Securing the Digital World

Big C or little c – The C in GRC, Quantifying Risk Compliance

Sep 29, 2020 | by Chris Patteson |
Man looking at monitor with RSA Archer GRC tool on screen

When talking about the "C" in GRC there is a big C and a little c. The big C is your compliance program, the little "c" is just another risk. How do you quantify the risk of being non-compliant? The stakes can be pretty high.

To kick off the conversation, I wanted to start with establishing some groundwork. I am a big supporter of the "IRM" movement of giving organizations a singular view of risks as they relate to their business practices. It is the only practical approach as Cyber, Regulatory, Compliance, and 3rd Party risks continue to become further entangled in value delivery chains. However, I disagree that Governance Risk and Compliance is dead. It remains core to supporting IRM programs and is a subset of that larger goal. Why?

R - All of these Risks still need to be collected, rationalized, measured and evaluated somewhere?

C - Risks that do not fall into the "accept" or "avoid" categories are often mitigated by a set of controls that need to be tested for Compliance on some periodic basis.

G - The policies, practices and standards surrounding all of this work falls under a common governance program.

Now RCG as an acronym does not roll of the tongue easily, and there have been recent debates on David Spark's Defense in Depth series of which comes first Risk or Compliance. So, you could go with CRG. Others will say you need the Governance in place to get the whole thing off the ground. The proverbial 3-legged stool. Regardless, I do not think you can have an IRM program without a Governance Program that Manages Risks and tests/validates for Control Compliance.

So it is that last one, "Compliance" that also gets very, very confused. I have always said there is "big C" . . . your overall compliance program over controls that are in place to mitigate all kinds of risk in your Integrated Risk Management program. Then there is "little c", why little c? The risk of Non-compliance to a regulation. It is just another risk along with all the other risks out there. It needs to be accounted for and quantified.

Story time...

Prior to COVID one of the favorite parts of my job was traveling around to work with customers on taking their programs to the next level; to this concept of IRM. I hope that I can get back out and do this again very soon. What is fascinating is that no matter the industry vertical, no matter the region of the globe the struggles with quantifying risk are often very similar. On one of my trips to Singapore, I was working with a number of customers and we were discussing the risk of compliance with the Personal Data Protection Act with an executive and a number of team members. They had a very mature risk program, a well-defined risk register, the kind of discipline I had learned to expect out of a Singaporean business entity (If you have ever been to Singapore you understand what I am talking about).

With an increase in breaches globally there was a bit of a regulatory crack down underway and this team was working to quantify the little c risk. This is where the conversation centered, as some of you may have heard this in my talks...

"We have identified many risks in our risk register around this regulation, we are working to quantify this to build a business case to improve our controls"

"Interesting, I only see one risk"

"How do you get to that conclusion"

"What is the probability that the regulator shows up? And What will the impact of the fine be?"

"Then what have we captured in the register?"

Without even having to look at the register I suggested

"You likely and correctly identified parts of the business where the risk may be higher, failures of certain controls, and other 'elements' that will help define the risk I suggested"

So here this the FAIR-ly well know challenge for examining a risk (FAIR practitioners already know where I am headed).

If you can't assign a dollar range and a "most likely" value; along with a probability (e.g., "once a day", "once a decade") you are likely not looking at a risk. It is something else! It is not that time and effort collecting that from the 1st line of defense is wasted; it is actually quite valuable! My favorite term for these "non-risks" is "Risk Telemetry" they are bits and pieces of intel informing your understanding of the actual risk. What is the probability the regulator is going to show up, and what is the fine going to be for any non-compliance ("little c").

There are two fairly simple ranges that can be estimated and modeled to evaluate against all of your other risks.

Start with the easy one. How big will the fine be. There is usually plenty of press out there around the size of such fines, they are public cases, widely discussed. You have the telemetry that shows your risk posture and you should be able to estimate a good range of what that would be? Think about secondary losses / costs for legal and or public relations work if the finding were to be significant.

The second part of the very common risk equation is a bit more complicated, but can it be estimated. Is the likelihood of this happening monthly, annually, once in 5 years, once a decade? To get to this you should consider your industry space, how aggressive are the regulators? Is there a normal cycle or only if there is a significant event? Is there active whistleblowing going on in the industry? How is company morale?

These estimates can be loaded into the top level of The Open Group - Open FAIR™ Risk Analysis Tool  ( and simulated to get loss exceedance curves. The tool will also allow you to simulate residual risk as you estimate the impact that closing compliance gaps would support. The tool allows you to adjust the number of Monte Carlo simulations to run based on the data and is very easy to use to get a "first estimate"

An additional option requiring some additional estimations is FAIRU's tool. It is also free and part of the offering at To get loss exceedance curves out of this tool you will have to give additional consideration to secondary losses as well as your overall risk/control posture from a "resistance" perspective. That said this tool is a bit more self-guided, but will require a bit more knowledge of using FAIR for Risk Quantification.

So wrapping this up:

1. When talking with team members about "compliance" be sure to clarify if you are talking about the "risk" of being non-compliant and being fined (little "c" – just another form of risk), or the performance of your compliance "program" which evaluates all of your controls and countermeasures (big "C" – the C in GRC, your program!).

2. We quickly walked through how to look at compliance risk, little c, and quantify its impact to the organization using some basic estimations and freely available tools.

Archer focuses on addressing both big C and little c, offering the tools to manage compliance across your organization while at the same time providing multiple risk quantification methods enabling organizations to evaluate where compliance risk falls within your overall risk universe. You may be surprised when you start to quantify your risk in real dollars.

This gets into another topic on why GRC is still VERY important, the need to protect information around risk posture is often quite confidential and should likely be stored in its own platform.