Understanding governance, risk management, and compliance
GRC is the term used for aligning and integrating the processes of governance, risk management, and compliance. It emphasizes that effective risk management and the enforcement of compliance depend on governance being in place first.
Governance, risk management, and compliance are three related disciplines that help an organization achieve its objectives. GRC aims to structure these activities so that organizational processes become more effective and wasteful overlaps are avoided. Each of the three disciplines affects the organization's technologies, people, processes, and information. If governance, risk management, and compliance activities are handled independently of each other, the result is usually a considerable amount of duplicated effort and wasted resources. Integrating the three functions streamlines the organization's assurance activities by removing the overlapping and duplicated work between them.
Although a GRC program can be applied to any function of the organization, it is most commonly focused on the financial, IT, and legal areas.
Financial GRC focuses on effective risk management and compliance for finance processes. IT GRC focuses on information technology processes. Legal GRC focuses on overall enterprise-level regulatory compliance.
GRC is an ever-evolving concept, and a security manager should understand the current state of GRC in their organization and determine how to ensure its continuous improvement.
Key aspects from the CISM exam perspective
The following are some of the key aspects from a CISM exam perspective:
Questions
- Which of the following is the main objective of implementing GRC procedures?
A. To minimize the governance cost.
B. To improve risk management.
C. To synchronize security initiatives.
D. To ensure regulatory compliance.
Answer: B. To improve risk management.
Explanation: GRC is implemented by integrating the interrelated control activities across the organization in order to improve risk management. The other options are secondary objectives.
- What is the prime objective of GRC?
A. To synchronize and align the organization's assurance functions.
B. To address the requirements of the information security policy.
C. To address the requirements of regulations.
D. To design a low-cost security strategy.
Answer: A. To synchronize and align the organization's assurance functions.
Explanation: GRC is an effort to synchronize and align the assurance activities across the organization for greater efficiency and effectiveness. The other options are secondary objectives.