A major challenge for GRC is that it’s often implemented in silos. How do you move to integrated risk management and what are some critical success factors?
As the scope of risk and compliance continues to grow, more silos have been created than ever before. In the face of this expanding disparate information, traditional approaches to governance, risk and compliance (GRC) must evolve into integrated risk management (IRM). In this interview from Tom Field of ISMG, Galvanize’s President of IT and Cyber Security Solutions, Vivek Shivananda, describes this evolution, what IRM means to organizations and its importance, and the critical factors for a successful IRM approach.
So, integrated risk management–is this the new GRC?
Vivek: That’s a great question. A lot of people ask me, “Is this the new GRC? Is this a new paradigm?” For us, not really. I’ll talk about why it is and why it isn’t. From a GRC perspective, for us it’s more the same. We have been doing this for many years and we have been helping customers with an IRM framework. Now the reason why there’s been a lot of hype about IRM software versus GRC is that traditionally GRC has had a bad rap because it takes too long for certain vendors to implement it. The second reason is, GRC (even though the original intent was to be integrated), organizations started embracing GRC, but it was all implemented in silos. The benefit of overall GRC, the notion of IRM or enterprise risk management (ERM), was never really realized. What I think the analysts and the market is really trying to do is think about it more from a product marketing perspective and positioning to say, “I think that GRC is dead. Let’s come up with a new thing called integrated risk management.”
I think there’s more to it than the perspective that it needs to be more integrated. I think in that way it’s a new paradigm, but it’s not any new technology. It’s the same integrated risk solutions vendors, including Galvanize, who have been doing GRC to help organizations with their IRM. Beyond the technology, it’s also about the organizations and how they are organized and able to embrace a GRC or IRM platform, to really start to work together to make it happen: a tool by itself doesn’t really make organizations talk to each other. You need to have a relationship, whether it’s information security, with audit, or business continuity or corporate compliance. If you don’t have relationships, the tool by itself doesn’t solve the problem.
“If you don’t have relationships, the tool by itself doesn’t solve the problem.”
I think the industry has come a long way in recognizing that we need to work together to manage risk. I think that notion, GRC is evolving into an integrated risk management program from our viewpoint, but it’s not anything dramatically new.
How do organizations that have invested in traditional GRC also evolve into this notion of IRM?
Vivek: Before I answer that question—one thing to realize is where organizations have been in terms of investing in security or GRC. A lot of money has been spent in different types of tools, technologies, and security to try to keep the bad guys out: reduce the number of vulnerabilities, make sure we have the best firewalls, IDS, and so on and so forth.
Organizations have realized that even with spending all that money, they’re not any more secure; I think the attackers are a lot more sophisticated than they have ever been. They have the same, if not better, tools than the organizations. What the organizations realize is that they need to do a better job managing that risk, rather than putting more money into tools. This is another reason and motivation for integrated risk management.
Going back to answering your question: we have organizations spending time and money doing application assessments—vendor risk management software is a big item now. We have all this information of corporate compliance, security ops chasing incidents, and all the vulnerabilities we know we have, but there is no integrated view that answer questions such as:
- “How do I manage all this?”
- “How do I add business context to this?”
- “I don’t have time to fix 1 million vulnerabilities, but if I have time to fix 10, which ones should I focus on?”
For these questions, you need a much more integrated view of risk management that you can add business context with. That’s really what security risk solutions organizations have been trying to do, and companies like us provide the platform to organize all this information and then orchestrate it in a way that can really make the best use of resources.
How is Galvanize helping organizations make this transition into IRM?
Vivek: First and foremost, one of the critical success factors for a good integrated risk solution is to have a really solid reference architecture that really connects all the dots. GRC and IRM are more about big relationships—to a certain extent, big data—but it’s more about big relationships: how you tie a risk to a control, to policy, to an incident. It’s pretty complicated, but we do that heavy lifting so the customers don’t have to.