The complete guide to defining roles and responsibilities in an integrated GRC management system: how to align expectations and gain organisation-wide insight
One of the main reasons why many organisations struggle with demonstrating the progress and value that comes from compliance management systems is because, right from the beginning, they fail to identify, define and align expectations regarding the overall roles and responsibilities relating to the compliance management system.
This difficulty often has a significant impact when it comes to aligning expectations regarding the involvement of the entire organisation and the amount of insight and value that is expected to be gained from the yearly GRC activities.
As a compliance officer or information security officer, your success is highly dependent on support from the whole organisation (including business managers from HR, Sales, Finance, Marketing, Customer Success, etc.) and the initial approval of your definitions of the roles and responsibilities.
This article will discuss the importance and long-lasting benefits of clearly defining and approving roles and responsibilities in an integrated GRC management system, and provide a detailed template suggesting how they can be attributed and the elements that need to be considered in this process.
Why do organisations fail to define all relevant roles and responsibilities in the GRC management system?
There is often a tendency to skip the formal definitions and there are several different reasons for this, which we will explore below:
Firstly, to define the relevant roles and responsibilities accurately, you need to have a full overview of the tasks that lie ahead – not only in the design phase, but also in the implementation phase and when the compliance program must be continuously checked for its effectiveness. Many companies do not have many successful compliance projects under their belt to refer to and lack understanding of what will be needed.
Secondly, in many places, defining the relevant roles and responsibilities requires challenging some traditional ideas of what compliance is, and what it takes to succeed. In the Board of Directors’ room, it needs to be acknowledged that being compliant impacts the entire organisation – from Finance, to Sales, HR, Marketing etc. And it takes more than just hiring a compliance officer with the right education and skillsets in GDPR and ISO 27001 – it takes skills in communicating the strategy and the ability to align and involve many people in the organisation, even when their main interest is not compliance.
Mapping out the roles and responsibilities also requires you to challenge the company’s overall compliance aim and attitude. How does this link to the must-win strategic battles that are set at the highest level of the organisation? What are the consequences of not involving the organisation? What insight can you provide to the CFO or the CEO if you can relate your compliance requirements to your core business processes?
As an independent, umbrella function, GRC can transcend IT, operations, corporate, internal audit, finance, sales and so on, allowing you to put common policies in place that span your organisation. With a solid GRC strategy, your organisational, strategic and business planning becomes better informed – not only reducing your vulnerability to risk, but also ensuring you’re better prepared to take full advantage of opportunities for growth.
If you succeed in selling the idea that compliance can be a necessary means for reaching strategic goals to the Board of Directors, then there will be numerous benefits. For example, if you can focus on the brand impact of ‘Being known as a company that takes good care of their customers’ data’, then you can set similarly bold demands, including that all business operation areas (HR, Sales, Marketing, etc.) become persistent players in gaining control of the company’s overview of dataflows and risks – whether they’re about GDPR, CCPA, or other IT security standards.
If you’re finding it difficult to convince the executive team of the company-wide importance and business alignment benefits that come from an effective compliance strategy, take a look at our blog post on how to secure your compliance budget and buy-in from the executive team.
When these difficulties have been counteracted, the actual work of defining roles and responsibilities in the system can begin. It can seem like a complex task where there is minimal previous compliance strategy in the organisation, so we’ve laid out an example of who could be defined for roles and how to ensure you’re selecting the correct people and ensuring maximum value.
How to define relevant stakeholders in your compliance management system
Depending on the size and the complexity of the company, the roles and responsibilities can of course vary. The examples below show how responsibilities could be mapped out. They are not necessarily the exact solution to suit every organisation, but the reasoning can help you understand how to select the correct people for yours.
The examples of responsibilities are all related to ongoing tasks, and should be maintained yearly as a minimum. As many of these stakeholders are new to the world of compliance, planning and designing a good structure for governance is even more important, because it will increase understanding and set the organisation up for future success.
The central role: The Board of Directors
The Board of Directors are the key players in any compliance setup, as they are responsible for setting the company strategy – including risk management.
The typical setup: Chief Financial Officer managing responsibility
In many companies the responsibility of Governance Risk & Compliance is placed with the CFO, who is expected to deliver reliable and timely information about operational risks to the Board of Directors from GRC management and Finance.
The placement of GRC responsibility in Finance is often dependent on the reasons behind the investment in GRC, so it is often seen when GRC is implemented for compliance and audit reasons only, rather than as a source of business value. The risk of placing the GRC responsibility with the CFO is that they may have too much of a silo-based view on risk, where it is viewed only as a cost-reducing activity.
The incentive to implement an intelligent and powerful GRC platform on which to build strategic business insight and value may not be a persuasive argument for the CFO, if the benefits of the investment are spread across the organisation rather than directly related to Finance alone.
An ideal first line of defence
A more appropriate approach to defining roles and responsibilities which also provides a solution to the silo-based approach is to adapt the “Three lines of defence” strategy that is already implemented in many of the more “mature” companies – especially those from the Financial sector – who have more years of experience when it comes to figuring out how to implement regulations and frameworks.
By this framework, the first line of defence includes the following:
Operational managers across the business: Process owners
The first line of defence involves operational managers across the business who take ownership and accountability for assessing, controlling and mitigating risks in their areas. This accountability involves:
- Formally describing overall business processes and their formal purpose to the organisation.
- Identifying underlying processing activities and their owners.
- Identifying relevant risk scenarios.
- Assessing potential inherent and residual impacts and probabilities of risk scenarios.
- Implementing relevant controls in their area to mitigate the risks.
- Identifying contracts and data processor agreements signed with vendors related to the process and underlying activities.
Representatives in all relevant business areas: Activity owners
Aside from the operational managers, it is equally important to involve the owners of the activities that operate in the business to gain insight into the core of the business.
During the past three years, the activity owners across enterprise organisations have already experienced an increasing interest from risk & compliance departments, related to what information they process, how and why. This is mainly due to the implementation of GDPR article 30 that requires companies to document their processing activities in detail.
With a silo-based approach, many of those responsible for GDPR document and maintain this list of activities year after year, without utilising the information for other risk areas such as finance, security, environment, health, safety, M&A, etc.
For many organisations, a large amount of the resources spent on the compliance management system could be saved by planning exactly what to ask the activity owners and how to utilise this information across multiple regulation areas and security frameworks.
Employees should only be asked the same question once, and an integrated GRC management system must then be planned to maximise the business value to be gained from knowing so much about each business operation area.
The main responsibilities of the activity owners are:
- Formally describing the activity.
- Identifying which categories of information are processed as part of the activity.
- Identifying which external sources provide information as part of the activity.
- Identifying systems where information is processed and stored.
- Identifying which third parties (data processors or independent data controllers) are receiving information as part of the activity.
- Performing tasks that implement specific security measures or controls to minimize risks.
Contract managers: Contract & Third-party owners
Many parts of an organisation’s business operations are usually outsourced or dependent on an external party, in some way or another. Therefore, a large part of the compliance system involves the contract manager.
Again, a lot of value and time is to be gained by delegating the roles and responsibilities for third parties and contracts, thereby utilising one common overview of the third parties and underlying contracts the organisation depends on.
The main responsibilities of third-party owners (or contract managers) in the compliance management system include:
- Keeping a thorough record of which contracts should be in place for each vendor, and the status of each contract.
- Documenting any sub data-processors and their access to sensitive and personal information.
- Documenting the geographical location of each third-party (and documenting third country transfers).
- Assessing third-party impacts – based on input from business operations regarding information processed and transferred to each third party.
- Identifying relevant contract measures per contract.
- Performing audits to ensure adequate implementation of organisational and technical measures at each third party.
IT: System owners
System owners in IT have traditionally been quite isolated in the information security management system. While it is still relevant to assess the risk of loss of confidentiality, integrity and availability from a system point of view, many system owners lack the link from process risks to IT systems, which would help them identify, prioritise and implement adequate security measures in the organisation. Integrating business insight into the risk management approach, as described above, will increase the likelihood of better and more strategic decisions in IT.
The main responsibilities for system owners in the compliance management system include:
- Assessing IT inherent risks in relation to the mapped-out use of each system by business operations.
- Identifying which security measures and controls are defined, and the implementation status of each system.
- Contributing to defining policies and procedures for specific technical security measures.
- Performing tasks that implement specific security measures and controls to minimize threats, vulnerabilities and risks in each system.
An ideal second line of defence
The second line of defence is provided by the specialist control departments of compliance, risk management and quality control. This line of defence monitors and facilitates the implementation of effective risk management practices by operational management and assists the risk owners in reporting risk-related information throughout the organisation.
It could make sense for the second line of defence in your organisation to consist of a committee including resources such as the information security officer (CISO), risk management officer, compliance officer, data protection officer (DPO), CFO, etc.
CISO (Information Security Officer), internal or external
The main responsibilities of the CISO in the compliance management system include:
- Defining the company’s Information Security Policy, including overall goals, KPIs, business risk profile, risk tolerance, budget, roles and responsibilities.
- Designing annual risk assessments at process level and/or system level.
- Performing annual threat and vulnerability assessments.
- Defining information security policies and procedures for security controls and security measures for implementation in processes and systems.
- Validating and evaluating the effectiveness of planned and implemented organizational and technical controls.
DPO, internal or external Legal Counsel
These are the main responsibilities for the DPO or Legal Counsel in the compliance management system:
- Defining the overall privacy / GDPR policy and strategy, including objectives, privacy risks, risk profile and risk tolerance.
- Monitoring and ensuring quality in the yearly data flow analysis.
- Designing privacy policies, deletion policies and organisational measures to minimize identified risks.
- Implementing processes to ensure adequate legal basis.
- Designing annual privacy impact assessments.
- Designing transfer impact assessments.
- Monitoring and ensuring quality in the implementation of organisational measures across business operation areas.
- Aligning implementation projects with CISO, CFO, CSR-officers, contract managers, etc.
Third line of defence
Internal audit makes up the organisation’s third and final line of defence – working as an independent internal audit function that provides assurance to the organisation’s board of directors and senior management on all risk and compliance related matters.
This article has offered an example of how roles and responsibilities could be defined, and with the knowledge of what each one should relate to, it should provide the grounding for taking the first steps to define these in your organisation – whatever your setup or specific needs.
With a more integrated risk management approach in play, it could be said that GRC need not ‘report’ into anyone at all, and with a structured approach combined across the organisation, the strategy is far more likely to succeed and provide insights and benefits across the entire organisation.
If you’re interested in finding out more about how to optimise roles and responsibilities in your GRC management system, please do not hesitate to get in touch and one of our specialists will be happy to help you.