12. GRC Interrelation


GRC roles don’t necessarily function independently. Much like we described in our Introduction to GRC, the roles are intended to function together to provide holistic oversight for operational security. When one role operates independently, and without considering other roles, it can create confusion for peers and employees.

Consider, for instance, a bring-your-own-device arrangement: users may bring their personal cell phones to work and use them for certain work functions. Imagine that your organization's users have always been able to use their cell phones in this way, and suddenly a new policy is announced forbidding any further use of employee-owned devices.

Perhaps the policy was created by a Governance professional, but the Risk and Compliance team members were not informed of the change. This would likely create a good deal of confusion. Policy changes that affect a significant part of the organization's user population are usually discussed thoroughly beforehand and are typically precipitated by a risk management event or a new compliance initiative. It is therefore important that the three roles work together so that the GRC function operates smoothly.

This is also a good time to mention GRC software. We won't really be covering GRC software in this course, but it is good to know that it exists and that its purpose is to provide a central repository for gathering GRC-related information. GRC software can:

  • Help keep track of compliance obligations
  • Act as a central repository for audit, compliance, and governance issues that require remediation
  • Act as a central repository for risk and exception management decisions
  • And more

For the software to be effective, however, an organization should first ensure that its GRC processes are mature and operating well. Otherwise, the software can go unused, create conflict between the GRC functions, and unnecessarily cut into the security budget.