Q&A: Carlos Krause On GRC & BCP
Continuity Insights sat down with Carlos Krause, Manager of Professional Services for Modulo North America, to find out more about recent trends in governance, risk management and compliance (GRC).
Continuity Insights: Can you talk a little bit about GRC, including its relationship to BCP? Does GRC have the same relevance in all organizations?
Carlos Krause: GRC is a term describing an organization’s approach to governance, risk management, and compliance. GRC should always ultimately leverage and include BCP but doesn’t always initially. GRC does not always have the same relevance in organizations; some organizations start with a single use case such as automating Business Continuity Management (BCM) and then expand their programs from there.
Many different lines of business need to be involved in a truly enterprise-wide GRC program, though organizations may structure programs differently. We see companies asking, for example, for PCI readiness solutions, IT risk management, ERM, and — more and more — BCM solutions. Typically the team with the most mature processes or that has just experienced a major problem — think audit failure, disruptive disaster or complex new regulation — will initiate the GRC conversation. The BCM team, or whoever is responsible for BCP, could kick off a GRC program within their organization.
BCM is a crucial piece of any well-defined GRC program but it is only a piece. But GRC can learn from BCM. Of course, business continuity planning is all about identifying and exposing potential threats to business operations. The cyclical nature of BCM processes and the role of BCM in identifying unacceptable but inevitable disruptive occurrences means the team responsible for these efforts can help enhance an organization’s GRC program.
GRC provides organizations with a way of reducing unacceptable risks — risk of IT problems/breaches, risk to operations, risk of non-compliance, credit or market risk, reputational risk, and, of course, risk to business continuity. Even the best planning and most thorough controls cannot prevent unforeseen disasters and disruptions. BCM provides organizations with a way of anticipating and managing the impacts of these unavoidable risks to the business. In short, BCM is essential to a well-defined and mature GRC process and that’s why we are seeing it pop up more often as a key use case.
CI: As 2014 begins, what do you foresee as the biggest GRC and BCP trends in the coming year? What will be the biggest game changer?
CK: Broadly speaking, we think the definition and understanding of GRC will continue to mature in 2014 with the biggest trend being on the application of GRC automation solutions to satisfy specific use cases such as BCM. We believe that organizations will start to implement GRC programs from the perspective of solving specific issues and then expanding.
Companies are starting to see new possibilities in leveraging automation to improve process-heavy programs like BCM. As your readers know, BCM needs to be tested and revamped on an ongoing basis in order to remain effective and to meet standard requirements. GRC solutions are offering excellent options for automating survey dissemination and for tracking progress and activities using digital audit logs.
In 2013 we really saw an uptick in demand for BCM as it relates to GRC. I think we will see this continue into 2014, with the relationship between BCM and GRC strengthening. There is a lot GRC can learn from BCM and vice versa.
CI: Why and when should organizations integrate their BCM programs into broader enterprise risk management efforts? Are there any common misconceptions about integration?
CK: The integration of BCM into broader enterprise risk management efforts is a question directly linked to the maturity of an organization’s risk management approach. Many of the customers we deal with are still managing a major portion of enterprise risk efforts using spreadsheets, documents and emails. Even if they implement a software solution for compliance, IT risk, or even BCM use cases, other areas of the organization may not yet be ready to automate processes.
The most effective implementations of BCM — and broadly speaking, any GRC use case — are with those customers who have well-defined processes and reliable people managing those processes. A solution alone can never solve these issues. We always advise our customers to think about automation and integration once they have a defined goal and strategy for doing so; and, of course, there are ways to speed along this process too.
When we talk about integrating a program into a GRC management effort, we talk about eliminating redundancies, leveraging assessments from one program for another, and centralizing key data for the sake of creating meaningful reports. Sometimes people think integration just means plugging data into a system. Really, it means that and so much more. An organization should integrate BCM programs, data, process automation, and reporting into broader enterprise risk management efforts in order to reduce the tendency to approach risk management from distinct lines of business and not waste time on redundant efforts.
CI: What do you see for the future of GRC and its benefits, not only for the coming year, but even 5 or 10 years down the road?
CK: In the next 5 or 10 years, we think GRC will play a central role in organizations as a performance indicator. But for now, the capabilities of GRC solutions far outpace what end-users really need on a daily basis to solve immediate problems. Eventually, the confluence of reliable systems to automate processes, integrations to incorporate and analyze data, and advanced reporting will facilitate a risk-minded approach to managing businesses. GRC will give CROs, CCOs, CIOs, and boards the ability to monitor trends and leverage risk information to improve business decision-making. We think GRC will provide executives with the means to take governance and risk-based approaches to business management, making GRC one of the business’s key assets to predict and report on organizational performance.
CI: Is there anything else that I haven’t yet covered that you’d like to discuss?
CK: Outsourcing is elevating the importance of third-party risk management. More and more of our customers, and indeed organizations across the globe, are relying on an extended enterprise for crucial services. It’s not enough for a company to meet compliance or business continuity requirements. Now, the extended enterprise of vendors and suppliers also needs to comply. Organizations are finding themselves smacked with fines, in headline news for reputation issues, or without a crucial resource because a vendor didn’t meet rigorous internal or external requirements. We think third-party risk management will become a more and more important use case for GRC-minded organizations. And we think BCM will be an important part of any effective vendor risk management program. It’s always interesting to ask new customers how they manage the continuity of services vendors.
Carlos Krause has been an integral part of Modulo since 1998. As Modulo’s NA Manager of Professional Services and Sales Support he is responsible for pre- and post-sales initiatives and activities for prospects and customers in all areas of Governance, Risk and Compliance. Certifications include CISSP, CISA and MCSO, with industry expertise in life science, healthcare, consumer goods, chemical, manufacturing, financial services, transportation and energy. This year, Carlos Krause spoke on the topic of BCM at ISACA ISRM 2014 and on Modulo’s BrightTalk channel. He spoke at MISTI IT GRC Summit 2014 on the topic of GRC automation. He has been published on the topics of policy implementation and BCM.