12 tips for implementing GRC

Driven largely by compliance requirements for the Sarbanes-Oxley Act of 2002, many organizations are adopting governance, risk and compliance (GRC) tools to help manage their activities in these three areas. GRC suites and toolsets automate the collection, correlation and reporting of information to offer a broader picture not only of how well the company is performing, but also of how well it is complying with the law and managing risk.

But there are many factors to consider -- from initial steps, like whether or not to invest in the technology, to making the case for ROI on the software, to evaluating how well the GRC suite is giving you the information you seek.


We asked members of Wisegate, an invitation-only, business-social-networking group launched last year and comprised of CSOs and CISOs who want to privately share information with each other, for their advice. Several of their veteran security-professional members offered the following tips for getting GRC right.

Dave Notch, CISO, Thomson Reuters

The big tip for me is don't try to get it perfect, even though you may know what you want. Take an iterative approach. This lets you make progress and learn what your and others' requirements really are. Which leads me to my second point:

Expect to throw away some of your work. As you learn what the different audiences need, you will have to throw away some of your work. Don't take it personally -- this is just part of the learning process.

Get a handle on your assets (and this has nothing to do with tool selection). Unless you know what you have, it will be difficult to quantify what is wrong. We tiered our assets into 3 categories and those became the lenses we used to look at things.

Build a team that spans legal, HR, product, IT, and security. Work together regularly. This will help keep all of you from duplicating each other's work, such as policy development. Also, this makes it easier when you step on each other's toes. We are so matrixed in big companies these days that this is going to happen. Don't take it personally if you step on each other's toes -- and work together deliberately, which makes this a lot easier to work through when it does happen.


Kristen Knight, Privacy Director/Sr. Privacy Officer, NA Philips Electronics North America

Make sure you understand the operational impacts of the product before you commit to it. GRC products are all-encompassing by nature. Even your company's top executives will be impacted by a GRC implementation, so make sure they are willing to go through training and to adapt to the new system. If I had fully understood the product when I was purchasing it, I would have realized the unlikelihood of training a busy executive on how to use it.

It takes a mature organization with well-defined processes to deal with the workflow capability that a GRC tool provides. The workflow aspect of some solutions may require everyone in the organization to understand how to use it. The workflow of the product we chose meant that everyone had to learn how to use it, like, for example, an organization's expense reporting tool. That didn't work for us, since only a small number of privacy officers were the ones who had the expertise to accurately respond to the survey questions.

Recognize that implementations can take much longer than expected. At the same time, don't be afraid to pull the plug if the implementation isn't going well. We just tried to make it work because we wanted it to be a success.

Tom Malta, Senior Technology Risk Executive in financial services, including Goldman Sachs, Morgan Stanley, and BNY Mellon

Understand that this is a tool that requires care and feeding. A program around GRC must be in place with proper policies, procedures and workflow. If you don't have procedures and workflow around GRC, it can be easy to use what the tool has built in.

Communicate extensively. Make everyone aware of the phased approach to using the toolset.

Getting a good GRC framework in place doesn't have to be all about new tooling -- there are some simple things you can introduce immediately to your program to help manage your risk and compliance initiatives, such as the addition of reporting dashboards tied to (functional or corporate) key risk or key performance indicators (KRI/KPI).

Jeff Bardin, veteran CISO from Investor's Bank & Trust, State Street Bank and Hanover Insurance Group.

Perform a proof of concept deploying all modules of the tool as part of the PoC. If the PoC is successful, then you should try to use the instance for your production. If at all possible, following this process helps you cut costs and develop a working toolset quicker.

Most GRC tools come with connectors that enable quick integration with other security technologies and data feeds. Use them to reduce time and costs.
