THINKING ABOUT THE PROCESS
Capability Maturity for Governance, Risk management, and Compliance

Some years back, Governance, Risk management, and Compliance, whether separate from each other or coordinated as “GRC”, were rather unwelcome by organisations. Not only they cost money, but also they were complicated and required serious and continuous effort by more than the people originally appointed to “take care of this” (and who, at first, most likely had to tend to GRC matters as a part-time endeavour next to their regular day-to-day tasks). A lot has changed since then.

The world of regulatory compliance has evolved and the number of requirements is constantly increasing. Nowadays, organisations have accepted that they have to conform to rules (some set by external entities and some at the corporate level) and are being more and more often challenged to respond to a multitude of regulatory and business requirements and requests. At stake are significant financial penalties (for instance, GDPR violations) and serious reputational damage, so GRC is evolving to be seen as an investment (or insurance) and is becoming an inseparable part of the business.

But how can you manage this ever-changing, dynamic process efficiently? Might adopting a Capability Maturity Model be a good method for improving your organisation’s GRC? And what could jumpstart your organisation to an acceptable CM level?

While no two organisations are the same and whichever reasons your organisation might have for setting up (or having set up) its GRC programme, the aim is the same: Protect your business – it’s as simple as that!

This could involve: reducing risk, improving operational quality, increasing predictability of outcomes, and perhaps (secretly or openly) getting some return on investment (by minimising/avoiding waste, fraud, and other business/operational disruptions). And this could be achieved in all kinds of ways, following different methods. But the more aligned and well-integrated your GRC processes are, the more likely it is that your GRC programme will be successful.

In terms of a GRC Capability Maturity Model there is plenty posted on the internet; I will not go into that. But if you wonder at which CM level your organisation is at, a quick appraisal could be made as follows:

Level 0 – Inexistent The organisation has hardly given GRC any thought yet.

Level 1 – Ad-Hoc The organisation has no dedicated personnel or has not assigned roles. Whenever a GRC-related issue comes up, someone from the top management will “somehow” deal with it in an ad hoc manner.

Level 2 – Repeatable The organisation has assigned roles and responsibilities to specific people within the organisation; but in many cases, these people also have other, sometimes even conflicting, areas of responsibility. Certain GRC-related issues are performed regularly because they “have to be done”. The people responsible for these tasks might start semi-automating some of their tasks, such as using spreadsheets for reporting and acquiring some GRC skills while having to figure things out on their own.

Level 3 – Defined The organisation has assigned roles and responsibilities to dedicated resources with GRC knowledge/experience. However, at this stage the rest of the organisation still have a “not my business” mentality and expect not to be involved in GRC matters. This is partly correct as the GRC department has documented processes and procedures, compliance evidence is regularly collected, and the consequences of non-conformity are clear. The organisation has invested in point-solutions but might also be looking at integrated GRC tooling.

Level 4 – Measured & Controlled The organisation’s GRC programme has managed to reach all business levels of the organisation (also including its subsidiaries – on the other hand, supply-chain compliance is still difficult to manage). Major GRC processes are being measured for performance and sustainability and Key Performance Indicators (KPIs) are used to keep the higher management up-to-date. Processes are being modelled and executed in dedicated GRC software.

Level 5 – Optimising Every employee participates actively in the GRC programme depending on their particular job function. Supply-chain compliance is integrated. GRC processes are constantly evaluated for effectiveness and efficiency. A continuous improvement approach is applied at regular time intervals. Software solutions drive efficient process execution and allow management to gather meaningful data about their GRC state.

If you find yourself at one of the lower levels, you might wonder how you can climb up and perhaps even skip a step or two, if possible. Without putting too much thought into the details, I would like to suggest that investing in a good GRC software solution could help you rise to at least Level 3, possibly 4. Obviously, just owning a GRC tool will not do this, but with some effort it could truly accelerate your progress enormously.

Our GRC-Boxx was not built with Capability Maturity in mind, but it ticks a lot of the boxes all the way up to Level 5 (for example, with a built-in supply-chain compliance module) and a lot more functionality to help you continuously improve! GRC-Boxx will give you the handles to assign ownership appropriately, organise your compliance programme as a continuous process (and not a one-off project), and manage all processes in an efficient way that suits you and the pace of your organisation.

Have a look at it and feel free to contact us if you would like to know more about it!

maturity-isnt-a-product-of-growing-older-its-a-product-of-growing-wiser
Compliance benefits
A rather different pentest

We have been subjecting our infrastructure and applications to annually-recurring penetration tests for years. However, last week, a different penetration “test” took place… and as it turns out: inadvertently!

Someone broke into our offices by forcing a window open, went through our office space, even broke into our server-room, and left with … nothing?!

Of course, we were shocked at first! We saw on photos taken by our security-cameras the perpetrator using a screwdriver and brute-force to open locked doors and we saw the perpetrator moving swiftly from room to room…

The next morning we took inventory of the damage and also of all computer equipment that was in the office. We have been maintaining a detailed and up-to-date Inventory of Assets and could quickly conclude that there was nothing missing! This was in accordance with our expectation after the initial study of the security-camera footage: the perpetrator spent a meagre 7 seconds in our server-room, leaving the room while still holding the screwdriver in one hand, as when entering it. Moreover, the entire “visit” in our office space took no more than 3 minutes or so.

Nonetheless, we checked carefully whether tampering with any systems had taken place (e.g. by leaving a USB-Stick inserted, adding/removing cables, re-wiring components, etc.) but again, this was not found to be the case.

And, thus, we were (and still are) somewhat baffled as to the purpose of the break-in. Our hunch is that it was totally unexpected that all the office lighting would turn on triggered by movement sensors. Additionally, because the office has mostly glass walls, there is hardly any place one can stay out-of-sight from bypassers (mind you, it was dark outside and brightly illuminated inside and still quite some people were leaving their offices). And last, but not least, the presence of our security-cameras might have also indicated that a silent alarm had been raised and time was limited…

So, all’s well that ends well! And then we realised that we had a unique opportunity at hand and decided to treat this incident as a (physical) penetration test! We looked at what went well for us and what could have gone worse. We realised that our Clear-Desk, Clear-Screen, and Password Protection policies, as well as our Asset Management are working efficient! And as an improvement, we will soon be adding a security-camera for an area that was not entirely covered.

Of course, we would have rather had this test be played out as a simulated test than be confronted with this real-life situation; but we will grab any opportunity to learn from this incident!

server-room break-in
burglar - duh
GRC-Boxx genesis #2
THE MONTH OF AUDITS!

For us, January is the “month of audits”. In the early days of setting up our compliance programme, we thought it would be convenient to have all the audits occur within a very short period of time. Well, you know… to get them out of the way! And then, with compliance “out of the way”, we could tend to other (more) important business during the rest of the year … until December came again and we ended up having to spend the holiday season working to review policies and processes and registrations, analysing risks, etc., and perhaps even sacrificing one of our personal new year’s resolutions for a hopeful “next year we will do this differently”…

Of course, we soon realised that compliance is an ongoing process and not a fire-and-forget effort. An organisation that claims to be truly compliant, should be compliant at all times and be ready to respond to any situation and even pass a full audit at any given moment! And this requires more than time, effort, and commitment; it requires good organisation. But how can you organise all your compliance tasks, without creating an unmanageable to-do list or filling up your calendar with countless recurring reminders?

We took this into account when we developed GRC-Boxx. GRC-Boxx has “process” in its heart. And every process (such as S.M.A.R.T. objectives, PDCA-cycles, document reviews, risk management, issue handling, recurring registrations, and everything else) would have its own lifecycle supported. And that is what GRC-Boxx does and it does it well! After you spread out tasks in the course of the year and assign ownership and responsibilities, GRC-Boxx will notify the right people at the right time that a task should be tended to (and will escalate appropriately if things do not get done timely). And thus, I can sit down and write a blog article instead of stressing about the upcoming audit next week!

at work during dinner
GRC-Boxx genesis #1
Still using spreadsheets for tracking compliance?

When I took up the role of compliance manager, I was starting from scratch. It was thus not long before I became overwhelmed by the number of requirements we would have to comply with and all the evidence to be collected for each of these. And it was only logical that I resorted to using spreadsheets to track it all.

After all, a spreadsheet made sense! A column for requirements and columns for evidence, their owner, file location, modification date, etc., and status. Added formulae for some sort of insight and reporting, and “intelligence” such as colour-highlighting based on status and dates, and we were set! Alright…spreadsheets would not notify me when things went wrong or became overdue, but surely with some macros and integra…

No. Stop!

Spreadsheets are great for storing, manipulating, and analysing data such as accounting and payroll information; but they are not a process or project management tool. They lack user-rights at the cell level*, audit-trail*, version control*, and are terrible with (inter-)linking information, process workflows, notifications, integrations, and more…

It was at that point that I realised another solution was necessary and we, at Grexx, used our low-code, workflow-enabling platform to develop a basic governance, risk management, and compliance application quickly. At first just for our own use; but soon enough there was enough interest to turn it into a fully-fledged product.

GRC-Boxx was born!

And, now, a few years down the line, GRC-Boxx is full of functionality to make any spreadsheet obsolete!

*with the exception of Google sheets

spreadsheet hell cartoon
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in the form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.