As regulations increase and new technology converges, the governance, risk and compliance (GRC) function is quickly becoming more vital to the health, finances and security of enterprises today. Nonetheless, GRC needs support to do its job well, and that requires support from the top down, which hasn't always been easy to obtain.
Board members need to understand the value of GRC today, especially amid rising AI adoption, which exposes a company to new risks faster than ever. In other words, you have to get the board on board.
Increasing regulations and new tech
Organizations today face all kinds of regulations that they have to comply with. A major development in the U.S. has been new rules from the Securities and Exchange Commission (SEC) that require publicly traded companies to disclose a material cybersecurity incident within four business days or risk fines.
We're already seeing the SEC crack down. For instance, in May 2024, the Intercontinental Exchange, parent company of the NYSE, was fined for failing to disclose a cyber intrusion within the required timeframe.
We're also seeing new and emerging attempts to regulate AI use. In the EU, for instance, the AI Act was enacted in May. Late last year in the U.S., the Biden Administration released an Executive Order. The order initiates what the Congressional Research Service called "a government-wide effort to guide responsible artificial intelligence (AI) development and deployment through federal agency leadership, regulation of industry, and engagement with international partners."
And of course, these are only the most recent large government actions. An organization's industry and location determine all manner of mandates and regulations that must be complied with, from GDPR, PCI and DORA to HIPAA and countless others.
While AI regulations are still new, the EU's rules are likely to serve as a framework for other countries. And in the U.S., individual states have already begun developing new laws. As companies rush to adopt AI into their information technology footprint, it's vital to understand not only the current regulations but also those in the pipeline.
The role of GRC and winning hearts and minds
The GRC function performs the due diligence to help ensure businesses are meeting all the various regulations and compliance mandates to which they're subject. From driving policies and standards to overseeing the risk register to inform decisions, GRC is the gatekeeper of compliance requirements.
Compliance is far from being seen as exciting and glamorous. Corporate leaders often perceive it as a nuisance; they see it as getting in the way of business, but the reality today is that it's critically important to the business. In fact, it can even become a business enabler.
For this to happen, though, GRC needs board-level support to do its job well, and that can be easier said than done. One challenge, especially when it comes to cybersecurity and AI regulations, is that not all boards are savvy about technology and security. While awareness is growing, a report from September 2023 found that just 12% of S&P 500 companies had a board director with relevant cyber credentials. Getting the right information from the right places is another ongoing challenge.
Getting the board to care
One key factor is supporting the CISO and their peers who interact with the board, to help bridge the gap between the GRC function and the board and to help the latter understand the former's importance and value. Education is key. The board needs to understand its role and what's expected of directors when there is, for instance, a breach that requires disclosure.
Companies are becoming more sophisticated in how they collect and report on compliance metrics, which is a great step forward. But there's a lot of information that needs to be prioritized. Information must be presented in a way that is simple, relevant and comprehensive without being overwhelming.
The board must ask questions to ensure they understand the risks the organization needs to focus on and the actual impact on the business if an incident occurs. It comes down to giving them the information they need to understand risk in an accessible way, with a holistic view. GRC leads can help provide that risk quantification.
Five best practices for getting the board on board with GRC
Use these best practices to help board members work most effectively with the GRC team:
- Inform board members about the risk framework in use, such as NIST CSF 2.0 or ISO 27001, to showcase structure and credibility. Communicate relevant compliance requirements and their implications in a way that's meaningful to the business.
- Educate board members on the organization's use of AI, including how and where it's using AI across the business and the impact of that use on compliance requirements and monitoring.
- Engage with external experts to conduct independent assessments of the company's risk profile and provide recommendations.
- Support preparedness based on the standards used, through risk assessment and ongoing monitoring, which helps to refine response capabilities.
GRC, security and AI
Successful cyber GRC functions provide consistent data and metrics across all organizational layers, ensuring everyone from operational staff to the board is working with the same information. In other words, GRC can support both strategic oversight and operational management from the same information. This approach provides transparency and adaptability to new regulations and threats.
GRC has always been vital, but now AI has entered the regulatory picture. It's changing the threat landscape, the operating model, the products and the services. Boards must become savvier about cybersecurity and AI, especially the specifics of how the company is using AI. Using the best practices discussed above, GRC leads have the opportunity to build the board's knowledge of these topics in ways that can have lasting positive impacts on an organization's security and compliance posture.