iG^src is a proof of concept GRC tool which I have been developing for over a decade. The decision to develop my own GRC solution was driven by budget and personnel constraints coupled with a need to evaluate an ever increasing number of MS Excel, MS Word and other documents that contained critical information with no way to “bring it all together.” The iG^src tool is not intended for enterprise environments. Instead, my aim is to help “lone wolf” security managers as well as consultants who provide Information Security, Data Privacy, Risk Management and similar services for their customers. The iG^src tool is MS Access based and therefore requires no installation while leveraging MS Access’ relational data management, reporting, and visual basic for applications (VBA) functionality. Moreover, completely backing up all of your audits, risk analysis, etc. is as simple as making a copy of the database.

To improve our understanding of the requirements of a Governance, Risk, Compliance, I will discuss the concept of iG^src which builds upon the traditional GRC concept by adding IT and Security as well as calling out the fundamental importance of Governance. In the following paragraphs, I will discuss the five components that form the iG^src concept:

I (Information Technology) – Information Technology (IT) is fundamental to all modern businesses and yet many GRC solutions treat it as a given or an afterthought. Alas, a failure in the IT department, be it from natural, technical, human or malicious causes, will result in a failure in the supported business processes. As such, I have given IT special consideration in the iG^src concept. The IT component of the iG^src concept includes all of the IT Infrastructure, applications, processes, employees and the relationships between these items. The foundation of any GRC initiative must be to understand and document the IT environment upon which the other components will rely.

G (Governance) – Governance has the only capital letter in the iG^src concept for good reason: without governance there is no GRC. Governance includes all of the management decisions made at all levels to direct the organization to achieve the desired results. Governance includes not only the policies, standards and guidelines but also how management conducts itself. For example, a policy prohibiting employees from accepting gifts will do no good if employees see management regularly accepting them. In a nutshell, Governance places the expectation on management that it will clearly state what is expected and then will live up to those expectations, especially when no one is looking.

S (Information Security and Data Privacy) – The importance of implementing sound information security cannot be overstated. If your environment is not secure then there is no way to adequately evaluate your risks and the compliance reports your organization generates will literally not be worth the paper they are printed on. Security involves all technical and administrative controls which are reasonably required to ensure that organizational data remains confidential, is not manipulated in unauthorized ways (integrity) and that the data is available when the organization requires it. The purpose of security is NOT to ensure 100% security which might stop the organization from working but, rather, to ensure that, through the use of risk management, controls have been implemented which meet the organization’s requirements. I’ve included Data Privacy (which may be seen as more of a compliance topic) in the security section because the two topics are in many ways the opposite sides of the same coin. Properly implemented information security will go a long way toward ensuring data privacy and likewise, implementing the requirements for Data Privacy will help improve an organization’s security posture.

R (Risk) – The Risk component includes all risk management activities across the organization. While many organizations talk about risk management, I believe that many are not achieving the benefits they could if they collected all of their risk management information in a single repository. This would allow risk managers to view the information from different viewpoints as well as to aggregate risk data from the smallest IT component in a system through the risk that results from operative decisions and external factors such as environmental, geopolitical, terrorism, etc. Key in the risk management process is to ensure that there is common agreement on how risk is evaluated. Using different methods to review risk will make it difficult to aggregate risks across an entire organization. I also stress the need to look at Black Swans, that is, risks that have a very low likelihood of occurring but have a catastrophic impact when they do occur. A prime example would be terrorists flying airplanes into the World Trade Center. I also stress the importance of “thinking the unthinkable” to ensure that potentially risks are not simply disregarded because they are considered “far-fetched.” To make risk management easier for the individuals who are on their own I have automated the processes to the greatest extent possible. I have also developed a formula for calculating risk which is used consistently throughout the tool.

C (Compliance) – The ultimate goal of any GRC program is not Compliance. Compliance is simply another element of risk management that needs to be evaluated on a case by case basis. If, for example, the cost of complying with a regulation is significantly higher than the penalties for non-compliance, then some organizations may choose to accept the risk of being caught and having to pay the penalty. There are, of course, organizations, such as government agencies, which have no option but to comply while other organizations understand compliance as good citizenship. Problematic with compliance is that each country, in which an organization has a presence, will have its own compliance requirements which may sometimes be contradictory. Regardless of how an organization chooses to deal with Compliance risk, the minimum any organization should do is to understand their compliance requirements. All compliance requirements should be collected and managed in a single location. This is time consuming but it will save effort in the long run because a control implemented for one compliance requirement may be the same control for a different requirement. If, for example, the HR and Finance departments each manage their compliance requirements in separate tools they may find themselves duplicating effort as each tries to implement the same access management control. In the coming weeks, I will be posting more information on iG^src but if you have questions, comments or suggestions please feel free to reach out to me