CyberSecurity SEE

Creating an Effective GRC Program: 3 Phases


The world of risk management and compliance is constantly evolving, with risks becoming more complex and challenging to manage. To effectively navigate this changing landscape, organizations need to adapt quickly to new regulations, emerging risks, and other factors that threaten their operations. Implementing a governance, risk, and compliance (GRC) program is crucial, but it can be overwhelming for organizations to know where to start. Taking a “crawl, walk, run” approach allows organizations to gradually build their risk maturity and successfully manage these challenges.

The first phase, “crawl,” involves simple steps. In the early stages, organizations typically rely on either ad hoc decision-making or policy-based decision-making. Ad hoc decisions are reactive in nature, with leaders making impromptu decisions to address problems as they arise. This approach is often prompted by customer complaints, governance agency inquiries, or audits, and focuses solely on extinguishing immediate fires.

Policy-based decisions represent the first small step towards breaking the cycle of reactive risk management. This approach involves developing an organization’s appetite for risk. Key to success in this phase is prioritizing people, process, and technology in that order. While transitioning from spreadsheets and emails to more agile GRC software can improve risk posture, it is essential to gain buy-in from key leaders and establish reliable processes to complement the technology. Understanding the needs and perspectives of stakeholders across the organization is also crucial at this stage, as it helps to break down silos and guide policy development.

After establishing initial policies, organizations should focus on introducing risk policies before executing them. Building trust with leaders and employees by listening to their concerns is essential. Educate them on the company’s risk posture and take steps to strengthen or create business continuity plans, assess the effectiveness of current controls, and introduce necessary new controls through testing and implementation processes. It may be beneficial to start with a specific department, especially one involved in a cyber incident that triggered interest in proactive risk strategies.

The “walk” phase of the crawl, walk, run approach includes two types of decisions: risk model-based decisions and systems-driven decisions. Risk model-based decisions involve committing time and focus to the organization’s risk management program. This phase includes selecting a risk model, such as the NIST or ISO 27005 model, and conducting a comprehensive risk assessment. By understanding the probability of each risk, the effect of existing mitigating controls, and the vulnerabilities involved, organizations can prioritize the risks that require immediate attention.

Systems-driven decisions, on the other hand, focus on integrating systems, eliminating spreadsheets, and utilizing GRC software to surface insights for better decision-making. By pulling in incidents from other applications and incorporating security scorecards and threat assessments, organizations can create a dynamic system that complements risk models and scales risk management. Automation and machine augmentation improve speed, agility, and efficiency while collecting more data for continuous improvement.

The final phase of the crawl, walk, run approach is the “run” phase. At this stage, risk-driven decision-making is powered by machines, integrations, and code. Risk analysis and quantification become crucial, allowing organizations to assign financial value to risks. While not every risk needs a quantitative metric, starting with high-value risks can help organizations better understand their exposure. In the context of the current business landscape, cyber-risk reduction is a top priority. Quantifying cyber-risk enables organizations to communicate the potential financial losses they could face without an effective cyber-risk program, catching the attention of leadership and spurring action.
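The prioritization described in the “walk” phase and the financial quantification of the “run” phase, as an added example that is not part of the original article. It assumes a simple residual-risk model (likelihood reduced by control effectiveness, multiplied by impact or by loss magnitude); the risk names, numbers and formula are constructed, not taken from NIST or ISO 27005.

```python
"""Residual-risk scoring and financial quantification for a small risk register.

Constructed example (not from the article). The scoring formula is a simple
assumption, not the NIST or ISO 27005 method.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    likelihood: float             # annual probability the scenario occurs, 0..1
    impact: int                   # qualitative impact, 1 (low) .. 5 (severe)
    control_effectiveness: float  # share of likelihood removed by current controls, 0..1
    loss_if_realised: Optional[float] = None  # loss estimate in currency units ("run" phase)


def residual_likelihood(r: Risk) -> float:
    """Likelihood left after existing controls ("walk" phase risk model)."""
    return r.likelihood * (1.0 - r.control_effectiveness)


def residual_score(r: Risk) -> float:
    """Qualitative residual risk = residual likelihood x impact."""
    return residual_likelihood(r) * r.impact


def prioritise(register: list) -> list:
    """Order risk names so the ones needing immediate attention come first."""
    return [r.name for r in sorted(register, key=residual_score, reverse=True)]


def expected_annual_loss(r: Risk) -> float:
    """Financial exposure ("run" phase): residual likelihood x loss magnitude."""
    if r.loss_if_realised is None:
        raise ValueError(f"{r.name}: no loss estimate; quantify high-value risks first")
    return residual_likelihood(r) * r.loss_if_realised


def loss_avoided(r: Risk, new_effectiveness: float) -> float:
    """Expected annual loss a proposed control would remove (the business case)."""
    improved = Risk(r.name, r.likelihood, r.impact, new_effectiveness, r.loss_if_realised)
    return expected_annual_loss(r) - expected_annual_loss(improved)


REGISTER = [  # constructed sample data
    Risk("Ransomware on file servers", 0.30, 5, 0.50, 2_000_000),
    Risk("Phishing leads to credential theft", 0.60, 3, 0.40, 250_000),
    Risk("Vendor outage", 0.20, 2, 0.10),  # not yet quantified
]
```

Running `prioritise(REGISTER)` puts the phishing scenario first because its high residual likelihood outweighs its lower impact, while `loss_avoided(REGISTER[0], 0.80)` gives the yearly loss an improved ransomware control would avert.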

Building and maturing a risk program may seem like a daunting task, but taking one step at a time using the crawl, walk, run approach is key. Establishing policies early on, educating leaders about risks, and prioritizing people, process, and technology are fundamental principles of building an effective risk program. By following this approach, organizations can develop a comprehensive and tailored risk program that meets their needs in a rapidly evolving risk management and compliance landscape.
