GRC Has Become a Requirement for Risk Management
Next Logical Step: An Integrated View of Risk
A Vertical View of Risk
In the early days of GRC, independent functions focused mainly on operational risks, with little emphasis on connecting them to strategic business impact. Business and IT were essentially separate functions of an organization, with little connection between the two worlds. That changed as enterprise GRC became a requirement of risk management.
Today, when business and technology are intimately connected (or at the very least, mutually influential), risk management must link operational risks to business strategies and vice versa. Security events are one example: security-related incidents must be prioritized based on the business context of the systems, data and processes involved, so that the business impact of a security event is understood. Another example is building audit plans based on strategic business objectives, not just a historical ‘we always audit these business processes’ approach.
The relationship between strategic business goals and business operations is the key to this vertical view of risk. A decision made at the strategic level will cascade down and affect the organization’s ability to execute business operations; a seemingly minor operational event can spiral out of control and impact strategic direction. Thus, connecting the top-to-bottom, strategic-to-operational view of risk is essential to truly understanding, and addressing, the obstacles to achieving business objectives.