The expert's guide to Distributed GRC
Introducing the Expert's Guide to Distributed GRC
This expert guide explores the challenges of managing risk and compliance in distributed organizations. We also delve into insights provided by renowned GRC analyst Michael Rasmussen on the 6clicks Hub & Spoke model, which offers a solution for distributed GRC. Additionally, we examine the concept and characteristics of distributed GRC, emphasizing the importance of effective management in a distributed environment.
The challenges of distributed organizations
Organizations often grapple with the complexities of managing risk and ensuring compliance across different departments, hindering their ability to obtain a holistic view of their overall risk landscape. The ever-evolving nature of risk and compliance poses significant challenges for organizations at every level, from the board to management and specialized risk and IT professionals. Within an organization, various units and departments have distinct needs and compliance standards that they must adhere to, along with exposure to different third-party risks.
Consequently, disparate approaches and systems emerge organically throughout the organization to track and monitor compliance activities. This fragmentation makes it exceedingly difficult for organizations to understand their overall risk posture comprehensively. As a result, there is a constant risk of either overestimating or, conversely, underestimating risks due to the absence of standardization and aggregation when reporting on these risks.
As organizations expand, transactions, data, processes, relationships, and assets multiply, making it increasingly challenging to impose a unified process for analyzing and reporting on various aspects of the business. Even if an organization appoints a chief compliance officer, a decentralized approach to compliance often prevails. This leads to what GRC expert Michael Rasmussen has termed "scattered silos of compliance," where departments operate in isolation, with limited collaboration and resource sharing, ultimately failing to grasp the broader picture.
This fragmented view of risk can distort an organization's understanding of its true risk status, impede the maintenance of accurate risk information, and hinder effective responses to regulatory changes or emerging risks.
The challenges in GRC processes are compounded when outdated, spreadsheet-based, or paper-based methods are employed. These antiquated approaches are not easily shareable or actionable, often reducing spreadsheets to mere documentation rather than effective compliance monitoring and management tools.
Conversely, some organizations adopt a centralized, one-size-fits-all approach to compliance. While this approach may offer cost-effectiveness, it presents difficulties for organizations with multiple departments that have distinct compliance requirements. Such an approach can create the perception among departments and individuals that compliance is solely a reporting exercise, diminishing their sense of ownership and leading to reduced visibility and control. Furthermore, this approach fails to consider the unique needs of individual department functions.
Insights From an Analyst
Michael Rasmussen, world-renowned GRC analyst and owner of GRC 20/20, published a solution briefing on the 6clicks Hub & Spoke model, which is designed to support organizations running distributed GRC, where he outlined the problems distributed organizations face today:
The world of business is distributed, dynamic, and disrupted. It is distributed and interconnected across a web of business relationships with stakeholders, clients, and third parties. It is dynamic as the business changes day by day. Processes change, employees change, relationships change, regulations and risks change, and objectives change. The ecosystem of business objectives, uncertainty/risk, and integrity is complex, and interconnected, and requires a holistic, contextual awareness of GRC – rather than a dissociated collection of processes and departments. Change in one area has cascading effects that impact the entire ecosystem.
The interconnectedness of risks and compliance requires 360° contextual awareness of integrated governance, risk management, and compliance (GRC) within a business and across businesses. Some organizations have an operating model that allows subsidiaries and divisions autonomy but still needs centralized consistency and reporting. Professional service firms also engage diverse organizations in a consistent framework and methodology and look to do benchmarking across clients. Across these various businesses, organizations need to see the intricate relationships of objectives, risks, obligations, commitments, and controls. It requires holistic visibility and intelligence of risk in the context of objectives. The complexity of business – combined with the intricacy and interconnectedness of risk and objectives – necessitates that the organization implements an integrated GRC management strategy, process, and architecture that can allow distributed and diversified businesses to work autonomously but provide some consistency in management and reporting.
In the end, organizations need to reliably achieve objectives, manage uncertainty, and act with integrity. This requires a 360° view of governance, risk management, and compliance within the organization and its relationships supported by an integrated information and technology architecture. Many organizations also require some level of autonomy within distributed businesses and operations while still providing centralized governance and reporting. This is also a need within professional service firms that manage a portfolio of clients in a GRC context. Organizations facing these challenges should look for technology that enables distributed and autonomous businesses to manage GRC in their context while still providing centralized governance, reporting, and benchmarking.
Read the full perspective of Michael Rasmussen of the 6clicks Hub & Spoke model in this solution briefing.
What is distributed GRC?
Distributed GRC describes organizations managing a risk and compliance function that oversees distributed teams, departments, or businesses, regardless of industry. Typically these organizations need to enforce best practices, optimize and automate risk and compliance, and require rolled-up reporting and analytics across their entities.
Common examples of distributed GRC are:
- Organizations that are managing GRC programs across:
- Organizational divisions or subsidiaries
- Geographical regions and/or jurisdictions
- Portfolio companies and related, managing the due diligence of acquisition targets
- Healthcare networks
- University systems
- Local, state, or federal government departments
- Distributed entities
- Product lines
- GRC service delivery to clients through consultants, advisors, systems integrators, or managed service providers (MSPs)
- Managing risk registers across multiple product lines, business units, or teams
- Managing an enterprise risk management program
- Managing organizational entities whose risk and compliance needs are widely varied
- Managing compliance regulations or certifications across multiple product lines, business units, or teams.
- Reporting on GRC programs across hierarchical organizational structures
- Managing sensitive projects and authorized personnel access across GRC programs
These examples demonstrate the wide range of scenarios where organizations face the challenge of effectively managing risk and compliance in distributed environments.
The characteristics of effective distributed GRC
Effectively implemented distributed GRC exhibits several typical characteristics that contribute to the efficient management of governance, risk, and compliance programs across multiple entities. These characteristics include:
- Clear Segregation between Entities: Distributed GRC enables the clear separation and management of GRC programs across various entities within an organization. These entities can encompass subsidiaries, departments, regions, franchises, private equity portfolio companies, service clients, healthcare networks, university systems, state municipalities, and more. The segregation allows each entity to operate autonomously while still being part of a larger GRC framework.
- Centralized Management Capabilities: The central GRC team within the distributed GRC structure possesses management capabilities that promote standardization and oversight. Personnel in the central GRC team can create predefined assessment templates, policies, risks, projects, and incident response playbooks, ensuring a consistent approach to GRC across entities. They can also support individual entities by providing guidance and support.
- Autonomous GRC Programs: Each entity within the distributed GRC structure can largely operate autonomously, enabling them to adopt GRC functionalities at their own pace. This flexibility ensures that entities can implement GRC measures aligning with their requirements and maturity levels.
- Individual Data Management: Distributed GRC allows managing data at the individual entity level. This is especially important for sensitive, private or critical data. Organizations can manage data individually, maintain granular control over GRC activities and ensure data security and privacy.
- Content Management: Distributed GRC facilitates content management across a distributed business model. Organizations can customize and tailor the GRC content within their instances while also accessing standardized content provided by the central governing body. This allows entities to leverage predefined content (and language) as well as develop and manage their own custom content based on their unique needs.
- Cross-functional Data Visibility and Reporting: Distributed GRC consolidates data from multiple entities, providing a single-pane-of-glass view of the entire GRC landscape. This allows organizations to curate a holistic perspective on governance, risk, and compliance, irrespective of the number of separate entities managed. Templated reporting further enhances this visibility, ensuring real-time and comprehensive risk reporting across all entities. Effectively implemented distributed GRC reduces audit fatigue and streamlines reporting processes by enforcing standardized data collection and reporting.
The above characteristics empower entities to manage their GRC programs effectively while benefiting from centralized oversight, standardized approaches, improved reporting, and enhanced scalability.
How 6clicks helps with distributed GRC
The 6clicks Hub & Spoke architecture for centralized GRC practices was built for organizations running a distributed risk and compliance function across multiple teams or businesses. The 6clicks Hub & Spoke model provides customers with a flexible way to run GRC programs across multi-entity organizations and use cases. It allows organizations to centralize their risk and compliance functions while empowering and providing teams with the autonomy they need to succeed. Think of it as multi-tenancy for the Enterprise or managed clients.
Hub & Spoke is the perfect solution for large businesses, multinationals, franchises, private equity firms, government agencies, and MSPs requiring a centralized risk and compliance function that spans multiple teams, departments, or businesses. With the Hub & Spoke model, organizations can quickly and easily define the hierarchical structure that works best for them, which includes parent-child relationships between entities.
The Hub makes it possible to define risk and compliance best-practice and content centrally, which is 'pushed down' to Spokes (teams, departments, or businesses) that utilize the full suite of 6clicks GRC modules for day-to-day activities. Consolidated reporting and analytics are rolled up at the Hub level, giving the organization comprehensive, aggregated reporting and insights across all Spokes.
Designed to grow with you, 6clicks Hub & Spoke provides both flexibility and control for organizations managing multiple autonomous entities.
Examples of Distributed GRC With 6clicks
Holding company with many subsidiaries
A holding company may own and operate hundreds of offices or subsidiaries across many countries or jurisdictions. This is especially true for organizations that grow through acquisition. For this use case, the 6clicks Hub & Spoke model enables such firms to manage each subsidiary, categorized in its respective region, autonomously and in a highly scalable manner (i.e. the ability to handle the growth of multiple subsidiaries per year).
In the below architecture example, the Parent company is the Hub. For example, subsidiaries A, B, and X are grouped Spokes under the US Region, while subsidiaries C, D, and Y are grouped Spokes under the APAC region, and so on. The parent company can then publish down corporate policies, for example, to each subsidiary group to ensure adherence while empowering the subsidiaries to operate their GRC programs separately from one another and mature at their own pace otherwise. In this grouping model, the Parent company can also publish US-specific policies, for example, to all subsidiaries in the US region.
Healthcare organization managing multiple hospitals
With Hub & Spoke, a healthcare provider with multiple entities or divisions, in various locations or all in one, can allocate a 'Super Administrator' with full view and access management. Essentially, each entity or division becomes a categorized 'Spoke' within the top view portfolio.
In this example, the Healthcare Headquarters operates as the Hub and categorized its spokes by General Care, Emergency/Urgent Care, and Specialist Care, with different locations and units within each operating as Spoke. Hospitals A, B, and X are in the General Care group, for example. This empowers each location to manage its assets, risks, and HIPAA compliance, for example, separately from one another while maintaining visibility at headquarters.
Technology provider managing multiple ISO 27001 certifications across product lines
The 6clicks Hub & Spoke model is key to allowing various business units to capture and manage their respective risk and compliance requirements and still meet the organizational compliance requirements. As well as reduce the number of tools and techniques used to document and manage each ISMS. In Hub & Spoke, 6clicks allows business units to autonomously maintain their specific business needs while allowing the organization to enforce compliance requirements from a global perspective and gives the birds-eye view of each business line’s compliance levels.
In the depiction below, the Corporate Org is the Hub managing multiple products, each with its own ISO 27001 certification and ISMS needs. Product 1, Product 2, and Product 3 through Product X are individual Spokes in this architecture and the Corporate Org has not employed any Spoke grouping. In this example, the Corporate Org at the Hub level has visibility into the required corporate risks and overall compliance levels while leaving the management of each ISMS to the respective product line resources and teams.
Manage service provider delivering across multiple clients and service lines
In this example, the MSP offers three service lines: ISO 27001 readiness, Vendor Management as a Service, and vCISO services. The MSP can share its content with one or more clients based on what services have been contracted. The partner can create their proprietary vendor assessment template, for example, at the Hub level and share it with all the clients who contract Vendor Management aaS through the partner.
In this model, each client operates in their own Spoke with the partner delivering the contracted services. The Managed Service Provider is the Hub-level account. Client A, B, and X have all contracted ISO 27001 readiness services and thus have been categorized into the ISO 27001 Readiness Spoke group. Clients can also be grouped into one or more service lines based on their agreement with the partner. For example, while clients A and B have been grouped into ISO 27001 Readiness, they have also purchased vCISO services through the MSP. Therefore, you’ll see they are categorized under the “vCISO Services” Spoke group in the architecture example below.
The above represents just a sample of use cases where 6clicks can help organizations successfully run a distributed GRC model. If you'd like to learn more then head here to chat with our team.