Governance, Risk Management and Compliance (GRC) Activities

Introduction 

Management decisions in an organization on the three facets of governance, risk management and compliance (GRC) are depend on the organization's systems to pass accurate and timely information to the top management. Directors and other decision-makers have the role of coming up with strategies that are reflected in the structure and way of doing things within the organization. They also assess and predict risks within and outside the organizations and make decisions that ensure they operate within the ethical limits allowed for the organization. Governance within an organization refers to the top management decisions relating structure, each level responsible for their work. Governance affects performance, production, and employees directly. Risk management, on the other hand, is the process of dealing with uncertainties. The management speculates, identifies and deals with risks (Nissen & Marekfia, 2013). Compliance is related to the ethical operation of the organization through laws and regulation as well as maintaining a positive image for the organization. 

Today’s business requires an integrated, comprehensive view of GRC. Technology has a huge role to play in organizational decision making. Technological improvement has contributed to organization’s adaption of digital systems in their operations. The downside of this development is that these technologies expose the organizations’ data to cyber-attacks. GRC software is vital in automating the activities that are associated with reporting and documentation of risk management and compliance in organizational governance (Cau, n.d). This paper will explain the role of technology in GRC activities, capabilities and functions of GRC in cyber security and assess a GRC commercial product. 

Technology in Supporting GRC Activities 

Today's GRC activities and overall running of the organization is effectively able through the application of technology. The technology significantly improves the way the management receives information on the organization's activities to facilitate decision making relating to GRC activities. Technology has a role to play in enhancing company culture and also facilitating internal policies and strategies. Culture, organizational hierarchy and policies together with strategies form part of the governance activities. Governance requires planning and implementation of relevant decisions for the organization. Technology ensures that these decisions are made by the management on time since they receive information that will facilitate decision making in a desirable form. Documentation and timely reporting of activities are key aspects of government decisions that are supported by technology (Cau, n.d). For example, an organization that is experiencing stunted growth in profitability requires strategies that will jump-start its growth performance. It, therefore, becomes vital that the directors are knowledgeable on the key areas that require restructuring. Using performance indicators in various sections provides sufficient knowledge for the directors to come up with strategies for the success of the organization. 

Furthermore, technology supports governance through personnel planning and resource allocation. An organization’s personnel are a reflection of the culture and planning of the organization. The management relies on personnel planning software and models to come up with the best practices that contribute to the success of the organization. Human resources that required to complete certain tasks within an organization need careful selection and planning. The management considers the quantity as well as the skills of the employees before selecting the most appropriate team to complete the task. These employees form part of the internal resources. Sometimes specialized skills may be required thus necessitating the hiring of external personnel. Employee management technology is thus vital in aiding leaders to make decisions on the allocation of resources and personnel for certain tasks. 

Risk Management 

Risk management is increasingly becoming an essential undertaking for organizations since it determines the success of businesses through market speculation and expansion. The operating environment for most businesses is uncertain. Thus, the accuracy of risk management decisions is a huge determinant of organizational success. The internal environment of businesses also provides uncertain conditions that the management needs to analyze before making decisions. Thus, improvement in the way organizations manages their risks is important in today's risk management activities. Integrating the use of technology in data management and information analysis has the impact of increasing the accuracy of risk analysis techniques and decision making (Cau, n.d). Risk management technology also helps in the documentation of events and assessment of work within the organizations. Professional can use this information to perform an accurate analysis of both the internal and external risks affecting the organization. 

Additionally, organizations are embracing risk management as a method of reducing operating costs and other expenses. Expenditure on activities that are not beneficial to an organization’s core activities has the effect of reducing revenue. Accurate assessment of uncertainties using technology-enabled analysis techniques contributes towards the elimination of unproductive activities. Leaders can therefore confidently make decisions to eliminate these activities. Risk analysis aids in forecasting future trends and expectations. Accurate forecasting of trends can be done using the data from previous trends. Analysis of such data using modern risk management software enables the management to concentrate resources on activities whose prospects are positive. 

Compliance as part of the GRC activities also relies on technology documentation and controls assessments. Compliance management entails guiding an organization to act ethically through adherence to regulations, government, and international laws as well as norms that form part of the environment of the organizations. Owing to the risks of noncompliance, technology also becomes important in registering checks to ascertain the organizations standing on matters of compliance. Leaders need to focus on the compliance by design framework in their decision-making processes (Sadiq & Governatori, 2015). This framework advocate for the integration of the organization’s activities into the compliance activities as opposed to viewing compliance as an independent aspect of these activities. Compliance by design is a preventive strategy that enables an organization to stay within the regulatory limits. 

Incorporating technological means into the compliance by design framework contributes to the organization compliance strategies by enabling easier assessment of each of the aspects of compliance management. Use of compliance software in the identification of specific areas that require compliance measures eases the tasks of organizational leaders in coming up with measures that contribute towards compliance objectives. Technology enables easier compliance decisions to be made by the management through simplification of the compliance methods that may be applied. Again, technology use in today’s organizational activities is diverse and disperse. Hence, controls are important in compliance strategies (Sadiq & Governatori, 2015). Technology can help in decisions to enforce compliance through the management of records. Records are an indicator of the organization's compliance levels. Organizational leaders rely on these records to determine the standing of the organization on matters of compliance. Thus the records are a vital resource in enforcing compliance measures. Testing of the organization's systems is a technology-based method of enforcing compliance. Testing enables the management to ascertain the strength of their compliance strategies and make decisions that further improve these strategies. Compliance monitoring, on the other hand, borrows on risk management techniques. Monitoring processes help the management to keep track of regulatory changes and other adjustments in the industry. 

Compliance perspectives range from financial reporting to industry-specific regulations (ISO) (Cau, n.d). Therefore, compliance strategies need to focus on a whole range of these compliance functions. The risk and implications of noncompliance are also strong motivation for leaders to adhere to these requirements. Furthermore, ethical factors of compliance are tied to the organization's business decisions since compliance helps to build a strong positive image. Thus, technology helps in meeting these requirements by aiding in reporting to the top management on GRC activities. Again, self-assessments that are conducted by applying compliance software techniques are vital planning decisions. Thus, the role of technology in GRC activities is to facilitate and improve these activities through the provision of information, documentation, and aid in decision making. 

As organizational activities continue to become complex and the need for organizational leaders to make more informed and accurate decisions increases, governance, risk management and compliance activities more vital for organizations. The array of risks and uncertainties that organizations are exposed increases due to changing organizations structures and technology use. Regulations that intend to protect the interests of consumers and others doing business or in the immediate environment of the operating area of the organization are also increasing the need for preventive compliance. All these developments create the need for GRC technical solutions that have the ability to meet the emerging requirements of today’s organizations. Technical solutions offer a multidimensional approach to the challenges of GRC in organizations. 

Incident management and crisis management are two interrelated terms that constitute the follow-up practices of any organizations on their projects, strategies, and plans. The purpose, as well as objectives of these two terms, differ, however, the result is to ensure the laid down plans in an organization are functional. Incident management refers to activities that are carried out to correct disruptions in the normal activities of an organization while crisis management is the measures taken protect an organizations image against defamation. The purpose of incident management is short term since its objective is to resume the normal operations in an organization while crisis management is both long term and short term since it ensures that the organization remains in business for the entire period. Despite the differences in purpose, both interventions help the organizations to sustain itself and also grow. 

The application of crisis and incident management in GRC activities aims at eliminating bottlenecks that hinder the implementation of situation improvement strategies while at the same time improving the long-term prospects of the organization. Incident management activities involve investigation of the causes of failure of strategies put in place to make improvements. For example, restructuring of an organization may lead to reduced productivity if not implemented effectively. Thus, the management will be forced to conduct an incident analysis to identify areas that cause reduced production. Often restructuring may result in lack of coordination between departments or lack of motivation among employees. Thus, incidence management as part of the organization’s governance investigates the causes of these challenges and comes up with measures to immediately improve performance. 

Crisis management in GRC is closely linked to compliance. A crisis is a situation that will adversely affect the performance of the organization if left to persist (Mayer, Barafort, Picard, & Cortina, 2015). Noncompliance causes most cases of crises in organizations. The penalty for noncompliance is often hefty, hence a crisis needs to be addressed urgently. For example, an organization that does not adhere to ethical requirements runs the risk of the government cracking on its operations to force compliance. Such measures are often accompanied by hefty penalties or sometimes discontinuation of activities. Unethical practices may also cause the organization to lose its customers who may feel that their interests are not catered for by the business. Consequently, revenue is lost. Crisis management aims to mitigate or eliminate these negative effects by ensuring that the management makes decisions that within the compliant limits. 

GRC Technical Solution Framework (Cyber Security) 

Cyber Security Risk Management 

Protecting organization data and finances from cyber-attacks is vital. Today, cyber-attacks are more prevalent, causing massive damage to organizations operations and financial losses (Chaudhary & Hamilton, 2015). Thus, risk management through protection from cyber-attacks is becoming a key area of focus. As cybersecurity risks increase due to persistent and sophisticated attacks, the need for measures to curb these attacks becomes apparent. Therefore, an effective framework for risk cybersecurity risk is vital for all organizations. The NIST framework for cybersecurity provides guidelines, standards, and practices for organizations to protect their data from cyber-attacks (Chaudhary & Hamilton, 2015). FISMA is a federal government law that mandates bodies like NIST to come up with measures that strengthen cybersecurity in the country. The NIST framework requires organizations to identify the vulnerable and essential parts of their data, come up with measures to protect the data and also have measures to detect data breaches. The organization then responds to the data loss and instigates measures to recover from the breach. 

Assessing risks relating to cyber security requires a procedural framework where the system is first analyzed to determine how it operates. Potential threats to the system together with their impact are also identified. Finally, the control environment is considered, where the threat is identified, and measures that can be taken to neutralize the threat in case of occurrence of the risk are laid out. Communication is also vital in risk management. Internal communication is a form of consultation within the organization purposely done to review risk management strategies and also make improvements. External communication, on the other hand, seeks to improve risk management strategies by consulting with stakeholders. 

Business Continuity Planning (BCP) 

Business Continuity Planning (BCP) has in the recent past emerged as an area of focus in risk management. GRC activities aim to ensure the organization's activities run uninterrupted both in the short and long term. Thus, BCP falls under the need for uninterrupted activities. However, cyber-attacks have the potential to cause massive interruptions in these activities due to data or financial losses, or that may result from these attacks. BCP recognizes the existence of threats as well as risks that face organizations that have the potential to interrupt the organization's systems of data and personnel. Thus, BCP implements strategies to control the occurrence of these risks such that business continuity is existent even when disasters such as cyber-attacks occur. Therefore, there exists a close link between BCP and Cyber security. Cyber security protects business IT assets from attacks by hackers by providing firewalls that are difficult to breach. Integration of cyber security strategies in business activities is vital in ensuring business continuity in case of attacks. The integration process of BCP and cybersecurity involves identification of digital assets that are essential for business operations and performing a cyber-risk assessment and coming up with controls (Matley & Dufort, 2016). Disaster recovery plans are also implemented early to ensure data recovery and other recovery activities do not cause a business interruption in the event of a disaster. 

Threat and Vulnerability Management 

The existence of cyber threats and increased prevalence of cyber attacks today makes a threat and vulnerability management an important topic in risk management in GRC activities. The threats faced by business vary depending on the activities of the organizations. Considering that cybersecurity threats affect more than one domain in an organization, controls need to cover all asset that is vulnerable within the organization. Thus, threat modelling is useful in the process of threat and vulnerability management (Chaudhary & Hamilton, 2015). Threat modelling enables monitoring of emerging threats and assesses the likelihood and possible damage of the threats in case they occur. Thus, threat modelling prevents the occurrence of disasters and also outlines the methods of recovering from the disaster. 

Threat and Vulnerability Management in GRC activities requires a procedural approach. First, the organization requires developing procedures and models for indicating a security breach in the organization's systems as soon as it occurs. Organization IT teams are responsible for developing methods for breach detection and analyzing the impact of the breach. The systems are then tested for their ability to protect the organization's assets and ability to detect and report breaches on time. Detection involves monitoring intrusions and detection of malicious program that may affect the system (PWC, 2015). Rogue technologies also provide a threat to businesses. The systems need to detect these technologies and prevent them from causing malicious damage. 

Importantly, the developed systems are tested for compliance to ascertain that they meet the guideline and regulations of the industry (PWC, 2015). Compliance testing, in this case, involves assessing the tools as well as the techniques. In this case, The NIST framework for cybersecurity provides guidelines, standards, and practices for organizations to protect their data from cyber-attacks (Chaudhary & Hamilton, 2015). Therefore, the NIST guidelines are a key requirement in compliance testing. 

Vendor Management 

Vendor services need to attain the standards that organizations require in securing their assets against cyber attacks. Thus, vendor management ensures that the vendors offer software solutions that are suited to the needs of the organization. GRC has a crucial role to play in vendor management to ensure that the organization's contract vendors that reliable. The first role of GRC in vendor management involves monitoring. Services offered by the vendors are monitored to ensure that they do not fall below the required standards. GRC activities also involve testing the vendor’s services against possible threats. Testing ensures that the software is able to sustain cyber attacks. 

Outsourcing is the main contributor to the need to monitor vendors’ services. Consequently, NIST has developed the best vendor management practices to assist business best manage their vendor services. Organization’s management must ensure that procurement and selection processes for the vendor are undertaken with input from the internal IT personnel and security experts. Consultation ensures that the vendor selected to supply the software provides the best system to suit the organization’s needs. New suppliers who may be deemed potential partners to work with must undergo assessments and test to prove their suitability as vendors. The testing process determines the vendor’s compliance with regulations and guidelines. Assessments also determine the product's ability to detect and withstand threats that may be detrimental to the company's activities. Risk assessments are another vital aspect of vendor management. The vendor’s product is continuously assessed for its ability to protect the organization’s assets from cyber threats. 

Enterprise Risk Management 

Enterprise Risk Management (ERM) aims to identify, assess and develop strategies to mitigate or prevent the risks posed to the organization (Sica & Edwards, 2015). In the context of cybersecurity, ERM prevents exposure to risks such as data breaches. The cost of data breaches may sometimes push the organization out of business. As part of the risk management activities in an organization, ERM is crucial for the operations of the organizations. The key aspects of ERM in today’s organizations are risk materiality, risk categories and risk tolerance (Sica & Edwards, 2015). Establishing risk materiality forms the initial steps in the ERM process. Risk materiality measures the frequency of occurrence of the risk together with its severity. Risk appetite and risk tolerance are also measures of the chances of occurrence of the risk and the ability of the organization to deal with the risk. These are expressed numerically after calculation of the risk factors. A high-risk appetite implies that the organization requires maintaining a similarly high-risk tolerance value to balance out the effect that occurrence of the risk will bring to the organization. 

Furthermore, the risks faced by the organization need to be categorized according to the frequency of occurrence and the ability of the organization to handle them. Categorization assists in the identification of the best methods to approach the challenges posed by the risks. It also helps in ERM by informing decisions to implement strategies to prevent the occurrence of the threats caused by these risks. 

Internal Audit 

Internal audits are relevant in protecting the digital business assets through a holistic approach to cybersecurity. With regard to the way risks are managed at the organization level, internal audits help in merging the risks posed to individual assets and enables a wholesome view of the process of protecting the organization's assets. Audits also enforce collaboration of IT, security and legal teams in developing strategies that enhance risk management. A comprehensive internal audit serves to identify the organization's systems and assets that have a connection to particular networks. This helps in determining exposure to risks. 

Additionally, internal audits of various departments within the business are crucial in determining the methods of operations. For example, procurement and payment methods may expose the organization to data breaches. An audit of these methods helps to identify the risks and inform management decisions. Internal audits also inform compliance levels within the organization. Areas that need compliance to industry regulations are identified, and measures are taken to enforce compliance to improve security. 

Regulatory compliance management 

Regulations exist in cybersecurity for organizations to meet standards that aim to protect the data and information of customers. These regulations also cater to the needs of the organization by providing strategies that help to protect the organization's data. The federal government or industry players set these regulations. For example, regulations exist for protecting digital assets. Digital assets play a major role in today's business operations. Cybersecurity regulations require that organizations prevent access to these assets by unwarranted people. Configuration management database (CMBD) acts as a store where critical digital assets are kept in the organization. Interference with this database will have detrimental effects on organization activities. Thus, cybersecurity regulations demand strong firewalls that protect these assets from cyber attacks. 

Policy management as part of the regulations compliance framework in an organization is related to GRC through the governance aspect although risk management and compliance are also essential aspects. Policy management involves activities pertaining to the formulation, updating, and enforcement of policies. Policies need to created and enforced according to the organization's goals. The policies also need to be communicated to employees such that they work within the frameworks of the policies. Compliance is also a requirement in policy management. Formulated policies relating to cybersecurity need to adhere to regulation if the business intends to avoid the risk of noncompliance. 

Lockpath 

Lockpath is among the market’s leading software solutions for governance, compliance and risk management. Lockpath supports organizations in managing complex business information, execution of internal processes and coordination of activities relating to GRC (Houlihan, 2016). Lockpath has been shown to provide an improvement percentage of over 25% in the ways that organizations conduct their GRC activities due to less time usage, reduced exposure to risks and coordination of changes (Houlihan, 2016). Lockpath is a flexible platform with applications in both large and small organizations. Additionally, Lockpath follows the functional framework of requirements modelling, status investigation, situation improvement, and crisis and incident management (Papazafeiropoulou & Spanaki, 2016). This framework makes the software effective and easy to use. 

Lockpath’s vendor identifies the challenges involved in the software’s implementation process. Every organization has its specific needs according to the requirement modelling phase suggested by Paulus (Papazafeiropoulou & Spanaki, 2016). Accordingly, Lockpath’s caters for these needs due to its flexible design which allows it to be used in both small. Middle-size and large organizations. Considering that the requirements of the GRC activities for these organizations are diverse, Lockpath meets the threshold for a requirement modelling software. Again, the vendor is aware that use of the software impacts the organization's activities directly through service delivery, employee satisfaction and organization growth (Houlihan, 2016). Hence, the vendor provides technical support to meet the unique needs of the organizations. Among the key services offered is deployment support which helps to hasten the process of installing the software and integrating it into organization activities. This technical support reduces the deployment period to less than five months as opposed to independent deployment which is often costly and takes much longer. 

Customization of the software is also part of the requirements modelling phase. Customization ensures that the activities of the organizations are well integrated into the working of the software. Consequently, GRC activities become effective and easier to manage. Lockpath offers technical support in customization to ensure customer satisfaction. Furthermore, the software may require improvements or modification due to organization growth and diversification. These requirements create the need for technical personnel who are familiar with the fundamental as well as the complex workings of the software. Lockpath offers this services to meet the needs of their customers on all these aspects. 

Lockpath GRC software is deployed after a situation analysis is conducted. Situation analysis seeks to identify the current and past GRC activities that the organization applies. For the purpose of ensuring compatibility between the software design and the organization's structure, a situation analysis identifies changes that contribute to the success of the business in the implementation of the Lockpath software. The types and nature of risks that an organization faces is also a factor that is looked into before the software is deployed. Lockpath is effective risk mitigation and uncertainties prediction resource. Thus, the deployment requires that the technical team incorporates events that are likely to cause the occurrence of the risk or help in the prediction of uncertain events. Situation analysis phase, therefore, helps to configure the Lockpath software to the needs of the organization. 

Situation improvement is the core purpose of the Lockpath software. As reported earlier, Lockpath contributes to 25-30% improvement in GRC activities relating to compliance and risk activities (Houlihan, 2016). Such an improvement is beneficial to the overall operations of the organizations since it helps to save on costs also contributes towards improvement and growth. Situation improvement is also evident in all the three aspects of the governance, risk management, and compliance. The application assists in governance activities by providing documentation strategies that assist in decision making. Also, improvement in governance is achieved through coordination of the three aspects due to the role of the Lockpath software. Risk management improvement is achieved through the risk manager application. Documentation is vital since it enables the managers to keep track of activities that place the organization on the risk path. The software has risk indicator analysis applications that utilize documented and fed data to calculate risks. The level of risk together with its implication on activities of the organization is vital for decision making. Thus, managers can make decisions to mitigate or avoid risks due to the effectiveness of Lockpath. Compliance activities improvement is possible through coordination of policies and strategies that enable the organization to comply with the regulation. 

Lockpath also offers crisis and incidence management applications. Lockpath well tracks organization situations that contribute towards crisis and incidences. The software's incidence management application enables the users to develop strategies to deal with incidences that may occur within the organizations. Additionally, the application allows for investigation of the cause of the incidence hence assisting in the timely management of occurrences before they cause farther damage. Crisis management is also enabled in the software. Crises have the capability of disabling the operations of an organization. The vendor is cognizant of this risk hence installed risk management applications in the software (Houlihan, 2016). The applications enable that user to perform a crisis analysis and get suggestions on a possible method of handling the crisis. Again, the software improves compliance which in turn helps in avoiding crises. 

In conclusion, governance, risk management and compliance (GRC) are reliant on the ability of the organization's systems to pass accurate and timely information to the top management. Technological development has transformed the way organization leaders make decisions relating to GRC activities. Current decisions are more accurate due to the availability of support in software that improves GRC activities. One the most effective commercial software that supports GRC s Lockpath. Lockpath significantly improves GRC activities within the organization. Therefore, the importance of GRC activities to organizations implies that continued technological improvement aid in accurate decision making by organization leaders. 

References 

Cau, D. (n.d). Governance, risk, and compliance (GRC) software . Retrieved on 3 April 2018, from, 

https://www2.deloitte.com/content/dam/Deloitte/lu/Documents/risk/lu_en_ins_governance-risk-compliance-software_05022014.pdf 

Chaudhary, R., & Hamilton, J. (2015). The five critical attributes of effective cybersecurity risk management . Retrieved April 10, 2018, from http://www.scadahackr.com/library/Documents/Risk_Management/Crowe%20Horwath%20-%205%20Critical%20Attributes%20of%20Effective%20Cybersecurity%20Risk%20Management.pdf. 

Houlihan, D. (2016). GRC vendor implementation success strategies . Retrieved on 3 April 2018, from 

http://bluehillresearch.com/wp-content/uploads/2015/08/RT-A0166-GRCImplementation-DH-Final2.pdf. 

Matley, E., & Dufort, M. (2016). Cyber security and business continuity management . Retrieved on 11 April 2018, from, 

http://www.epicc.org/uploadfiles/documents/PwC%20-%20Cyber%20Security%20and%20Business%20Continuity%20Management.pdf 

Mayer, N., Barafort, B., Picard, M., & Cortina, S. (2015). An ISO compliant and integrated model for IT GRC (Governance, Risk Management, and Compliance). In European Conference on Software Process Improvement , (pp. 87-99). Cham: Springer. 

Nissen, V., & Marekfia, W. (2013). Towards a research agenda for strategic governance, risk and compliance (GRC) management. In Business Informatics (CBI), 2013 IEEE 15th Conference on (pp. 1-6) , IEEE. 

Papazafeiropoulou, A., & Spanaki, K. (2016). Understanding governance, risk, and compliance information systems (GRC IS): The experts view. Information Systems Frontiers, 18(6) , 1251-1263. 

PWC. (2015). Threat and Vulnerability Management (TVM): Protecting IT assets through Comprehensive Program. Retrieved on 11 April 2018, from https://chapters.theiia.org/chicago/Events/2nd%20Annual%20IIAISACA%20Hacking%20Conference/Day%202%20Session%206%20-%20PwC.pdf. 

Sadiq, S., & Governatori, G. (2015). Managing regulatory compliance in business processes. In Handbook on Business Process Management 2 . Berlin, Heidelberg: Springer. 

Sica, A. L., & Edwards, J. (2015). Cyber Strategy and Enterprise Risk Management (ERM). Retrieved on 11 April 2018, from http://thealsgroup.com/cmsAdmin/uploads/cyber-risk-and-erm-101915.pdf. 

Tadewald, J. (2013). GRC integration: A conceptual foundation model for success. M anagement Accounting Quarterly, 15(3) , 10-23.