Efficient Data Assessment in GRC Space


In this week’s blog post, we’re sharing insights on data assessment from Joseph Schorr, Vice President of Strategic Alliances at LogicGate, a leading provider of cloud software for automating governance, risk, and compliance (GRC) processes. Joseph is also an advisor to Dreamit Ventures, a growth program and venture fund focused on pre-Series A healthtech, securetech, and urbantech startups. He helps founders in the SecureTech program, which focuses on cybersecurity, anti-fraud, risk and compliance, and physical security startups.

In the last decade, the risk manager’s role and the way risk data is assessed have changed significantly, driven by risk transformation and digital transformation. These advances also made it possible to produce more coherent answers from a mix of subjective and objective data, and to report assessments directly to board members and C-suite executives. This was not always done effectively; some technologies made the process even more complicated, or skipped the subjective data entirely. On large risk assessments and vulnerability assessments, for example, you might simply have to load in a lot of data and then try to produce the reporting. The only good option was to put everything into Archer, hire very good Archer consultants to build what you wanted, and then keep them on staff to keep tweaking the system so it kept working.

This, however, was not the most efficient or scalable solution. The risk industry and its clients needed something much more lightweight: something that lent itself to almost instant innovation and change, that could adapt to the extremely rapidly changing compliance regulations around the world, and that was reasonably easy to use. Thanks to companies such as LogicGate, advisory consulting firms can now use such platforms in their large risk transformation engagements, and when they leave and hand the solution over, the clients are not lost; it remains usable without hiring specialist software experts each time.

According to Joseph, GRC sometimes carries a negative connotation. When people hear GRC, they often think of PCI and HIPAA, mainly the compliance part, and in general of something you had to do but did not want to do. This ties into the misconception that GRC somehow inhibits the business. A better way to think about it is the pilot who runs a pre-flight checklist and looks at everything before turning anything on or flying the plane. That does not make the pilot an expert in aviation engineering. In the same way, not everyone who deals with GRC will be a risk and compliance expert, but they still need the base knowledge and tools to make correct assessments. People need to start thinking of GRC as a way to make really critical business decisions, decisions they have to make anyway.

This means that risk managers should be getting closer and closer to the business. If a risk manager only talks to their peers in company meetings, to security people, compliance people and other risk people, and worries only about their piece of the puzzle, they are going to be an abject failure. A risk professional in any company should be talking to the CFO and the chief legal officer, making their presence known and getting themselves invited into business discussions. Without knowing the details of how the company plans to take its next steps, or what exactly is going on, they cannot provide good answers that will work for the company in the future. They need to be included in business matters instead of just being the checklist and compliance people; they need to get into the business and start providing answers.

To provide answers, risk managers need access to the right information. The tough part is that they need to quantify some of it, because handing a heat map to someone who asks for information and saying “we’re green, yellow or red” is simply not enough. The executives who need this information work on numbers and make their decisions based on numbers, not colors. The higher you go in a company, the simpler the questions become, and the more potentially disastrous a poor answer is for your career. When executives ask something really simple and you show them a dashboard with colored lights lit up, that is not what they are looking for.

In essence, every risk manager should avoid what is called “green dashboard disease”. Even when the information at hand is limited, current technologies and tools let us capture exactly the data we need and make sure it is accurate. When it moves up to the executive level, you can then give answers based on actual findings and details, even if the decision rests on knowing only part of the puzzle. At that point it is crucial to communicate that this is not the full picture and that you are working on gathering more accurate data. In any case, reliable data with numbers is far more valuable than a green dashboard passed up the line. Remember that these executives are steering the ship, but they rely on you and your risk data to decide which way to go.
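As an added illustration (this is not code or a method from the interview, from LogicGate, or from Global Risk Community, and the page prescribes no particular quantification technique), here is one way to turn findings that would normally land on a heat map into numbers an executive can act on. Each finding carries a hypothetical range for how often it is expected to occur per year and a range for the loss when it does; a seeded Monte Carlo simulation converts those ranges into an expected annual loss and a 90th-percentile loss, per finding and for the whole portfolio. The findings, their ranges, the colors they would have been given, and the choice of triangular and Poisson distributions are all assumptions constructed for this example.

```python
"""Quantifying findings instead of colouring them: an added example.

Each finding carries a constructed annual-frequency range and a loss-per-event
range (sample data, not real assessment results).  A seeded Monte Carlo run
turns those ranges into an annualised loss distribution, which gives executives
an expected loss and a tail figure instead of a colour.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    freq_low: float      # expected events per year, low estimate
    freq_high: float     # expected events per year, high estimate
    loss_low: float      # loss per event (currency units), low estimate
    loss_high: float     # loss per event, high estimate
    rag: str             # the colour a heat map would have shown


# Constructed sample findings.  Both "red" items look identical on a heat map.
FINDINGS = [
    Finding("Unpatched internet-facing server", 0.5, 2.0, 50_000, 400_000, "red"),
    Finding("Shared admin password on legacy app", 0.2, 1.0, 20_000, 100_000, "red"),
    Finding("Missing laptop encryption", 1.0, 5.0, 2_000, 15_000, "amber"),
]


def poisson(lam: float, rng: random.Random) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(f: Finding, rng: random.Random, trials: int) -> list[float]:
    """Return `trials` sampled annual losses for one finding.

    Frequency and per-event loss are drawn from triangular distributions whose
    mode is the midpoint of the estimated range (an assumption of this example);
    the number of events in a year is Poisson with the sampled frequency.
    """
    results = []
    for _ in range(trials):
        lam = rng.triangular(f.freq_low, f.freq_high)
        events = poisson(lam, rng)
        results.append(sum(rng.triangular(f.loss_low, f.loss_high) for _ in range(events)))
    return results


def summarise(samples: list[float], rag: str) -> dict[str, object]:
    """Expected loss and 90th-percentile loss for one set of annual samples."""
    s = sorted(samples)
    return {
        "rag": rag,
        "expected_loss": statistics.fmean(s),
        "p90_loss": s[int(0.9 * (len(s) - 1))],
    }


def quantify(findings: list[Finding], trials: int = 20_000, seed: int = 1) -> dict[str, dict[str, object]]:
    """Per-finding and portfolio figures; the fixed seed makes the run repeatable."""
    rng = random.Random(seed)
    portfolio = [0.0] * trials
    report: dict[str, dict[str, object]] = {}
    for f in findings:
        samples = simulate_annual_loss(f, rng, trials)
        for i, s in enumerate(samples):
            portfolio[i] += s
        report[f.name] = summarise(samples, f.rag)
    report["portfolio"] = summarise(portfolio, "n/a")
    return report


def ranked(report: dict[str, dict[str, object]]) -> list[str]:
    """Finding names ordered by expected annual loss, highest first."""
    items = [(n, r["expected_loss"]) for n, r in report.items() if n != "portfolio"]
    return [n for n, _ in sorted(items, key=lambda x: x[1], reverse=True)]


if __name__ == "__main__":
    rep = quantify(FINDINGS)
    for name in ranked(rep) + ["portfolio"]:
        r = rep[name]
        print(f"{name:40s} {r['rag']:6s} "
              f"expected {r['expected_loss']:>12,.0f}  p90 {r['p90_loss']:>12,.0f}")
```

Two findings that would both have been reported as “red” come out roughly an order of magnitude apart once a frequency and a loss range are attached to them, which is exactly the distinction a color cannot carry. The ranges are the subjective input the text mentions; the point is that they are captured explicitly and can be tightened as better data arrives, while the report already gives a number and its uncertainty rather than a light on a dashboard.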

Especially now that remote working has become the norm under pandemic measures, the outsourcing philosophy is on the rise again. According to Joseph, a poll in February indicated that a large majority of IT leaders want to outsource security and risk functions. This means that many major companies may go from having internal risk departments to using external risk solutions, which also helps them with automation.

As executives want solutions that come as close as possible to being fully automated, risk is undoubtedly part of that process as well. If you are the only compliance person at a billion-dollar company, or part of a very small team, anything you can automate on the operational side makes your work more efficient and easier. It lets you look at the big picture and enable your company. So the move towards outsourcing and automation does not necessarily mean that your career in the company is at risk; rather, it is a sound and manageable model that helps you do what you should be doing.

Start with a great idea, then figure out your unique selling point and your MVP. Do this in a way that ultimately lets you reach out to investors for the funding to develop your idea, because at the end of the day, without the cash flow to develop your product you cannot make your idea a reality in this industry. In short, focus on finding investors right after you have shaped your idea. How good your idea is essentially boils down to your MVP: that first beta you go out and show people, and whether it solves a problem your target customers are facing.

One mistake many technical startups make is not considering the money aspect. They focus too much on developing the product without getting out there and finding out whether this is the solution people really want. Most of these startups are purely technical, with founders from technical backgrounds. At the start, however, the business should still be treated as a sales job one way or another. You need somebody who can get out there, close at least the first, second and third deal, and get the MVP into the hands of somebody who will really use it. Once you get that referral, it is gold, and it increases your brand awareness through word of mouth. If you get somebody with a good brand who is willing to speak up on your behalf, you have a much better chance of succeeding.

First, it is important to get a good understanding of the complex world of risk. This boils down to gathering as much knowledge and experience as you can along the way, but also to figuring out which industry or kind of information you want to focus on. When presented with more than 50 critical vulnerabilities, for example, most risk professionals get caught in a decision loop and bogged down by inertia because they cannot work out what matters most for their company. So learn to prioritize and focus on what is important for your company. You will need to operationalize a lot to get things done, so also learn how to make your processes more efficient along the way.

Involve yourself more with the business and with senior executives. Even if they do not want you to take part in discussions about the company’s next steps or current struggles, make them understand that your assessment is what will help steer their decisions in the right direction. Become an asset to your company, your environment, your organization, whatever it may be, and always strive to add more value.

For now, this sums up the key points of our interview. As the Global Risk Community team, we once again thank Joseph Schorr for his insight into data assessment in the GRC space. More information about this topic is available in our original interview, which is accessible here.

