Blog | September 28, 2020 5 MINS

Combatting GRC Complexity: A Blueprint for Mapping Common Control Frameworks


GRC is a complex initiative by nature, spanning many control frameworks and practices used to measure and monitor the business and to confirm that its operations stay in line with its objectives. In this blog, we focus on how organizations can streamline compliance tracking and take a proactive approach to maintaining and measuring their operations.

Register for the webinar: “The Compliance Paradox: Why GRC Initiatives Should Never Slow You Down” on October 13, 2020 at 11:00 am EST. 

Do You Over-Comply?  

The compliance team’s primary function is to apply rules already established by leadership for internal governance. External mandates add to these: the regulatory obligations necessary to operate, and the industry certifications that help the business achieve its overall goals. The idea is to work within these ever-expanding mandatory processes, not to create new ones. In practice, however, compliance teams inevitably develop additional methodologies and tasks in order to report on practices across the business. One of the driving factors of this paradox is the nature of compliance language. Standards and regulations are usually written in deliberately general terms so they can be applied across many kinds of organizations, which leaves each organization to interpret the requirement for itself and, in effect, to write its own rules.

Finding A Common Language, Standardizing Across Control Frameworks 

There is a lot of overlap between different initiatives, including security, privacy, and internal governance practices, but that overlap is quickly lost across differing interpretations and specialties. Agreeing on your organization’s definition of a control framework is typically done in the legal and compliance department. In other cases the standard is translated, applied, or delegated by an authorized auditor, such as a firm that specializes in ISO compliance. Several services and database resources, such as OneTrust DataGuidance, provide research, updates, and explanations of regulatory developments and control framework changes.

De-Duplicating Efforts Across Control Framework Practices

Having a coordinated team of “translators” who standardize each individual control framework is the first step in rationalizing multiple control frameworks. The next step for these teams is to cross-reference each control framework against the next standard: for every requirement, identify the internal practice that addresses it, then review and validate that the practice is genuinely related and achieves the outcome the framework intends, rather than merely sharing similar wording.

This is a backward approach to what should be an outcome-driven process. Still, for organizations with widespread and established compliance practices, it is often a necessary exercise. For organizations looking to upgrade a custom or legacy GRC program, it is a painful reality: every existing control record has to be identified and rewritten against the common framework, and that rework is the technical debt the organization pays down in order to gain efficiencies for its current needs.
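The cross-referencing described above is, at bottom, a many-to-one mapping from framework requirements to internal common controls, and the useful checks fall out of set operations over that mapping. The script below is an added example, not OneTrust’s code or part of the original post, and every framework name, requirement ID, control ID, and evidence name in it is constructed placeholder data rather than an identifier from any real standard. It finds requirements that no control covers (gaps), controls whose single measurement satisfies requirements in several frameworks (“measure once, comply many”), evidence that is collected twice by separate controls (merge candidates), and mappings that point at requirement IDs no framework defines any more (stale after a standard revision).

```python
"""Common-control mapping checks: gaps, shared controls, duplicated evidence, stale refs.

Added example. All framework names, requirement IDs, control IDs and evidence
names below are constructed placeholders, not identifiers from any real standard.
"""
from collections import defaultdict

# Constructed sample requirements, grouped by (hypothetical) framework.
FRAMEWORKS = {
    "SEC-FW": {
        "SEC-1": "Review user access quarterly",
        "SEC-2": "Encrypt data at rest",
        "SEC-3": "Log administrative actions",
    },
    "PRIV-FW": {
        "PRIV-1": "Restrict access to personal data to authorised staff",
        "PRIV-2": "Encrypt personal data in storage",
        "PRIV-3": "Honour data-subject deletion requests",
    },
    "GOV-POL": {
        "GOV-1": "Managers attest to team access lists each quarter",
        "GOV-2": "Retain audit logs for one year",
    },
}

# Constructed common controls: each is measured once and mapped to every
# requirement it satisfies. "SEC-9" is a deliberately stale reference.
COMMON_CONTROLS = {
    "CC-ACCESS-REVIEW": {
        "evidence": "quarterly-access-review-export",
        "satisfies": ["SEC-1", "PRIV-1", "GOV-1"],
    },
    "CC-ENCRYPT-AT-REST": {
        "evidence": "kms-key-policy-snapshot",
        "satisfies": ["SEC-2", "PRIV-2"],
    },
    "CC-ADMIN-AUDIT-LOG": {
        "evidence": "siem-retention-config",
        "satisfies": ["SEC-3", "SEC-9"],
    },
    "CC-LOG-RETENTION": {
        "evidence": "siem-retention-config",  # same artefact as above: merge candidate
        "satisfies": ["GOV-2"],
    },
}


def requirement_index(frameworks):
    """Map each requirement ID back to the framework that owns it."""
    return {req: fw for fw, reqs in frameworks.items() for req in reqs}


def coverage_gaps(frameworks, controls):
    """Per framework, the requirement IDs that no control is mapped to."""
    mapped = {req for c in controls.values() for req in c["satisfies"]}
    return {fw: sorted(r for r in reqs if r not in mapped) for fw, reqs in frameworks.items()}


def multi_framework_controls(frameworks, controls):
    """Controls whose one measurement satisfies requirements in two or more frameworks."""
    owner = requirement_index(frameworks)
    result = {}
    for cid, c in controls.items():
        fws = sorted({owner[r] for r in c["satisfies"] if r in owner})
        if len(fws) >= 2:
            result[cid] = fws
    return result


def duplicated_evidence(controls):
    """Evidence artefacts collected by more than one control: candidates to merge."""
    by_evidence = defaultdict(list)
    for cid, c in controls.items():
        by_evidence[c["evidence"]].append(cid)
    return {ev: sorted(cids) for ev, cids in by_evidence.items() if len(cids) > 1}


def unknown_requirement_refs(frameworks, controls):
    """Mapped requirement IDs that no framework defines (stale after a revision)."""
    owner = requirement_index(frameworks)
    return sorted({r for c in controls.values() for r in c["satisfies"] if r not in owner})


if __name__ == "__main__":
    print("gaps:", coverage_gaps(FRAMEWORKS, COMMON_CONTROLS))
    print("measure once, comply many:", multi_framework_controls(FRAMEWORKS, COMMON_CONTROLS))
    print("duplicated evidence:", duplicated_evidence(COMMON_CONTROLS))
    print("stale references:", unknown_requirement_refs(FRAMEWORKS, COMMON_CONTROLS))
```

On the sample data this reports PRIV-3 as the only uncovered requirement, flags the access-review and encryption controls as serving more than one framework, shows that the two logging controls pull the same SIEM artefact, and surfaces SEC-9 as a mapping that outlived its standard. Running these checks on every change to the mapping is what keeps the translators’ cross-reference honest after a framework is revised.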

Alternatively, suppose you are building a new risk management program, or investing in a fresh implementation on an agile GRC platform. In that case the outlook is better: configuring a modern GRC system does not require the amount of customization that GRC leaders of the past needed in order to operate and deliver insights.

Our team of GRC professionals will discuss this and more during our upcoming webinar, “The Compliance Paradox: Why GRC Initiatives Should Never Slow You Down,” including:

  • Infrastructure features that let you measure once and comply many times through integrated control mappings
  • Examples of standardization that extend GRC to contributions from the lines of business
  • Automation that improves your response time and reporting efforts

You already have a GRC strategy, now how can you best leverage a modern application to realize new efficiencies? Register today to join our discussion on this topic!  

© OneTrust. All Rights Reserved.