A guide to IT governance, risk and compliance

Information Age presents your complete business guide to IT governance, risk and compliance

Keeping your business’s governance, risk and compliance (GRC) in check is crucial for resilience in the face of evolving cyber threats, retention of customer trust, and staying in line with data regulations. Ever since OCEG founder Scott L. Mitchell first defined GRC as “the integrated collection of capabilities that enable an organisation to reliably achieve objectives, address uncertainty and act with integrity” in 2007, data standards such as GDPR have been introduced and revamped, while threats including ransomware and fraud have wreaked havoc.

Defining governance, risk and compliance

To determine how to effectively keep GRC in check, we must first clearly define what each aspect means in a business context:

  • Governance entails overseeing how systems operate; implementing a framework of rules and processes required; and establishing constant accountability across the organisation.
  • Risk refers to the management of plans in place to mitigate threats to the business, including cyber attacks, IT outages, and system vulnerabilities.
  • Compliance means agreeing to follow government regulations and industry frameworks around data and business practices.

Combined, these areas are equally important in maintaining legal and ethical company operations. With this in mind, we explore what organisations of all sizes and sectors need to keep in mind when it comes to GRC.

Risk management best practice

Risks to your IT infrastructure can range from cyber attacks from threat actors and insider threats — malicious or accidental — to an IT outage due to tech failure, and natural disasters. Whatever the circumstance, it pays to have a backup and recovery system in place to minimise impact. Without such a strategy, data can be lost, and customers will lose trust. In a world where tech now underpins most business processes, leaders can ill afford to leave risk management solely to the IT team.

Securing endpoints wherever they are plays a big part in risk management best practice. This means ensuring that passwords are constantly managed, enforced and changed where necessary, and implementing multi-factor authentication (MFA) on all devices used for work.

Risks and vulnerabilities in the business will continue to evolve, meaning that the entire infrastructure needs to be tightly monitored. Threat intelligence capabilities tell the story behind data processes, explaining how cyber attacks and other threats entered the system, and where defences need to be strengthened. Additionally, patches should be consistently applied for all vulnerabilities.

Alongside this, the entire organisation needs to be on board, with every member of staff being accountable for keeping the infrastructure secure. This entails establishing a company culture with data privacy and security at the forefront. Ensuring that the workforce is aware of all possible threats and vulnerabilities, and how to help prevent them, is key here.

Related: IT risk management best practices for organisations — Identifying the IT risk management best practices that CTOs must implement to keep the organisation properly protected.

IT compliance tools

To ensure that your IT infrastructure is compliant in line with regulations and ethical frameworks, there is an array of tools available on the market to help streamline the process. Truly successful governance, risk and compliance in today’s ever-evolving business world is becoming increasingly difficult to achieve by human effort alone. To mitigate this, IT compliance tools can aid an array of important responsibilities:

  • Auditing of controls — all data, security and cash flow processes need to be rigorously audited in order to ensure that they meet regulations and ethical frameworks. Many tools on the market can automate this, reducing complexity for staff.
  • Cyber security awareness training — There are tools that can help bolster security awareness training, by hosting phishing prevention exercises and other simulations.
  • Know Your Customer (KYC) — A set of standards set up to ensure that organisations are informed of their customers’ risk management capabilities, and can do business with them accordingly. This is particularly important in the financial services space.
  • Organisation of security and finance documents — it’s vital that all security measures for company infrastructure, and financial controls are well documented and kept in a secure, easy-to-reach location, for the benefit of regulatory bodies such as the Information Commissioner’s Office (ICO).
  • Zero trust — As cyber threats such as ransomware remain at large, zero trust network access (ZTNA) tools only allow users through with the right credentials, and are capable of finding and quarantining threats.

Related: The best IT compliance tools for your business — Looking at some of the best IT compliance tools and methods that are suitable for all types of business.

Big tech regulation

With corporations such as Google and Meta continuing to widen the scope of their data practices, playing a gradually larger role in everyday life, the importance of proper regulation of competition keeps growing, too. The regulation of so-called “big tech” corporation practices has been rising up governmental agendas, with legislation being explored in the UK and EU. These waves of new regulation mean that organisations within and beyond big tech will need to re-evaluate their online activities, to ensure they stay compliant.

The Online Safety Bill in the UK, for example, looks to address any online activity that is “legal but harmful” — a term which has appeared ambiguous for many. This refers to the ethical side of matters, and emphasises the need to uphold positive user experiences. After all, with corporate social responsibility (CSR) playing an increasingly important role in perception held by consumers and talent alike (particularly Millennials and Gen Z), this is key to retaining trust across society.

For such a mission to truly work, in line with regulations, organisations need to have a diverse workforce from the top down, that brings a wide variety of backgrounds, mindsets and experiences. Achieving establishment of a culture entrenched in DEI values, and having teams from different backgrounds involved in design, ensures that possible harm to the user is minimised.

Related: How the regulation of big tech can affect your business — The UK’s pending Online Safety Bill and the EU’s Digital Services Act are designed for the regulation of big tech, but there is the issue of legal but harmful and unintended consequences that can affect your business.

Financial services compliance

Financial institutions in particular have their own regulations to adhere to, given the highly sensitive assets at their disposal. Bodies such as the Financial Conduct Authority (FCA) in the UK help ensure that consumers receive appropriate services, and that competition remains fair across the sector, as well as monitoring for malpractice such as money laundering under anti-money laundering (AML) rules.

The emergence of digital-first banks and neobanks has added another layer of regulatory approaches. Licences designed either for traditional financial services (currently utilised in the US, for example) or for the more specific digital banking regimes emerging across Southeast Asia need to evolve as fintech continues to innovate.

For banks and other financial institutions to stay compliant, they need to stay up-to-date with changing regulations. Compliance checks need to be embedded into marketing and sales operations. All staff should be trained to have a mindset with compliance at the forefront, and knowledge of the consequences should the organisation breach regulations. Use of automation and low-code capabilities can go a long way in helping financial institutions easily manage their processes, adapting them where necessary without the need for a high-tech background.

Related: Bank IT compliance: how financial services can stay compliant with regulations — Exploring strategies that can help organisations stay on the right side of the law, meeting regulations and industry-adopted standards.


Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.