GRC Viewpoint

A case for GRC (Governance, Risk Management and Compliance)

Today’s business climate is very complex and challenging. Even small businesses, nonprofits and government agencies face issues that historically affected only the largest international corporations. Contemporary risks and requirements are numerous, ever changing, and quick to affect any organization. The variety, velocity, and volume of change both within and outside of each organization are overwhelming. New regulations, business decisions, changing workforces and evolving technologies are just a few of the many examples of expanding change. Organizations (both at the enterprise level and within business units) must set objectives and strategies that are appropriate for them, based on a full understanding of performance, risk and related compliance issues. The volatile, uncertain, complex, and ambiguous world creates instability – and over $1 Trillion of damage every year. In short, the status quo for organizations large and small is neither sustainable nor acceptable.

Further, GRC lowers the cost of doing business. Numerous studies from IBM and Ponemon show that the cost of compliance is generally about one third of the cost of non-compliance. IBM’s yearly Cost of a Data Breach study further substantiates these findings. The 2022 Cost of a Data Breach study contains some startling data. Organizations worldwide are failing to implement Zero Trust and DevSecOps, which leads to lost business and brand reputation damage. The study also shows that even the best EDR (Endpoint Detection and Response) systems do not stop breaches but simply reduce the time to detect them: 249 days on average for organizations using EDR and AI automation, versus 323 days on average for those that did not. The need for Zero Trust is growing and is promoted by SIEM vendors such as Splunk and by the largest information security groups, including IBM, Microsoft and the CIS (Center for Internet Security).

The GRC Capability Model assists organizations in achieving Principled Performance with integrated capabilities. Key terms and definitions in the GRC Capability Model are:

L – LEARN – Analyze context, culture, and stakeholders to learn what the organization needs to know to establish and support objectives and strategies.
A – ALIGN – Align performance, risk and compliance objectives, strategies, decision-making criteria, actions, and controls with context, culture, and stakeholder requirements.
P – PERFORM – Address threats, opportunities, and requirements, and encourage desired conduct and prevent what is undesirable.
R – REVIEW – Monitor and improve design and operating effectiveness of all actions and controls.

The current state of GRC typically consists of a disjointed strategy, poor integration, duplication, silos, and a lack of visibility.

The desired state of GRC consists of Integrated Reporting and Analytics, Integrity, Integrated Controls and Compliance.

In forward-thinking organizations, GRC is a well-coordinated and integrated connection of all capabilities necessary to support Principled Performance at every level of the organization. Additionally, GRC should be viewed as a business investment, not a cost.

We also need to understand the relationship between vulnerabilities, threats, and risk. Vulnerabilities are known weaknesses; a threat is the potential for harm to the business; and the risk, here of brand and reputational damage, is realized when a threat exploits a vulnerability. GRC provides a business view of vulnerabilities and the threats they expose, so that damage can be prevented rather than responded to.

Further, businesses often ask the wrong questions. Gartner supports this with the Urgency to Treat Cybersecurity as a Business Function.

What tools should I implement? Gartner – Security capabilities are a function of people, process and technology. Leading with technology results in poor outcomes.

What are the most common threats in my industry? Gartner – Organizations do not control threats. They control priorities and investments in security readiness.

How much security do I need? Gartner – This is a legitimate question, but everyone is seeking a simple answer where one does not exist.

Lastly, we are spending billions on tools that are easy to bypass. In conclusion, GRC helps to achieve real Principled Performance to protect against growing threats to businesses of every size, including third-party management and supply chain vulnerabilities. The whole board should consider joining an organization like the OCEG.

1. OCEG is the ultimate source for GRC certifications and resources | OCEG
2. The True Cost of Compliance with Data Protection Regulations | Ponemon Institute
3. Prioritizing a Zero Trust Journey Using CIS Controls v8
4. The Urgency to Treat Cybersecurity as a Business Decision
5. Organizations are spending billions on malware defense that’s easy to bypass | Ars Technica
6. Latest Sarbanes-Oxley Quest: Search for a ‘Financial Expert’

By Bruce F. Bading, CEO/President at BFB Consulting, Inc.
