GRC: a hard dollar cost but soft dollar return, says RSA Archer

Now RSA Archer has published a ‘key findings’ document on that summit. It shows that while GRC is increasing in importance within the enterprise, it is paradoxically beginning to lose its separate identity. GRC as a discrete discipline is fading. “Instead,” says the document, “participants reported they’re increasingly integrating GRC processes into enterprise/operational/information risk management programs.”

This appears to be in line with the growing realization that security itself needs to be, but is not yet, treated holistically; GRC faces the same problem. Although the problem is recognized, the summit showed that enterprise risk is still largely managed in silos. “We need to prioritize across many groups within the enterprise, not just within each silo or group,” commented one participant.

Nevertheless, the overall concept of risk management is gaining in importance and increasingly becoming “a C-level and board-level conversation.” One participant said, “[The board is] starting to get it: regulatory pressure, news items. What really gets them is, ‘How do we know the problems being reported in other places are being taken care of here?’” The answer to that question comes from an increasingly close relationship between the GRC function and the board.

But overall, GRC suffers from the same problem that afflicts every other aspect of security: the need, and the difficulty, of demonstrating strong ROI to the board. The problem, said one participant, is that GRC is “a hard-dollar cost, but it’s a soft-dollar return... The costs are consolidated but the benefits are shared.” His solution? “We’ve begun to analyze our impact so we can begin to talk about savings in other places, even though it may not ‘belong’ to us.”