Every company must deal with governance, risk, and compliance. Often abbreviated as GRC, this business function is responsible for ensuring that major risks are addressed, required compliance initiatives have been investigated, and the organizational structure supports these objectives.
GRC Program Continuity Events
Continuity events are typically thought of as natural disasters, pandemics, or other events that cause a large disruption in business processes. While these still hold true for a GRC program, we’ll be investigating some challenges specific to GRC programs.
One of the most common continuity events in a GRC program is personnel turnover. The size of your GRC program will vary greatly based on the size of your company. While large organizations may have the ability to sustain through personnel transition, for small to medium sized GRC programs turnover can be a huge deal. Some continuity issues arising from turnover and potential solutions include:
Continuity Issue: Limited insight on required frameworks and regulations.
Potential Solution: Ensure full documentation of required frameworks and regulations, audit timelines, key points of contacts, and audit procedures.
Continuity Issue: Security and compliance issues are no longer tracked to remediation.
Potential Solution: Ensure that all outstanding issues are centrally located. Additionally, make sure all issues have a designated assignee.
Continuity Issue: No one is in charge of security or compliance.
Potential Solution: Set up a cross-functional GRC team that meets regularly. If the chair leaves, another member can take their place.
Most audits operate on an annual cadence. During the many months between audits, a lot can change. New team members join, technologies change, and people forget where documentation is located. Below are some continuity issues and potential solutions to maintaining seamless year-over-year audits:
Continuity Issue: Employees have to re-learn how to gather audit evidence.
Potential Solution: For each request provided by the auditor, ensure thorough documentation is retained describing how to retrieve the required evidence.
Continuity Issue: Different evidence is provided from previous audits.
Potential Solution: Find a solution that allows for audit automation. This allows you to set up a connection into your systems once, and collect the same evidence every year.
Continuity Issue: Context and lessons learned from previous audits are not included in future audits.
Potential Solution: Maintain a repository of previous evidence and findings. Additionally, work with your auditor to ensure the request list is refined and made specific to your organization.
Tracking Recurring Tasks
All compliance frameworks involve some form of recurring tasks. These may be annual policy reviews, quarterly access reviews, or monthly management meetings. Should these tasks be missed (either due to a large continuity event, employee turnover, or simply forgetfulness), it may result in audit exceptions or non-compliance. Common issues and solutions include:
Continuity Issue: Assignees for recurring tasks are not clear.
Potential Solution: Assign tasks from a centralized area that makes it easy to re-assign a task.
Continuity Issue: Tasks are missed or completed behind schedule.
Potential Solution: Ensure there is one person who is responsibility is to ensure all recurring tasks are completed. This person will likely be the chair of the cross-functional team mentioned above.
Continuity Issue: Evidence from recurring tasks is not available.
Potential Solution: Ensure that all evidence from recurring tasks is uploaded in a central repository. This may be a local server, cloud storage, or a software application.
Overarching Solutions for GRC Continuity
There are many ways to ensure that your GRC program continues to thrive year-over-year as more people, technology, processes, and frameworks get added on. Two things to look into include ISO 27001 certification and a GRC software platform.
ISO 27001 Certification
ISO 27001 is a compliance framework that requires companies to develop an Information Security Management System (ISMS). The ISMS allows the company to absorb changes to the GRC environment, implement them throughout the organization, and continuously monitor the status of the GRC program.
GRC Software Platform
Many GRC platforms exist on the market today. These tools allow you to gain visibility into your security program, track risks and tasks over time, and keep track of lessons learned. In fact, risk3sixty has developed a GRC platform, Phalanx, which allows you to see past audit evidence, quickly assign tasks, and provide automation integration to support your evidence collection.
Continuity is an important part of every business process, and that includes the GRC program. By staying on top of personnel turnover, year-over-year audits, and recurring compliance activities, you can ensure a seamless audit experience, no matter the continuity events that come your way.