As regulations increase and new tech converges, the governance, risk and compliance (GRC) function is quickly becoming more important to the health, finances and security of enterprises today. However, GRC needs support to do its job well, and that requires support from the top down – which hasn’t always been easy to obtain.
Board members need to understand the value of GRC today, especially amid rising AI adoption, which introduces an organization to new risks faster than ever. In other words, you’ve got to get the board on board.
Increasing regulations and new tech
Organizations today face all sorts of regulations that they must comply with. A major development in the U.S. has been new rules from the Securities and Exchange Commission (SEC) that require publicly traded companies to disclose a cybersecurity incident within four business days or risk fines.
We’re already seeing the SEC crack down. For instance, in May 2024, the Intercontinental Exchange, parent company of NYSE, was fined for failing to disclose a cyber intrusion within the required time frame.
We’re also seeing new and emerging attempts to regulate AI use. In the EU, for example, the AI Act was enacted in May. Late last year in the U.S., the Biden Administration released an Executive Order: Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. The order initiates what the Congressional Research Service referred to as “a government-wide effort to guide responsible artificial intelligence (AI) development and deployment through federal agency leadership, regulation of industry, and engagement with international partners.”
And of course, these are just the latest large government actions. An organization’s industry and location determine all manner of mandates and regulations that must be complied with – from GDPR, PCI and DORA to HIPAA and countless others.
While AI regulations are still new, the EU’s rules are likely to serve as a framework for other countries. And in the U.S., individual states have already begun developing new legislation. As companies rush to adopt AI into their information technology footprint, it’s important to understand not just the existing regulations but also those in the pipeline.
The role of GRC and winning hearts and minds
The GRC function performs the due diligence to help ensure businesses are meeting all the various regulations and compliance mandates to which they’re subject. From driving policies and standards to overseeing risk register to inform decisions, GRC is the gatekeeper of compliance requirements.
Compliance is far from being seen as exciting and glamorous. Corporate leaders can often perceive it as a nuisance; they see it as getting in the way of business, but the reality today is that it’s extremely important to the business. In fact, it can even become a business enabler.
For this to happen, though, GRC needs board-level support to do its job well – and that can be easier said than done. One challenge, especially when it comes to cybersecurity and AI regulations, is that not all boards are savvy when it comes to technology and security. While awareness is growing, a report from September 2023 found that just 12% of S&P 500 companies had a board director with relevant cyber credentials. Getting the right information from the right places is another ongoing challenge.
Getting the board to care
One key factor is supporting the CISO and their peers who interact with the board to help bridge the gap between the GRC function and the board, to help the latter understand the former’s importance and value. Education is key. The board needs to understand its role and what’s expected of directors when there is, for instance, a breach that requires disclosure.
Companies are becoming more advanced in terms of how they collect and report on compliance metrics, which is a great step forward. But there’s a lot of information that needs to be prioritized. Information needs to be presented in a way that is simple, relevant and comprehensive without being overwhelming.
The board needs to ask questions to ensure they understand the risks that the organization needs to focus on and the real impact on the business if an incident occurs. It comes down to giving them the information they need to understand risk in an accessible way with a holistic view. GRC leads can help provide that risk quantification.
Five best practices for getting the board on board with GRC
Use these best practices to help board members work most effectively with the GRC team:
- Inform board members on the risk framework in use to showcase structure and credibility, such as NIST CSF 2.0 or ISO27001. Communicate relevant compliance requirements and their implications in a way that is meaningful to the business.
- Educate board members on the organization’s use of AI, including how and where it’s using AI across the business and the impacts of its use on compliance requirements and monitoring.
- Engage with external experts to conduct independent assessments of the company’s risk profile and provide recommendations.
- Support preparedness based on the standards used through risk assessment and ongoing monitoring, which helps to refine response capabilities.
GRC, security and AI
Successful cyber GRC functions provide consistent data and metrics across all organizational layers, ensuring everyone from operational staff to the board is working with the same information. In other words, GRC can support both strategic oversight and operational management from the same information. This approach provides transparency and adaptability to new regulations and threats.
GRC has always been important, but now AI has entered the regulatory picture. It’s changing the threat landscape, the operating model, the products and the services. Boards need to become savvier when it comes to cybersecurity and AI, especially specifics around how the company is using AI. Using the best practices discussed above, GRC leads have the opportunity to build the board’s knowledge of these topics in ways that can have lasting positive impacts on an organization’s security and compliance posture.