From the course: Cybersecurity Foundations: Governance, Risk, and Compliance (GRC)

GRC capability model

- [Instructor] All right. You have your GRC program in place and things are going great, but how do you evaluate the program regularly and make sure that you're optimizing GRC activities? We're going to go back to our friends from the OCEG. The OCEG developed an open-source GRC capability model, which shows you how to integrate the different GRC disciplines into a unified approach. The model should be used as a foundation for anyone assessing and maintaining their GRC program, and we will discuss each component of the program here. The four components of the GRC capability model are learn, align, perform, and review. Beginning with learn, you have to know the organization first and foremost. What is the culture? Who are the key stakeholders? What are the current business objectives and goals? You can't start building a GRC program without having a clear understanding of the key factors that will influence your program. Once you've learned about the organization, it's time to align. Alignment involves ensuring that the strategy and objectives are all moving towards the same goal. You want to make sure that the way the organization makes decisions helps address key risks, opportunities, threats, and requirements to push the company forward. Alignment involves discussions about why people made decisions and how these decisions impacted the business. Next up, we have to perform actions to promote the good stuff happening in the organization and remediate the bad things that are not in alignment with our goals. Mature GRC programs can quickly identify gaps in the program and then remediate them before a bad event happens. Most companies will spend a lot of time in the performance stage. It's important here that good activities are rewarded and milestones are celebrated, which can keep GRC programs operating well. Lastly, we review. This involves ensuring the design and operating effectiveness of all the initiatives and actions that we are taking. We make sure that these are in alignment with the overall program. You'll typically want a third party to come in and perform this review, and give an objective look at the company and its performance. The GRC capability model is a great way to ensure that GRC activities are optimized, consistently evaluated, and done appropriately. You can use this capability model to facilitate strategic conversations amongst stakeholders and also use it as a framework to schedule out GRC activities. Using the capability model offers transparency and accountability to the company and can be a tool used by GRC professionals to build effective programs. The OCEG has a ton of resources you can explore to use this model, and I encourage any GRC professional to spend some time with this model as you're building out your program.