In many firms, the equation between Governance, Risk and Compliance around cyber security is becoming heavily weighted towards the G, and GRC functions must adjust as a result, both in terms of internal structures and in terms of interactions with other stakeholders.
Every organisation faces risk, uncertainty and security threats, and at the same time must comply with a host of regulations. GRC helps to manage those issues and keep an organisation on track.
There are many risk management methodologies in existence, but it is not uncommon to come across large firms that still follow simplistic, dysfunctional or flawed practices today, in particular around operational risk management.
The main issue with many of those approaches is that they are plagued by a fundamental theoretical problem, which goes far beyond semantics: there is an abyss between managing “Risk” (broadly defined as “the impact of uncertainty on objectives”) and managing “risks” (events or scenarios that might have an undesirable outcome).