JULY 2018 | CIOAPPLICATIONS.COM | 9

Challenges with Implementation

The implementation of a GRC solution is not without its challenges. Attaining buy-in from executive management, a lack of focus on the underlying business need, and process change are all common setbacks. For instance, a lack of involvement among stakeholders often results in lower adoption rates and hinders overall success. Some organizations err by focusing on elaborate features rather than understanding their core business requirements and evaluating GRC software functionality for alignment and strategic fit. Consequently, opportunities for improvement are missed, because the underlying business need is only discovered in the post-implementation phase, resulting in a poor implementation and further setbacks. Furthermore, it is important to note that while GRC is practical for building a comprehensive framework for managing risk and improving performance, it is not a replacement for internal control or compliance testing.

The success of any GRC implementation rests on four phases and on the selection of a proper methodology and risk scoring system. The GRC lifecycle can be divided into four phases: chartering, configuration, implementation, and post-implementation. During the chartering phase, the organization determines that there is a need for a GRC solution to improve its preexisting control frameworks. During the configuration phase, it is important to be able to integrate and map multiple control frameworks and standards into the GRC tool, allowing tailored compliance reporting, statements of applicability, and a centralized dashboard. During the implementation phase, system problems are addressed in an effort to ensure stability, secure the availability of data, and support interoperation with other systems.
The post-implementation phase harmonizes control and audit functions in order to address emerging and recurring issues.

Methodologies

There are two standard methodology choices to make when implementing a GRC program: top-down versus bottom-up, and business criticality versus threat driven (Rsam, 2015). A top-down methodology is more appropriate for organizations where there is a predominant focus on executive-level reporting (Rsam, 2015). This methodology gathers the risk factors associated with core business assets within the organization and assesses how business processes will be impacted in the event that those assets become unavailable or otherwise compromised (Rsam, 2015). Appropriate controls are derived from these risk factors in order to determine the residual risk for organizational assets (Rsam, 2015). A bottom-up methodology is pertinent to information technology-centric use cases that focus on controls, vulnerabilities, and threats (Rsam, 2015). Threat-driven methodologies work well with identifiable targets such as applications, servers, and vendors (Rsam, 2015) and deliver data on threat-vulnerability pairs that correlate to the impact levels of a given asset; the corresponding controls are evaluated to determine the likelihood that the threat persists. Threat-driven methodologies are technical in nature and allow for a broad interpretation of the results of threat-vulnerability pairs. In contrast, business-criticality methodologies are less complex and highly scalable.

Risk Scoring System

A risk scoring system compares different threats and provides a metric for prioritizing risks, remediation efforts, and control allocation. Scoring can be categorized as either qualitative or quantitative. The risk scoring system may be derived from the mandates of commonly accepted security frameworks such as ISO, HIPAA, and PCI, or it can be an internal proprietary risk methodology.
Conclusion

GRC programs align business processes with risk management in an effort to reduce complexity and inconsistencies. A successful GRC implementation is not without potential roadblocks. Obstacles to implementation, such as attaining management support, a lack of competent resources, and process change setbacks, can be mitigated by a structured change management system. Additionally, establishing an enterprise risk management methodology suited to the organization is critical for success. The implementation of a successful GRC program will aid in gaining insight into the internal and external risks associated with business performance optimization, leading to increased efficiency, cost reductions, and improvements in overall risk posture (Rsam, 2015).

Nemi George