(The MorganFranklin Way)
By Michael Welch
The regulatory compliance landscape is complex, and cybersecurity risk is only growing. Managing risk and ensuring regulatory compliance now and in the future means building a GRC program that is sustainable and compliant by design, not just checkbox compliance.
The MorganFranklin Approach to Compliance
MorganFranklin advisors have extensive experience in building GRC programs to meet organizations’ unique needs. Based on this experience, we have developed the following approach to designing a sustainable GRC program.
Step 1: Understand the Situation
Every organization is different, and a GRC program needs to be tailored to an organization’s unique needs and business drivers. The first step in the process of building a GRC program is understanding what the customer needs out of the program.
This starts with learning the goals of the program. Is the objective to achieve compliance with regulations or is it to manage corporate risk? What does compliance mean to the organization? Is it regulatory statutes, standards and frameworks, policies and procedures, or contracts and commitments?
With an understanding of the goals of the framework, it’s possible to go deeper. MorganFranklin works to understand every level of a customer’s ideal GRC program from top-level frameworks through policies and procedures to the roles & responsibilities, change management and the specific controls that need to be implemented. This understanding is essential to tailoring a GRC program to an organization so that it both meets its needs and is sustainable.
Step 2: Focus on Risk
Risk is literally at the center of GRC (governance, risk, and compliance). An effective GRC program identifies the risks that an organization faces and the ways to reduce that risk to a level the organization is comfortable with.
This starts with an understanding of the organization’s risk appetite, or the amount of risk that it finds acceptable. In a highly regulated environment, risk appetite may be low, requiring significant investment in risk management. Other organizations may have a higher appetite for risk. A company’s risk appetite is determined by its executives and the board, which is one reason why gaining executive buy-in and support is a core tenet of MorganFranklin’s strategy for GRC policy development.
Based on an organization’s risk appetite, it is possible to identify methods for managing this risk. These include mitigating it through security investment, transferring it via insurance or outsourced security, and accepting it. MorganFranklin advisors draw on extensive industry experience to help organizations draft a risk management strategy that works for them.
Step 3: Take the Wider View
Cybersecurity risk is only one component of enterprise risk. An effective GRC strategy integrates with the rest of the business and aligns with the organization’s corporate culture, goals, and processes.
A GRC strategy that runs counter to corporate culture and processes is not a sustainable strategy. A GRC program needs to provide clear benefits to the organization. While achieving regulatory compliance is an important first step, GRC can’t stop with compliance.
MorganFranklin advisors help with designing a program that benefits the organization as a whole. This includes everything from identifying how to tie GRC to existing processes to achieving the buy-in required to make the program sustainable. By working from the top down rather than the bottom up, MorganFranklin helps to build a program that meets an organization’s needs both now and in the future.
Step 4: Build the Program for the Long Run
Cybersecurity risk and compliance requirements are not going away. A GRC program needs to be designed and built in a way that makes it usable and sustainable. This means both aligning the GRC program with the corporate culture and goals and designing it to operate effectively over the long term.
Basing GRC programs on spreadsheets and manual review isn’t a long-term plan as GRC grows more complex. However, solutions exist that make GRC management easier and provide organizations with the tools needed to pass audits, perform third-party risk management, and present effectively to the board. MorganFranklin advisors help to identify the right tools for an organization’s situation and configure them to support a sustainable and scalable GRC program. Our goal is to align the business objectives, risks, strategy, people, process, and technology to provide governance and compliance oversight.
What Makes MorganFranklin Different
A company has several options when selecting a partner to help with building a GRC program. What makes MorganFranklin different is our commitment to tailoring the process to the organization.
Every organization is unique with different needs, and MorganFranklin is committed to helping them succeed. This involves building a long-term relationship, where – when compliance requirements, enterprise risk or business needs change – a company has a trusted partner to turn to.
As a full-service cybersecurity firm, MorganFranklin has the background and the experience needed to identify what is not working and find a way to remediate the problem. This focus on flexibility and long-term, continuous improvement is crucial to a sustainable GRC program and is what makes MorganFranklin stand out from the rest.