Governance, Risk Management and Compliance
Updated: Jan 18, 2022
Author Swetha Kannan
Note: This article was compiled by Swetha Kannan with significant research from various Security Training forums/websites.
Governance, Risk Management and Compliance (GRC) Professionals integrate GRC practices into existing corporate entities and their policies and procedures to ensure compliance and reduce risk factors. By working collaboratively with the accounting, IT and other departments, GRC Professionals create an ethical strategy to achieve company goals.
What is Governance, Risk and Compliance?
Governance, risk and compliance (GRC) is a method for managing and strategizing an organization's regulations regarding governance, financial or physical risk, and regulatory compliance. It aligns the IT aspects with business objectives and works to improve the efficiency of a company. GRC consultants and GRC analysts provide an assessment of a business's GRC posture, identify risks, analyze the data, develop policies to benefit the workplace, and consult on the best course of action. Duties in these roles may involve optimizing GRC systems, implementing tactics to lower risk, providing internal audits, assisting with cybersecurity, creating routine reports, and ensuring regulatory compliance.
Career in GRC
In today's business world, the effective transfer of information and the seamless functioning of business processes are crucial assets, which is why a career in GRC can prove highly rewarding. One must understand the founding principles of GRC in order to embark on a successful career in the GRC industry.
'GRC' is a term that encompasses the governance, risk and compliance policies a company has in place. GRC allows companies to assimilate and manage IT operations that are subject to regulation. The objective is a systematic approach, a single framework, for managing GRC-related strategy so as to reduce cost and complexity.
In GRC jobs, professionals focus mainly on creating efficient processes, facilitating effective information sharing, and reporting in order to avoid wasted resources. Using GRC principles, accounting, IT and other departments can operate collaboratively to achieve company goals.
Jobs in GRC comprise three main areas of focus:
Governance - Corporate governance consists of the set of processes, policies, objectives and laws that determine how a corporation is controlled.
Risk - Risk pertains to an auditor failing to unearth mistakes or deliberate miscalculations (i.e. fraud) in financial statements.
Compliance - Compliance is adherence to a business's regulatory procedures.
How Can I Get a Job in Governance, Risk and Compliance?
If you want to get a job in governance, risk, and compliance (GRC), you need to pursue a bachelor's degree in computer science, information technology (IT), or information systems management.
Due to the nature of the job, experienced audit or assurance professionals, or risk management professionals with 1-2 years' experience, are preferred.
Employers may also look for candidates with qualifications in cybersecurity, and you may need a few years of experience to qualify. Initial experience in IT assurance, IT risk assessment/management, IT audits, or compliance assessment can be very helpful in transitioning into a GRC role.
In order to successfully perform a GRC role, one needs knowledge of risk management, governance, compliance, regulatory management, ethics, information security, and decision-making.
There are various security certifications available through online courses that help prepare you for the job's responsibilities. You must be familiar with cybersecurity frameworks, legal and regulatory compliance policies, and information system standards. Additional qualifications include strong technical skills, analytical thinking, and excellent communication.
A bachelor's degree in business management, computer science, information systems, finance and/or other related fields is usually required. One or more years of related experience is preferred. Professional certifications for GRC professionals include the Certified Fraud Examiner (CFE), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), Certified Information Systems Auditor (CISA), Certified in Risk and Information Systems Control (CRISC), and/or the GRC Professional (GRCP) certification.
Tasks and responsibilities
The overarching responsibilities for a GRC professional can include:
Reviewing the company's adherence to best-practice processes for efficacy and ascertaining internal control risks.
Developing systems to ethically organize and manage the business.
Guiding management with regard to policies, regulations, applicable laws and compliance issues.
Sample Job Duties and Responsibilities
Perform other duties as assigned to ensure the smooth functioning of the department and maintain the reputation of the organization as a viable business partner.
Recommend programmatic and technical directions and operate with a high degree of independence in matters relating to the investigation, impact, and analysis of security incidents, decisions regarding risk, and measures for computer and network security.
Operate with a high degree of independence with regard to project management activities, including development of project plans and budget/resource estimates.
Lead the development and implementation of the system-wide risk management function of the information security program to ensure information security risks are identified and monitored.
Internally assess, evaluate and make recommendations to management regarding the adequacy of the security controls for the University's information and technology systems.
Lead the system-wide information security compliance program, ensuring IT activities, processes, and procedures meet defined requirements, policies and regulations.
Develop and implement effective and reasonable policies and practices to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.
Execute a strategy for dealing with the increasing number of audits, compliance checks and external assessment processes for internal/external auditors, PCI DSS, ITAR, HIPAA, NIST 800-171 and FISMA.
Interact in both oral and written communications with all levels of System staff, including computer center staff, developers and other ITS staff, campus technical staff, general counsel, auditors, all System staff and students, and technology vendors and contractors, in matters related to information security and security awareness materials.
Work with Internal Audit, the State Board of Regents, the Auditor General's Office and outside consultants as appropriate on required security assessments and audits.
Coordinate and track all information technology and security related audits including scope of audits, colleges/units involved, timelines, auditing agencies and outcomes. Work with auditors as appropriate to keep audit focus in scope, maintain excellent relationships with audit entities and provide a consistent perspective that continually puts the institution in its best light. Provide guidance, evaluation and advocacy on audit responses.
Must be able to assess computer hardware, software, and systems for security risks or violations and work with ITS and campus staff and technology vendors to recommend solutions. Develop strategies to address awareness and training for all stakeholders as well as technical solutions. Must be able to assess the status of complex multi-location projects as well as identify and implement appropriate corrective measures to resolve issues as they arise. Must have a strong customer service orientation and the ability to project that attitude to customers in remote locations.
About the Author: Swetha Kannan has over 6 years of experience in cyber security consulting, working across several industrial sectors. She currently volunteers with Cybertrust America, a non-profit organization, as a Tech Lead and Director. Swetha is also actively involved in mentoring beginners and spreading awareness around cyber security.