Saturday, January 4, 2014

The GRC program value proposition: Advice for compliance professionals

Many companies aren't itching to tackle governance, risk and compliance (GRC) initiatives, and that reluctance is largely due to perceptions around cost and ROI. Those holding the company purse strings often have difficulty seeing the value proposition of a GRC program when it is viewed purely as an expense; others are put off by the intricacies of a full-on GRC strategy. Given these perceptions, it's often difficult to get beyond the "bad and the ugly" of these investments to recognize "the good" inherent in a GRC program -- and that hesitation is putting business assets and data at risk.
The compliance professionals we speak to on a regular basis agree that GRC must be integrated into daily business processes rather than treated as a separate burden. But how do you convince others of the GRC value proposition? GRC is a topic that calls for expert tips and solutions, so SearchCompliance has scoured our sister sites to gather some of the top GRC stories you might have missed. These articles offer a mix of strategic and tactical advice for conveying the value of a GRC program and for changing the minds of those not yet convinced that the GRC cause is worth the cash.

Why you can't ignore governance, risk and compliance

It's a simple question: What is GRC? The answer, however, is becoming increasingly complicated. Sometimes a reference to a category of software and sometimes a methodology unto itself, GRC depends on context and perception. No matter how you look at it, a GRC program is a vital consideration in today's landscape of evolving rules and regulations that affect all levels of an organization. The expert advice in this magazine article outlines how companies can assess and integrate a GRC program while rolling with the regulation punches.

GRC as a proactive investment, and how to get there

Risk management planning doesn't always receive top-level support from CIOs and IT departments. Rather, it's often seen as a costly burden instead of a proactive investment. Harvey Koeppel, a former CIO and a regular columnist for SearchCIO, advocates the latter viewpoint, urging companies to look past the initial costs and evaluate what GRC preparedness has to offer in the long run. In a proper GRC maturity model, Koeppel says, tactics and strategies should first be identified and structured, then prioritized according to their anticipated benefits. By changing the way CIOs approach their GRC budget, compliance officers can better integrate risk management into the organization as a whole.

Equating information governance with business value

With so much to lose in a data-heavy world, how do companies continue to make careless mistakes with private information? Many approach information governance with an "out of sight, out of mind" mindset, and that's just not going to cut it these days. By equating information governance with business value, then sifting through the complexities and understanding the data you are charged with protecting, a more complete picture of your company's information emerges. The tips in this case study on information governance strategy don't downplay the difficulties of governing your information, and they make clear how your data could help you when the going gets tough.

Using a threat model to reframe the role of compliance

As ever-evolving regulations and laws drain IT budgets, the attitudes surrounding compliance can be just as draining. Conforming work habits to appease GRC to-do lists has left some risk-minded folks feeling disheartened, and that frustration is disrupting workflows. Re-architecting those compliance tasks so that they become part of business processes -- rather than added chores -- reframes the role of a GRC program. The seven-stage threat model discussed in this piece from Information Security magazine provides a detailed account of how to define, streamline and execute a new approach to compliance, and of how that approach can change GRC attitudes for the better.

A $440 million reason to learn three IT risk lessons

"If it ain't broke, don't fix it" is a phrase that doesn't fare well in the IT sphere: history shows that risk can very quickly spiral into an all-out crisis that is both costly and time-consuming -- and money and time are two resources already stretched thin in most organizations. Plenty of companies have felt that pain after deciding that compliance is a separate entity to be put on the back burner. By embedding risk management into each business decision, GRC becomes part of the organization and evolves as IT evolves. In this piece, Brian Barnier, a risk advisor at ISACA, outlines how IT departments can build compliance into everyday decisions.
