A governance, risk and compliance (GRC) strategy needs to begin with a piece of paper and conclude with business interest.

Speaking in a panel debate at the SC Magazine IT Governance, Risk and Compliance (GRC) conference in London, Peter Gibbons, head of IM security at Network Rail, said that GRC 'starts on a piece of paper', as it was important to know what it looks like on paper before thinking about what tools are needed. “Get your design work done before you select the processes. GRC is the glue that sticks it together,” he said.

Jitender Arora, senior programme manager for security and risk at GE Capital EMEA, said that a GRC framework should be much broader than overall IT. In a programme, you should create boundaries to determine your strategy, as the journey starts with risk appetite and regular awareness around that to make sure boundaries are being set.

He said: “IT security means a generic framework, policy or change management and they are all there because of risk. It is very important to be structured on risk appetite; if you decide that a password will be eight to ten characters, think about the amount of money you have to spend on that, so how do you make that decision?

“What is changing? Look at more attacks or evidence of internal frauds because of hacking, and start your journey with a risk appetite. Best practice is generic for the world but maybe not best for you and what is relevant for the organisation, as it comes with a cost. There is nothing like 100 per cent security, but businesses are pressured with not enough money, so you should define the right set of controls and policies, and decide what level of risk you want to take.”

Alan Rodger, senior analyst at Ovum, said that an understanding of the definition of risk appetite will require a partnership between IT functions and the business. “Every business is different, but different organisations have different risks and who is managing the risk – it could be the CFO, the chief risk officer or the compliance officer, it depends on the industry so who defines who at table and move from there,” he said.

Gibbons said: “The challenge with governance is knowing what you have to do is proving to be a challenge and there is no clear guidance on how they link into business objectives. Trying to get everyone round the table to work towards a clear goal is a challenge, so using a clear language is a good first step.”

Suzanne Rodway, group head of privacy at RBS, agreed that a 'clarity of terminology and determination of what you want to achieve is a good step'.

Rodger said: “GRC isn't a security practice, but it should work with security practices. The best way to implement security management is through GRC as you have an idea of what you want a solution to do.”