oversight and performance. Being an optimist, I will provide three top best practices that span GRC and business continuity to achieve higher levels of sustainability and operational excellence. To meet this goal, we should begin with the GRC Capability Model from the Open Compliance & Ethics Group’s (OCEG) framework. The GRC Capability Model provides a comprehensive set of best practices for any organization implementing and managing a GRC system or just aspects of a GRC system.
The second best practice I would recommend focuses on enterprise risk management. Strong risk management is the core of a successful GRC initiative. You can find a model that can work effectively with both GRC and BCP in the Committee of Sponsoring Organizations (COSO) Framework. It works well with organization strategy and provides the flexibility and reach to address the board of directors. COSO supports the internal environment, setting objectives, event identification, risk assessment, risk response, controls, information and communication, and monitoring while addressing strategy, operations, financial reporting, and compliance which help connect the dots between GRC and BCP.
Finally, from a business continuity perspective, both OCEG and the COSO framework include BCP, but to implement a robust program, one should review the National Fire Protection Association’s (NFPA) best practices. NFPA’s model can sit within a GRC program and connect to a strong risk management program while providing the framework to drive effective planning and incident response. In addition, NFPA best practices are one of three frameworks selected by the Department of Homeland Security for PS-Prep certification.
When selecting your best practice or framework, keep in mind that best practices should not be confused with your methodology. Every organization is different and you have to choose best practices that fit the goals of your GRC program. However, what you choose should be flexible and not lead to silos that make it difficult for groups to collaborate, share information, and enforce transparency.