Securing the Digital World

7 Steps to a GRC Risk Management Framework – 6: Enterprise Risks & Controls

Sep 04, 2017 | by Marshall Toburen |

With this post, we’re closing in on the end of our series on the seven steps to build a GRC framework for information risk management. I hope you’ve found these comments on dealing with risk in a business context helpful as you consider how to approach risk management in your organization. I also hope you’ve had a chance to look at the complete guide to the methodology (or at the executive summary or eBook) and that the practical information shared there will help you build a solid GRC-based framework for managing information risk. In this post, we’ll talk about the importance of documenting enterprise-wide processes, risks and controls as part of your efforts.

Enterprise-wide documentation is a vital step because if you want to exert control over activities that create risk—such as unauthorized persons accessing information categorized as important and at risk—you have to be able to identify those activities. And documenting information-related business processes is how you do that.

Consider, too, that not all activities that affect an organization’s risk profile are necessarily IT-related. Think about activities such as hiring employees, engaging third parties, educating employees on security best practices, and handling physical, as well as digital, information. To provide for effective enterprise-wide information security, you have to address areas like these through policies and procedures, ongoing education, and programs for vetting new employees and contractors, as well as for assessing and managing third party-related information risk.

Keep in mind that as you build this framework, you’re examining the business processes and outcomes that can introduce risk to the organization. The framework, based on the principles and practices of governance, risk and compliance, allows you to see risk in a business context and provides you with a practical construct for managing it effectively.

You can learn more about how a GRC framework for managing information risk can help you align security and business priorities in an exclusive RSA webinar on the seven steps to build a GRC framework for information risk management.