Top 10 GRC mistakes — and how to avoid them

A sound governance, risk and compliance (GRC) strategy is more valuable — and harder to hone — than you might think. Here’s how to avoid looming disaster.

Governance, risk and compliance (GRC) — the very words cause groans among employees and leadership alike. They conjure thoughts of expansive spreadsheets and endless meetings where acronyms like KRIs and KPIs are bandied about. Quite often, GRC exercises are seen as a waste of time or the purview of the CFO and internal audit.

But this is not the case. With regulatory obligations and penalties for non-compliance increasing, CIOs and IT leadership must push for effective risk management, compliance and governance within their organizations. These efforts involve areas that are separate from IT (for example, legal and finance) but are nonetheless critical to a GRC program’s effectiveness.

The days of separate or non-existent GRC programs are over. IT and business GRC must be incorporated into a whole. To do otherwise adds tremendous risk and needless uncertainty. Between unforgiving regulatory environments at home (HIPAA, PCI, FERPA) and abroad (GDPR), customer data privacy expectations, as-a-service platform risks, cybersecurity threats and the ever-changing global marketplace, an established and effective GRC program is a primary means of not only demonstrating operational due care, but also reducing costs, increasing profitability and avoiding running afoul of regulatory regimes across international markets.

“The top two GRC shortcomings I see are organizations not being aligned on their strategy and placing a much stronger focus on compliance versus effective risk management,” says David McKeough, vice president of CrowdStrike.

An organization with the appropriate GRC components in place is one with an overall strategic plan that guides executive decision making. Projects and initiatives are weighted and evaluated based on business-driven goals, risks are managed and measurable, and compliance burdens are known and communicated.
