Interview: Is Integrated Risk Management the New GRC?

As the scope of risk and compliance continues to grow, organizations have created more data silos than ever before. In the face of this expanding, disparate information, traditional approaches to governance, risk and compliance (GRC) are evolving into integrated risk management. In this interview with Tom Field of ISMG, Rsam's CEO, Vivek Shivananda, describes this evolution, what integrated risk management means to organizations, why business context matters, and the critical success factors for an exceptional integrated risk management approach.

By Katrina Sarabia

So, integrated risk management–is this the new GRC?

Vivek: That’s a great question. A lot of people ask me, “Is this the new GRC? Is this a new paradigm?” For us, not really. I’ll talk about why it is and why it isn’t.

From a GRC perspective, for us it’s more of the same. We have been doing this for 15 years and we have been helping customers with an integrated risk management framework. Now the reason why there’s been a lot of hype about integrated risk management software versus GRC is that traditionally GRC has had a bad rap because it takes too long for certain vendors to implement GRC. The second reason is that GRC, even though the original intent was to be integrated, was all implemented in silos as organizations started embracing it. The benefit of overall GRC, the notion of integrated risk management or enterprise risk management, was never really realized. What I think the analysts and the market are really trying to do is think about it more from a product marketing and positioning perspective and say, “I think that GRC is dead. Let’s come up with a new thing called integrated risk management.”

I think there’s more to it than the perspective that it needs to be more integrated. I think in that way it is a new paradigm, but it’s not any new technology. It’s the same integrated risk solutions vendors, including Rsam, who have been doing GRC to help organizations with their integrated risk management. Beyond the technology, it is also about the organizations and how they are organized and able to embrace a GRC platform, or integrated risk management platform, to really start to work together to make it happen: a tool by itself doesn’t really make organizations talk to each other. You need to have a relationship, whether it’s information security with audit, or business continuity or corporate compliance. If you don’t have relationships, the tool by itself doesn’t solve the problem. I think the industry has come a long way in recognizing that we need to work together to manage risk. I think that notion, that GRC is evolving into an integrated risk management program, is our viewpoint, but it’s not anything dramatically new.

How do organizations that have invested in traditional GRC also evolve into this notion of integrated risk management?

Vivek: Before I answer that question—one thing to realize is where organizations have been in terms of investing in security or GRC. A lot of money has been spent in different types of tools, technologies, and security to try to keep the bad guys out: reduce the number of vulnerabilities, make sure we have the best firewalls, IDS, and so on and so forth.

Organizations have realized that even after spending all that money, they’re not any more secure; I think the attackers are a lot more sophisticated than they have ever been. They have the same, if not better, tools than the organizations. What the organizations realize is that they need to do a better job managing that risk rather than putting more money into tools. This is another reason and motivation for integrated risk management.

Going back to answering your question: we have organizations spending time and money doing application assessments — vendor risk management software is a big item now. We have all this information from corporate compliance, security ops chasing incidents, and all the vulnerabilities we know we have, but there is no integrated view that answers questions such as:

  • “How do I manage all this?”
  • “How do I add business context to this?”
  • “I do not have time to fix 1 million vulnerabilities, but if I have time to fix 10, which ones?”

For these questions, you need a much more integrated risk management view that you can add business context to. That’s really what security risk solutions organizations have been trying to do, and companies like us provide the platform to organize all this information and then orchestrate it in a way that really makes the best use of the resources.

How is Rsam helping organizations make this transition into integrated risk management?

Vivek: First and foremost, one of the critical success factors for a good integrated risk solution is to have a really solid reference architecture that connects all the dots. GRC and integrated risk management are more about big relationships — to a certain extent big data — but it’s more about big relationships: how you tie a risk to a control, to a policy, to an incident. It’s pretty complicated, but we do that heavy lifting so the customers don’t have to.