I was recently asked to host a round table discussion on ‘Governance, Risk and Compliance’ (GRC), and I have to admit I was more than a little excited.

Why?

Because the other people around the table were leading lights in the world of Cybersecurity, Risk and Resilience, and I was looking forward to exploring how a GRC framework can work across industries and learning some valuable lessons from those around our virtual table.

I was not disappointed, and what follows are some of the key insights and takeaways that are now on my ‘To Do’ list. If you’re looking to implement a GRC framework, then I suggest they become yours, too.

Seek to understand, then be understood

It was clear from the outset that everyone was in agreement. GRC is often seen as a negative, but it has the capacity to build value and benefit if approached with that mindset. In order to achieve this, however, it was clear there are a number of challenges we must overcome.

Understanding risk is no easy task. Risk is an ethereal and ever-changing term that means different things to different people, with people willing to accept very different levels of risk. When we talk of risk, we talk in negative terms, and that places us into a negative mindset.

Therefore, when we talk to businesses, we need to be mindful of this negativity and approach risk from another direction.

Instead of asking “What are the risks involved?” or “What risks are present?”, we need to reframe the question and ask “What are our goals?” or “What are our objectives?” Once we understand what we’re trying to achieve, we can move on to “What will prevent us from achieving this goal