Governance, Risk and Compliance

A structured framework to manage risk and comply with standards and regulations

Overview

Information is the most valuable commodity to any organisation regardless of where it operates (defence, law enforcement, local & central government, industry, etc.), and the demand to protect information assets is paramount in the face of ever-increasing and ever-changing threats from both within and without. While good cyber security hygiene will address some threats, it is only when an organisation implements a fully co-ordinated approach that threats are truly addressed and risks managed. Therefore, there is a clear need to implement supporting business-orientated frameworks or structures to further manage how all information assets are used, shared and protected.

This is where Governance, Risk (management) and Compliance (GRC) comes in. Most organisations will already be familiar with this concept but may have taken a siloed or even unstructured approach to each activity, with too much emphasis on one particular area. Here at Advent IM, we understand that GRC requires a coordinated approach in which each element is considered equally. For example, an effective risk management programme requires good governance structures to be in place and must also be aligned to the organisation’s compliance requirements.

 

So what is Governance, Risk and Compliance?

GRC can mean different things to different organisations but at Advent IM we summarise GRC as:

  • Governance – The management system through which an organisation governs a particular aspect of its business (in this case security) using a combination of policies, procedures and processes. At its heart is a formal governance framework providing leadership, direction and a sense of purpose; dedicated roles with properly defined responsibilities; and, finally, accountability for security across the whole of the organisation.
  • Risk – The consistent and repeatable processes through which an organisation identifies, analyses and manages/responds to risks that might positively or adversely impact the realisation of its business objectives. Responses typically depend on an organisation’s risk appetite and the potential gravity should the risk materialise.
  • Compliance – Management processes that identify and enable compliance with all applicable laws, regulations, contracts and strategies and then assess compliance against them on a regular basis. Such activities may be determined by the organisation’s industry sector, its location or by its own risk management policies and processes.

As an established security consultancy, we have years of experience in providing GRC advice and guidance to UK and overseas organisations in line with best practice and as relevant to the sector/industry within which they operate.

What our clients say

“Overall I was very happy with the system re-accreditation work carried out. Communication by Advent IM’s Consultant was excellent and he updated me on a regular basis on progress.”

Department of Justice NI