
Right sizing your GRC program

Dr. Heather Buker

September 28, 2021


Because of all the changes we are living through, the velocity of regulatory change, a global pandemic, and no end in sight to cyber events, there is a heightened awareness of the need for governance, risk and compliance (GRC).

Organizations are beginning to realize that it’s no longer sufficient to have a few policies on a napkin and maybe a risk register in a spreadsheet. This realization has led to more and more companies maturing and building out comprehensive GRC programs.

While we love to see it, it’s important to ensure your GRC program is aligned with both your short and long-term goals.

Hence, right-sizing.

How do organizations right size?

Organizations can tackle right sizing in several ways, some of which include:

  • Be selective - No, you can't ignore your regulatory obligations and firm requirements. BUT you can choose which framework you overlay as the best practice to build upon. Be selective. Start from an established standard, ISO 27001 for example, and go from there. Start with a subset of its controls, make that subset successful, and then add to it when your program is ready to continue maturing.

  • Intertwine data - Create linkages so each piece of data informs the others. Cross-reference your policies to each other for efficiency. A lot of the policies tucked away on your share drive have requirements that overlap with each other and with the regulations you must comply with. Why not link every policy statement and control together so that reviewing and updating is easier, and a change in one place shows you everything else it touches? A solution like 6clicks can help you with those cross references and linkages.

  • Continuously review and improve - Annual reviews locked in? Fantastic. Now start reviewing every quarter, then every month, and then any time your compliance requirements change. The more your organization prioritizes small, iterative review cycles, the less cumbersome changes will be and the quicker you’ll be ready to mature to the next size.

Where are the struggles?

Even an immature organization usually has some work already under way, and that work is often overlooked. So it's important that a practitioner take a comprehensive inventory of the organization before laying the foundation of the program.

Make it a point to understand what data and controls are already being managed and identify gaps. This can be completed in doses using the selective framework and control set approach previously outlined.
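The cross-referencing and gap check described above can be modelled with a very small data structure. The following is an added example, not code from 6clicks or from the original post: requirements, controls and policies are linked in both directions, so the same model answers "which requirements have no control yet" (the gaps), "which controls map to nothing we track" (effort to question), "which policies share controls and so should be reviewed together", and "how do we split the remaining work into phases". All identifiers and sample data are constructed for illustration and are not real framework clause numbers.

```python
"""Added example (not from the original post): a minimal cross-reference model
for requirements, controls and policies, with a gap check.  All identifiers
and sample data below are constructed; they are not real clause numbers."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    satisfies: frozenset  # requirement IDs this control provides evidence for
    policies: frozenset   # policy IDs whose statements mandate this control


# Constructed sample data; IDs are hypothetical.
REQUIREMENTS = {
    "REQ-ACCESS-01": "Unique user accounts with periodic access review",
    "REQ-ACCESS-02": "Multi-factor authentication for remote access",
    "REQ-LOG-01": "Security event logs retained for 12 months",
    "REQ-LOG-02": "Security event logs reviewed for anomalies",
    "REQ-BCP-01": "Business continuity plan tested annually",
}

CONTROLS = [
    Control("CTL-IAM-1", "Quarterly access recertification",
            frozenset({"REQ-ACCESS-01"}), frozenset({"POL-ACCESS"})),
    Control("CTL-IAM-2", "MFA enforced on VPN and admin consoles",
            frozenset({"REQ-ACCESS-02"}), frozenset({"POL-ACCESS", "POL-REMOTE-WORK"})),
    Control("CTL-LOG-1", "Central log platform, 12-month retention, weekly review",
            frozenset({"REQ-LOG-01", "REQ-LOG-02"}), frozenset({"POL-LOGGING", "POL-INCIDENT"})),
    Control("CTL-PHYS-1", "Clean desk checks",
            frozenset(), frozenset({"POL-PHYSICAL"})),
]


def coverage(requirements, controls):
    """Map each requirement ID to the controls that evidence it (empty list = gap)."""
    cov = {req: [] for req in requirements}
    for ctl in controls:
        for req in sorted(ctl.satisfies):
            if req in cov:
                cov[req].append(ctl.control_id)
    return cov


def gaps(requirements, controls):
    """Requirements with no implementing control: the work still to be built."""
    return sorted(req for req, ctls in coverage(requirements, controls).items() if not ctls)


def orphan_controls(requirements, controls):
    """Controls that map to no tracked requirement: effort to question when right-sizing."""
    return sorted(c.control_id for c in controls if not (c.satisfies & set(requirements)))


def policy_links(controls):
    """Policy -> policies that share at least one control, i.e. where a change to
    one policy statement should trigger a review of the other."""
    by_policy = defaultdict(set)
    for ctl in controls:
        for pol in ctl.policies:
            by_policy[pol] |= ctl.policies - {pol}
    return {pol: sorted(others) for pol, others in sorted(by_policy.items())}


def phased_plan(requirements, controls, batch_size):
    """Split the open gaps into batches so each review cycle takes on a manageable subset."""
    open_gaps = gaps(requirements, controls)
    return [open_gaps[i:i + batch_size] for i in range(0, len(open_gaps), batch_size)]


if __name__ == "__main__":
    for req, ctls in coverage(REQUIREMENTS, CONTROLS).items():
        print(f"{req}: {ctls or 'GAP'}")
    print("orphan controls:", orphan_controls(REQUIREMENTS, CONTROLS))
    print("policy links:", policy_links(CONTROLS))
    print("phases:", phased_plan(REQUIREMENTS, CONTROLS, 1))
```

On the constructed data the only gap is REQ-BCP-01, CTL-PHYS-1 is an orphan control worth questioning, and POL-ACCESS and POL-REMOTE-WORK are linked through the shared MFA control, so a change to either should prompt a review of the other. The same functions work unchanged as the requirement set grows when the program matures to its next size.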

Also, don’t bite off more than you can chew. Rome wasn’t built in a day.

A phased approach to right-sizing is more manageable and affords greater success.

What if you’re wearing the wrong size?

Organizations whose GRC program britches are a little too tight can suffer major consequences. The greatest, and most obvious, implication is the cost of realizing a risk - which could have been avoided if their program was right-sized.

Recent research shows that 61% of survey respondents had experienced at least one compliance violation in the past 3 years, which cost anywhere from $100k - $20M for a single incident.

Read that again.

Up to $20M for a violation that could have been avoided. Prevention is the best GRC medicine. The cost of a realized risk is far greater than the cost of a right-sized GRC program.


Why is right-sizing so important?

Aside from the possible implications previously discussed, organizations can reap many benefits of maintaining the right size, including:

  • Better, more informed decision-making based on empirical data across the GRC program (hint: use a GRC platform, like 6clicks, to have this data at your fingertips)

  • Increased transparency across the organization

  • A culture of collaboration that aligns the different teams within the organization that all play a role in a comprehensive GRC program.

Don’t be afraid to ask for outside help. There are so many consultants, advisors, and Managed Service Providers who have a wealth of right-sizing knowledge with proven techniques across hundreds of clients. Their job is to help organizations find efficiencies and avoid landmines. Use ‘em!

How can 6clicks help?

Leverage your first-mover advantage with a renewed approach towards governance, risk, and compliance. Download this free eBook that explains the Paradigm Shift in Modern Governance, Risk & Compliance.

Need help right-sizing your GRC program or don't know where to begin? We got your back!

How about a whistle-stop tour with one of our 6clicks maestros? Easy, just click the button below and let the good times roll.

All we want to do, every day, is make the world of GRC easier to manage. We can't do that without you, so we hope to hear from you real soon!

Get started with 6clicks



Written by Dr. Heather Buker

Heather has been a technical SME in the cybersecurity field her entire career, from developing cybersecurity software to consulting, service delivery, architecting, and product management across most industry verticals. An engineer by trade, Heather specializes in translating business needs and facilitating solutions to complex cyber and GRC use cases with technology. Heather has a Bachelor's in Computer Engineering, a Master's in Engineering Management, and a Doctorate in Information Technology with a specialization in information assurance and cybersecurity.