Almost every blog entry listed here makes some reference to a Governance, Risk, and Compliance (GRC) software tool and how it can help you manage cyber risk. But what if you don’t have one of these? What about spreadsheets? Or home grown database tools you made yourself and are certain are “good enough”? And suppose you have a very limited budget for risk management, are part of a small organization (or a small part of a highly decentralized large organization), and just don’t have bundles of cash to spend on software. What about those folks too?
While there are no absolute, easy answers, there are some strategies we’ll explore here. Also, there are some basic best practices to apply to any shopping effort for a GRC software solution that can limit your financial exposure and save you a lot of money—often enough to make the whole exploration and evaluation worth your while when you think it’s out of reach. We’ll look at some of those too so you are fully “ready” to make the best choices for your business regardless of how your risks and resources measure up today.
Making The Impossible Possible
Sometimes you are faced with a seemingly impossible situation, where you cannot do without but cannot make do either. I’ve been there. It’s where the spreadsheet approach grew up. It’s where lists and manual processes thrive. It’s not ideal. Even those folks who can script in “Excel-eze” cannot provide all the detail and robust data capture, analysis, and organization needed today. In other articles I’ve noted the value of leveraging data from other processes, particularly ones associated with audits, regulatory and compliance reviews, and even incident management. Those areas may have some software you can somehow borrow services from to configure risk assessments and share data. Such arrangements may not give you ideal flexibility or control, but, in an impossible situation, there needs to be elasticity in solutions. This approach might create something of a sneaker-net scenario where you are running from one platform to another to launch a risk assessment, manage progress, extract data, transfer to an analysis platform elsewhere, take the result to publish and distribute through another borrowed internal service, and so on. It won’t be easy, but any amount of automation you can offer for your stakeholders will likely be received well, even if you’re “spinning a lot of plates behind the curtain” so to speak. There is a potential gem buried here, if you survive this—you know what everyone else has, needs, and already counts upon for similar automated services. Hold onto that information; it will become most valuable later on in this story.
Know What You Need
The beginning of any journey or task is knowing where you want to go. In this case, knowing which features of a GRC platform are most critical to the operation of your risk management program is key. Like shopping for anything laden with features and unique approaches to perceived needs (ever shop for a new car?), it is easy to get sidetracked by the glistening marketing messages and materials crafted to attract your attention. If managing risk assessments and sharing the results in a manner that your senior business leadership can understand is critical, focus upon that before other features. Also, pay attention to what it may take to enable what you want. Some attractive features in some products require robust database management and query skills. Others require scripting or programming through application programming interfaces (APIs). If you don’t have those resources readily available to your risk program at this point, something more out-of-the-box, or configurable rather than customizable, might be in order. So, build a list of true “must-haves”, and one of “desirables”. Make certain you hit as many musts as you can. Don’t trade them off for desirables, no matter how many are offered. Be patient, and diligent.
Become An Informed Shopper
There’s no way I know of to acquire GRC software by the pound. But there are strategies to gradually acquire functionality over time as your risk program’s needs mature and become more sophisticated or complex. I have a long-standing rule about avoiding redundant or “throw-away” efforts wherever they can possibly be eliminated. Repeating an effort because you “didn’t have time” to do it thoroughly the first time wastes time, money, and many other participating or supporting resources. So, if you need to start small, seek solutions that can grow with you at your pace. Many software solutions will present themselves as meeting this requirement. Don’t take a “yes we can” at face value. It’s important to ask “how”! The specifics and details offered will tell you whether the solution you’re exploring truly can grow gradually, or requires a complete reinstall from scratch or something else. What do I mean by growing? Adding capacity for data, supporting an increased number of users, and revealing or enabling new features or capabilities without having to reinstall or redeploy the software all demonstrate a product designed for incremental growth. This growth may also include the ability to integrate other data sources from external systems. Be careful here. Again, ask how. Understand what requirements beyond configuration and setup might be needed to make such integration work.
There’s another aspect to being an informed shopper—seeking input from your stakeholders. In addition to being a good partner, there may be useful information to help shape your list of much needed features. You may also discover details about other systems already part of your company infrastructure that can be leveraged now and could feed your new GRC later to help establish it as the system of record for all risk related information. Stakeholder preferences for disseminating risk data analysis and reporting might also reveal features to value and take note of in your search.
Consider Your Vertical
Every business has its own unique risk portfolio. And it changes with time and circumstances, as does the business itself. Some industries have specific legal, compliance, and regulatory obligations that demand rigorous, detailed attention to particular sets of controls and practices. Two that are often cited as particular examples are financial services and healthcare. Both are heavily regulated. Both have Federal regulations and agencies (FFIEC, NCUA, FINRA, FinCEN, to name just a few) serving as oversight vehicles. Compliance is a big part of their competitive, legal, reputational, financial, and operational risk portfolios. They are also diverse verticals. Financial services take many forms: banks, credit unions, investment firms, and stock and bond trading services form a commonly perceived bulk. But there’s also the whole payments industry, credit cards, check cashing services, small lenders, and of course insurance of all different forms. Even the automotive industry blurs the lines with auto lease and purchase financing, often initiated at retail dealerships and “car stores”. There are also all the surrounding advisory professionals operating as financial investment and management consultants. And, for international organizations, there are expanded sets of obligatory controls set by host countries. Each has its own unique flavor of obligatory standards and guidelines that must be followed.
Likewise for healthcare services, there are many regulations that require compliance: well-known Federal ones like HIPAA, the somewhat less known HITECH (Health Information Technology for Economic and Clinical Health Act), and also the Medicare Access & Children’s Health Insurance Program Reauthorization Act of 2015, or MACRA, to name some more. Some healthcare-providing organizations operate through multiple third party relationships, and those entwine and complicate compliance efforts too. Medicare and Medicaid themselves have regulations and requirements that CMS (Centers for Medicare & Medicaid Services) imposes upon providers and other supporting healthcare services billing those programs. So there may be a significant third party risk management (TPRM) component to compliance and risk management here.
And of course, online retailers of all sizes have their own bits of compliance. Online wine sales are subject to stringent state regulation, licensing and more. Other retailers are subject to state tax laws, permits, licensing, and of course PCI for those credit card payments. A partial list for sure.
Assessing risk, verifying compliance with controls, organizing and documenting evidence, and supporting regulatory compliance reviews can be a time consuming, tedious process that becomes very costly without the automation and administrative control offered by a GRC platform. This regulatory environment thwarts many startups and small business ventures by creating a significant barrier to entry, and a barrier to growth. If only there were a simple, cost effective entry point into managing this complex governance, risk, and compliance arena that could grow with a company in size and capability as those services became necessary…
Out-Of-The-Box GRC
Out-Of-The-Box GRC, or OOB-GRC, is neither a unicorn, nor a case of snake oil elixir offered by an alleyway “expert”. There are vendors that offer simple GRC solutions based upon pre-configured instances of their software. They cover a wide array of OOB readiness and can be put to use and begin delivering value in very short timeframes. Most often they are based upon the same platform that’s capable of providing the full array of services available in a quality, full-featured GRC. It’s just that only the basics are “turned on”. Those are usually the ability to conduct and manage a risk assessment, report basic findings, maybe manage some workflow, or include a control standard, and manage the process. They may include access to well-known control sets belonging to standards such as NIST’s Cyber Risk Standard, or HIPAA and/or HITECH’s control sets, or others generally required by one vertical or another. There are several immediate values to such OOB solutions; they:
- support rapid deployment with minimal client effort
- are cost effective and affordable
- allow you to work as you learn, (helping you determine what’s most needed next, why and when)
- are simplified versions, so training users is streamlined
- may be hosted, reducing reliance upon internal IT resources, while providing security
- incorporate maintenance support
- are capable of expanding in scale, feature richness and scope (without encountering “throw-away” re-work)
This is a representative example of the gains and opportunities afforded by OOB GRC offerings, but not an exhaustive one. Some firms may include more of their features in a pre-configured OOB offering. Ones that favor configuration over customization have a clear advantage here. Also, security is a significant concern. A great deal of your risk related data is likely highly confidential. A GRC solution will offer much more detailed and granular security than a collection of local databases and spreadsheets. This is an often overlooked feature that is really important to consider. And if you have done your own homework and know what you essentially need to get started, your ability to pinpoint which OOB solution offerings may be best for you will be more straightforward and precise. Remember what I noted you might have learned while “making the impossible possible” in that section above? Here’s where it pays you back for all you gleaned. You know what you need right away. You also know where the value trade-offs might exist while comparing solution offerings.
There is, of course, a buyer’s caveat here. Some vendors say they offer an OOB solution, but in reality they only offer a pre-configured reduced feature set, or one so minimal it’s inoperative without customization and development. And they may not readily reveal that, to perform one function, you need to purchase one or more additional modules holding dependent code. These are not true OOB solutions. A genuine OOB solution should be able to be launched, configured, and ready for you to begin using, training users, and performing useful work in 30-45 days or less, assuming you have clarity on what you need and how you operate. Remember, an OOB solution may not do things exactly as you have in the past, using makeshift tools and tons of sweat equity. One purpose of bringing a software solution to bear is to introduce new practices through automation, streamline processes and practices, and enable your company to do more and get more, while making the effort more flexible and elastic to growth in scope, size, and complexity over time. The OOB solution delivers that promise in an affordable package, one you can enrich and expand in the future.
The OOB GRC solution is a great way to introduce positive change and improve the overall cost effectiveness and quality of managing risk, while enhancing your ability to manage compliance and providing the best possible alternative to the plate spinning, spreadsheet gathering, manual processes of the past. The OOB GRC is also a great way for companies of all sizes to grow past those interim efforts and enhance the professionalism of risk management, compliance, and the overall operating performance of their companies now and into their tomorrows.
About the Author:
Simon Goldstein is an accomplished senior executive blending both technology and business expertise to formulate, impact, and achieve corporate strategies. A retired senior manager of Accenture’s IT Security and Risk Management practice, he has achieved results through the creation of customer value, business growth, and collaboration. An experienced change agent with primary experience in financial, technology, and retail industries, he’s led efforts to achieve ISO2700x certification and HIPAA compliance, as well as held credentials of CRISC, CISM, CISA.