
Right Sizing Your GRC Program

Dr. Heather Buker Sep 28, 2021

Because of all the changes we are living through - the velocity of regulatory change, a global pandemic, and no end in sight to cyber events - there is a heightened awareness of the need for GRC.

Organizations are beginning to realize that it’s no longer sufficient to have a few policies on a napkin and maybe a risk register in a spreadsheet. This realization has led to more and more companies maturing and building out comprehensive GRC programs.

While we loooove to see it, it’s important to ensure your GRC program is aligned with both your short and long-term goals.

Hence, right-sizing.


How Do Organizations Right Size?

Organizations can tackle right sizing in several ways, some of which include:

  • Be Selective - No, you can’t ignore your regulatory obligations and firm requirements. BUT you can choose which framework you overlay for best practices to build upon. Be selective. Start with a derivative of an industry best practice, ISO 27001 for example, and go from there. Start with a subset, make it successful, then add to it when your program is ready to continue maturing.

  • Intertwine Data - Create linkages to inform your data. Cross reference your policies to each other for efficiency. A lot of the policies tucked away on your share drive have overlapping requirements to each other and to the regulations you must comply with. Why not link all like policy statements and controls together to make reviewing and updating easier? A solution like 6clicks can help you with those cross references and linkages.

  • Continuously Review and Improve - Annual reviews locked in? Fantastic. Now start reviewing every quarter, then every month, then any time your compliance requirements change. The more your organization prioritizes small, iterative review cycles, the less cumbersome changes will be and the quicker you’ll be ready to mature to the next size.


Where Are the Struggles?

Even an immature company likely has work that has already started, but that work is often overlooked. As such, it’s important that a practitioner takes a comprehensive assessment of their organization prior to laying the foundation of the program.

Make it a point to understand what data and controls are already being managed and identify gaps. This can be completed in doses using the selective framework and control set approach previously outlined.

Also, don’t bite off more than you can chew. Rome wasn’t built in a day.

A phased approach to right-sizing is more manageable and affords greater success.


What If You’re Wearing the Wrong Size?

Organizations whose GRC program britches are a little too tight can suffer major consequences. The greatest, and most obvious, implication is the cost of a realized risk - one which could have been avoided if their program had been right-sized.

Recent research shows that 61% of survey respondents had experienced at least one compliance violation in the past 3 years, which cost anywhere from $100k - $20M for a single incident.

Read that again.

Up to $20M for a violation that could have been avoided. Prevention is the best GRC medicine. The cost of a realized risk is far greater than the cost of a right sized GRC program.


Why Is Right-sizing So Important?

Aside from the possible implications previously discussed, organizations can reap many benefits of maintaining the right size, including:

  • Better, more informed decision making based on empirical data across the GRC program (hint: use a GRC platform, like 6clicks, to have this data at your fingertips)

  • Increased transparency across the organization

  • Builds a culture of collaboration and aligns the different teams within the organization that all play a role in a comprehensive GRC program.

Don’t be afraid to ask for outside help. There are so many consultants, advisors, and Managed Service Providers who have a wealth of right sizing knowledge with proven techniques across hundreds of clients. Their job is to help organizations find efficiencies and avoid landmines. Use ‘em!


How Can 6clicks Help?

Leverage your first mover advantage with a renewed approach towards governance, risk, and compliance. Download this free eBook that explains the Paradigm Shift in Modern Governance, Risk & Compliance.

Need help right-sizing your GRC program or don’t know where to begin? We’ve got your back!

How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.



All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!

