ROI in GRC

Return on Investment (ROI) discussions around GRC solution implementations are challenging for two reasons. First, GRC focuses on improving an organization's risk and compliance status, strengthening security controls and finding the balance between accepting and rejecting risks. Second, implementing a GRC solution and maturing an organization's risk and security posture takes years. Therefore, ROI calculations may not show immediate (within the first year) financial performance results. However,…

CURRENT STATE OF GRC: THE CHALLENGES

GRC professionals are accustomed to change driven by professional standards or by regulators. Until recently, the vast majority of GRC projects were driven by external regulations or compliance requirements that offered little option over whether, when or how to implement. For example, the Sarbanes-Oxley Act and related PCAOB audit standards drove significant effort and influenced the methodology used to assess internal control over financial reporting. The business case for Sarbanes-Oxley…

A year into GDPR

In the run-up to its introduction on 25 May 2018, everyone was buried in the microscopic details of trying to become GDPR compliant. Much of the focus was on the fact that non-compliance could mean monetary penalties of up to €20m or 4% of total annual worldwide turnover in the preceding financial year, whichever was higher. As a result, little thought seemed to be given to how exactly the GDPR…

What is ISO 27001:2013?

ISO 27001 is the globally recognised international standard for managing risks to the security of the information you hold. Certification to ISO 27001 allows you to demonstrate to your clients and other stakeholders that you are managing the security of your information. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). The standard adopts a process based…

Requirement of GRC

The news headlines continue to report on fines imposed by regulators, a myriad of corporate bribery and fraud, and the challenges of driving business growth. This trend only serves to highlight that despite recent investment in compliance, internal audit, risk management, and corporate governance disciplines, significant assurance gaps exist in most corporations. While isolated incidents of one-time governance failures are bound to occur, long-term systemic failures are more than just…