Building a mature, sophisticated governance, risk, and compliance (GRC) program is a bit like baking a layer cake. It takes a little extra time and work to prepare each progressive layer, but when it’s complete, it’s pretty darn impressive.
Mike Santos has assembled quite the risk management layer cake at global law firm Cooley, where he’s the Director of Security and Information Governance.
Santos’ experience in risk management has its roots in an institution known worldwide for handling, preventing, and mitigating all sorts of high-stakes risk: the United States Navy. Post-service, he transitioned to the IT risk world to work with Cooley.
He soon found himself working in cybersecurity—an emerging field at the time that’s now top-of-mind for every organizational leader. There, he developed a maturity model for taking any GRC program from a reactive, ad-hoc state to an efficient, automated, and holistic process.
Santos’ model has five layers, each building on the last. Here it is:
Layer 1: Taking risk as it comes
The model’s first layer is the state that any organization that hasn’t put the resources or effort into building a true GRC program is likely to find itself in. This is where your risk program is operating by the seat of its pants, responding in real time to risks as they arise.
“This is where you’re just winging it,” Santos said. “Something happened yesterday or something is coming tomorrow, and you have to figure it out today.”
This is, for obvious reasons, not a particularly good way to handle risk. But the reality is that many organizations find themselves in this exact situation quite often.
Layer 2: Policies and processes
Organizations whose programs are in the second layer of Santos’ model have begun to at least put policies and processes in place to govern and provide some uniformity to how they handle various risks. This is a step up from handling things as they come, because at least there’s a plan in place ahead of time.
“Now, at least you can say, ‘These are the things we do, and the things we don't do, what we want to see happen, what we want to not happen, and what our tolerance levels are,’” Santos said.
Having effective governance in place increases the likelihood of a positive outcome, but there’s much more that can be done to confirm that those policies and processes are actually working and to decide which of them should be upgraded first.
Layer 3: Risk modeling and quantification
The third layer marks the point at which an organization can truly begin to say its GRC program has started to mature. The organization has robust policies and procedures in place, and it’s beginning to focus its GRC efforts on the most important risks first by using various risk quantification methods to identify them.
The first step in getting started with this layer is to pick a proven risk management framework, like NIST, ISO 27001, FAIR, or SOC 2. Then, begin running your risks through the framework and use risk quantification methods, like risk scoring models and Monte Carlo simulations, to gauge how much of a threat each one poses to your business.
Having that sort of data on hand can inform the decisions you make about how to improve your existing controls, policies, and processes, which of them aren’t working properly, and which new ones should be introduced.
This is a great place for any organization’s risk management program to be, Santos noted, but it’s also unfortunately where many organizations get stuck. There are still two more layers of sophistication you can add to your program: integration and automation.
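As an added illustration of the quantification step in this layer (example code, not from the article or from Cooley's program): a simplified FAIR-style Monte Carlo that turns estimated loss-event frequency and loss-magnitude ranges into an expected annual loss and a 90th-percentile bad year, then ranks a constructed risk register so the largest exposures come out first. The register figures are invented, and triangular draws are assumed in place of the PERT curves FAIR itself uses.

```python
# Added example, not from the article: a simplified FAIR-style Monte Carlo that turns
# frequency and magnitude estimates into annual loss figures (triangular draws stand in for PERT).
import math
import random
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    events_per_year: tuple  # (low, likely, high) loss events per year
    loss_per_event: tuple   # (low, likely, high) dollars lost per event

def _poisson(rng, rate):
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(risk, trials=5000, seed=7):
    """One trial = one simulated year: draw a rate, draw that many events, sum losses."""
    rng = random.Random(seed)
    f_low, f_mode, f_high = risk.events_per_year
    m_low, m_mode, m_high = risk.loss_per_event
    years = []
    for _ in range(trials):
        n_events = _poisson(rng, rng.triangular(f_low, f_high, f_mode))
        years.append(sum(rng.triangular(m_low, m_high, m_mode) for _ in range(n_events)))
    return years

def summarize(risk, trials=5000, seed=7):
    years = sorted(simulate_annual_loss(risk, trials, seed))
    return {
        "expected_annual_loss": sum(years) / len(years),
        "p90_annual_loss": years[int(0.9 * (len(years) - 1))],
    }

def rank_risks(risks, top_n=3):
    """Order by expected annual loss so the risks to treat first come out on top."""
    scored = [(r.name, summarize(r)["expected_annual_loss"]) for r in risks]
    return sorted(scored, key=lambda t: t[1], reverse=True)[:top_n]

# Constructed sample register; the figures are illustrative, not from the article.
REGISTER = [
    Risk("Phishing-led credential theft", (2, 6, 12), (5_000, 40_000, 250_000)),
    Risk("Ransomware on file servers", (0.1, 0.3, 1.0), (200_000, 1_500_000, 8_000_000)),
    Risk("Lost unencrypted laptop", (1, 3, 8), (2_000, 15_000, 100_000)),
]
```

Calling rank_risks(REGISTER) puts the low-frequency, high-magnitude ransomware entry ahead of the frequent but cheaper phishing losses, which is exactly the kind of ordering a scoring matrix based on gut feel tends to get wrong.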
Layer 4: Integrating other systems
Layer four is where organizations begin integrating data from all of the other systems that power their business—email, financial systems, communication platforms, support and ticketing systems—into their risk model to obtain a 360-degree view of their entire risk landscape. Combined with the quantification of layer three, they’re now able to start making faster, better, and truly strategic risk decisions. This is the realm of holistic GRC.
Having the right technology is crucial at this stage. You should be using a modern GRC platform that can easily integrate with a range of other common business systems and centralize all of the data, so you can have those holistic insights at your fingertips at any time. The platform should also be easy to use, to increase the likelihood that as many people as possible will participate in your risk program.
Say, for example, you’ve been asking support desk employees to leave the system they work in to log data in your risk management platform or another system. This requires them to break their workflow and adds yet another task in another system to their work day. Wouldn’t it be better if the data they’re already entering into their system was automatically routed to your GRC platform? You’ll have both better data and happier employees. That’s where smart integration can take you.
“You have to have as many people participating [in your risk program] and taking it seriously as you can. The more success you have, the more data you have, and the more data you have, the better decisions you can make,” Santos said. “If there’s a lot of paperwork or bureaucratic, manual barriers, people are less likely to do that.”
But before you start hooking other systems into your risk model, it’s important to make sure you spend the time necessary to validate your model to be sure it’s working properly and providing accurate analysis. “There can’t be any problems with your level three, because now you’re going to introduce all new data sets,” Santos said.
Layer 5: Risk-driven decision making through automation
The pinnacle of Santos’ risk maturity model is reached when your GRC system has been integrated with your other systems and automated to the extent that it begins to surface the most pressing risks your business is facing all by itself.
When you’ve reached this point, you can instruct your model to always show you just the top three most critical threats, so you immediately know what to focus on addressing. As you work through your top risk and mitigate it, the system will continue to automatically populate the list with a new risk.
“Your system is now almost telling you what to do,” Santos said. “You’re still making the final decision, but there’s so much automation in there that it’s almost come alive.”
Again, this requires the right, modern GRC platform. Pick one that has plenty of integration capability and allows you to build and automate custom workflows.
How many layers does your cake need?
One caveat: Santos emphasized that not every organization needs to implement every layer, and your return on investment tends to diminish as you progress through the model. It gets harder and more resource-intensive to move from one layer to the next, and the results you see may be only marginally better at first.
“You may end up looking at six to seven months of work and tens of thousands of dollars to be able to say ‘Look, I pulled this one metric in!’” he noted.
So, decide how many layers your risk cake needs, and get to work building a top-tier program for keeping your organization safe and secure.