Driving more strategic IT governance, risk and compliance across the enterprise

Today more than ever, with increased digitization of businesses and global access to AI, cyber risk is business risk. In fact, according to the Allianz Risk Barometer¹, “a cyber event is the top global business risk for 2024.” In CGI’s own Voice of Our Clients research, protecting the organization through cybersecurity is a top business priority.

While Chief Information Security Officers (CISOs) face continued pressures to better manage cyber risk, there’s a growing sense that boards of directors are experiencing “cyber fatigue.” As a result, organizations need to better understand the full extent and cost of cyber risk across the enterprise and its ecosystems.

Many organizations have created risk management processes aligned to the ISO 27001 standard for information security management systems. This requires a holistic blueprint that defines essential parameters such as the intended functions (e.g., CISO, internal audit, internal controls, business continuity planning, etc.), scope (e.g., IT risks, business risks or broader), and objectives.

CGI recommends addressing these challenges with minimal impact to resource capacity through automation and optimization such as IT governance, risk and compliance (GRC). IT GRC tools provide software and processes that support an integrated approach for identifying and minimizing cyber risk, while also improving compliance and operational efficiency.

I’ve been a part of many IT GRC implementations for organizations across industries, witnessing firsthand the value of such tools. For example, a large European banking client needed to report on numerous KPIs to meet bank authority requirements. We worked with the client to build their enterprise-wide IT GRC environment step-by-step. This gave them the centralized view they needed to provide the requested KPIs. This has deepened my understanding of the need to have a global vision of an organization's lines of defense beyond cybersecurity governance. 

Achieving more effective and resilient IT GRC

Cyber risk management leaders can spend a lot of time managing and trying to get value from information, but this alone doesn’t necessarily help them reduce risk.

IT GRC tools enable organizations to increase quality and compliance at a lower cost. They allow experts to spend more time on value-added data analysis, and less time collecting and connecting data. Having this infrastructure in place also better prepares enterprises for organizational changes, such as carve ins and carve outs.

Key drivers include:

• Increase regulatory compliance and reduce audit costs and findings. Evolving laws and regulations, such as the General Data Protection Regulation (GDPR), are a top concern. In 2023, for example, approximately €2.1 billion in fines were imposed in the European Union due to GDPR violations—more than in 2019, 2020 and 2021 combined.
• Increase enterprise risk visibility through improved data correlation and modeling
• Improve communication about risks to reduce the occurrence and severity of incidents
• Generate timely and accurate reports to validate progress and support business cases targeted at preventing greater vulnerabilities

Harnessing AI for GRC

IT GRC is evolving to better support business efficiencies by tapping the power of AI and advanced risk analytics. Using AI to automate outputs enables organizations to conduct more granular and detailed analyses of vast data. AI generates comprehensive insights into threats, risks and opportunities, regardless of an organization's GRC maturity level.

AI-powered GRC tools have the potential to enhance business decisions, particularly in areas such as space, critical national infrastructure, and defense, where risk management and decision-making based on real-time big data analysis are crucial.

Effective integration plays a pivotal role in maximizing AI outputs. Further, harnessing AI and its enormous potential while mitigating and avoiding risks requires human-centered AI, responsible AI principles and AI governance.

Although the AI regulatory landscape continues to evolve, the EU AI Act stands out as a pioneering law. For example, it bans AI applications deemed to pose unacceptable risks. As AI tools (including GRC platforms) develop, the legislative landscape will need to adapt rapidly to stay relevant and not stifle advances.

Enterprise GRC vs. IT GRC

The vast GRC market includes both enterprise GRC (eGRC) and IT GRC solutions. Distinguishing the two is complex because the scope and approach of each are not mutually exclusive.

Some eGRC solutions address IT risks, while some IT GRC solutions address business risks across the IT spectrum. The lines can become blurred. However, here are some important distinctions to keep in mind:

• eGRC takes a holistic approach to risk management, focusing on processes and policies across the organization. Solutions address a wide range of enterprise functions and risks, including financial management, compliance, internal control, etc.
• IT GRC focuses on organizational assets such as sensitive information, applications, personnel, facilities and infrastructures. Everything that represents value within the organization is integrated into IT GRC repositories and used to identify IT risks. IT GRC tools primarily address controls, which are key elements of risk analysis, and often integrate IT control libraries or policy bases (e.g., ISO 27001, 27002, NIST, PCI-DSS) or frameworks such as COBIT. They have a more limited scope than eGRC tools and operate in a more specialized manner.

The fundamental role of risk management in addressing cybersecurity is clear. If your objective is focused on IT risk management, which requires the more specialized aspects of IT GRC platforms, what are the key considerations in evaluating such platforms?

Recommendations for evaluating IT GRC platforms

One the global blueprint is defined, key considerations in selecting the right technology to support it include the following:

• Implementation costs. Make sure the implementation supports your operational requirements and accurately assess its scope and required resources. If you lack the necessary internal capabilities, what can your vendor provide?
• Service and product provider experience and ability to deliver. Your IT partners should offer highly experienced teams and detailed implementation plans. If they use an integrator, the integrator should also have relevant experience.
• Adaptation requirements. Consider whether the IT GRC tool you select requires significant configuration or customization. Do you need a platform that can adapt to your security function, or can your security function adapt to the platform and its methodology?
• Cross-functional or modular deployment. Determine whether you need to deploy the entire platform on a restricted perimeter and then extend it or deploy the modules sequentially without a perimeter. Your solution partner should be able to help you address this. This last consideration requires understanding the capabilities of available modules and prioritizing their importance.

Taking these recommendations into account will help you better prepare and execute an IT GRC implementation to improve cyber risk management. If you would like to know more, please contact me. Many colleagues at CGI in our global operations have proven experience in advising clients in this area, including Kunle Anjorin and Colin Selfridge from our UK team, who have contributed to this blog.

¹Allianz Risk Barometer