15 GRC Myths
Myth #1 - IT is the center of GRC
Reality: IT is not the driver of GRC. Business is the only driver and where the buck stops. IT is only a component of the overall picture.
Myth #2 - It is acceptable to operate GRC in silos
Reality: If GRC is placed in silos, then coordinated efforts will undoubtedly fail. Placement in silos may also lead to political games being played out and competition for budget being fought for and potentially lost.
Myth #3 - Technology is the basis for GRC
Reality: Technology has in reality been a serious contributor to the GRC issues addressed earlier in this paper. Having technology solutions to assist with assessing is a requirement, but remember, GRC must support the people efforts as well. You can't take a firewall to court; GRC is a "people issue" to deal with.
Myth #4 - Risk assessments ensure all GRC requirements are met
Reality: Like IT, Risk is another component of GRC and cannot be depended upon for the final work on compliance across the organization. Risk has many guises; it is imperative that the organization understands the risk methods being employed and that the coordinated results are combined to provide an overall risk posture and understanding to the organization.
Myth #5 - The more controls you have the easier it is to adhere to regulations
Reality: Having many controls to choose from is like going to a restaurant that has an extensive menu. The dilemma is too many choices, and when you eventually order the meal you think you want, you quickly find out it's not what you really wanted. Too many controls can drive a company down this road. All of the main control infrastructures are designed to support business and be internationally recognized, providing a good level of assurance and trust.
Myth #6 - Unified Control Infrastructures save money and make life easy
Reality: Unified control infrastructures are a combination of many control infrastructures and have been created primarily to try to ease the use of control infrastructures across an organization. The thought behind unified control infrastructures is to work with only one infrastructure rather than many. Unfortunately, the more controls you create, the bigger your problem becomes. There is a saying in the compliance industry: "Every control you implement has a cost to the organization." Using unified infrastructures could force organizations to implement controls where controls are not necessarily needed, incurring unwarranted costs. One GRC technology solutions provider has 2,500 main controls and 10,000 sub-controls supporting their infrastructure. Working with this number of controls is a potential issue and can be extremely costly to organizations trying to comply.
Myth #7 - Applying international regulations to national requirements is an acceptable practice
Reality: Only the actual laws of the land are acceptable in each jurisdiction. During Consult2Comply's review process in GRC, we have seen vendors offering alignment to regulations and standards from other countries, specifically Australia and New Zealand (the AS/NZ prefix).
Myth #8 - If a business adheres to regulations alone, the business is compliant
Reality: Regulations are the "tip of the iceberg". (Refer to the Consult2Comply GRC Model and definition of terms for additional requirements.)
Myth #9 - Self Assessment is a waste of time
Reality: Self assessment and self review of results are essential parts of complying with GRC requirements.
Myth #10 - Once a control infrastructure is implemented you can forget it
Reality: GRC is a moving target. GRC must be coordinated throughout the organization to ensure overall adherence. Continual improvement is a specific requirement of GRC activities. Unless this is undertaken, the chances are your GRC initiatives will become redundant and the organization will be:
- Wasting money, and
- Open to litigious opportunities from the outside.
Myth #11 - You don't need policy to adhere to GRC
Reality: Policy is the foundation of all GRC activities. Without effective policy there is no intent in the organization to effectively monitor, measure and manage GRC. Before embarking on any GRC initiative, ensure that policy supporting the initiative is present and has been endorsed by the appropriate management.
Myth #12 - Conforming to certain controls of a control infrastructure ensures compliance to the infrastructure
Reality: Technology solutions have a tendency to offer a compliance score based on a minimal number of controls being implemented in specific areas. These scores can be extremely misleading and provide management with an incorrect assumption about compliance adherence. For example: Physical security of a computer facility - locks and controls for physical access ensure conformance to the specific controls but do not offer compliance to the overall standard. In other words, reporting a 77% score for compliance to a standard instead of a conformance score of 77% to the specific controls misleads compliance professionals and provides a false sense of security (in security terms, a "false positive").
Myth #13 - People aren't important; technology is the way forward
Reality: People are the mainstay of GRC - Compliance. GRC covers many aspects of the business: hardware, information, software, people, facilities, branding and so on. People are the ones who undertake GRC activities and report on overall compliance; technology can only support this.
Myth #14 - Delegation of accountability and responsibility is acceptable
Reality:
Myth #15 - Budget won't be a problem
Reality: Budget is always an issue with Management. Common faults are: