
Governance, Risk, and Compliance - Why does it matter

Author:

Jaro Tomik

Digital Enablement

Dec 11, 2025

As a technology leader, you have probably heard of the importance of GRC – Governance, Risk, and Compliance. Traditionally, this topic sat somewhere else in the business, siloed and disconnected from the technology systems and teams. A GRC professional, or even a team, would be appointed to: 

  • Develop and Implement Compliance Programs: Create and oversee the implementation of comprehensive compliance programs to ensure adherence to legal and regulatory requirements. 

  • Risk Management: Identify potential areas of compliance vulnerability and risk and develop corrective action plans. 

  • Policy Development: Develop and update company policies and procedures to ensure compliance with applicable laws and regulations. 

  • Internal Reviews and Audits: Conduct internal reviews or audits to ensure compliance procedures are followed and identify areas for improvement. 

  • Training and Education: Provide training and guidance to staff on compliance matters to foster a compliance-focused culture within the organization. 

  • Incident Response: Respond to alleged violations of rules, regulations, policies, and procedures by evaluating and initiating investigative procedures. 

  • Reporting: Prepare reports for senior management and external regulatory bodies as appropriate. 

  • Advisory Role: Advise the company's management on the possible legal implications of new projects and initiatives. 

Frameworks such as ITIL®, and the responsibilities of CISOs and other security-minded technology team members, already require many of the activities above to be carried out, but typically in relation to the technology itself rather than the organisation as a whole.  

Additionally, many frameworks help GRC professionals navigate the complexities of getting GRC right, and the majority of them depend on collaboration with the technology department. Most recently, from 17 January 2025, financial institutions have had to comply with DORA, and the main obligations of the Cyber Resilience Act (CRA) apply from 11 December 2027 (with its vulnerability and incident reporting obligations applying earlier, from 11 September 2026). Here are some examples of other GRC frameworks you may be familiar with: 

 

However, despite these frameworks being well defined and GRC professionals asking for support, we are still not seeing enough collaboration between technology teams and GRC specialists.  

Why should connecting your GRC and technology strategies matter? What happens when GRC is not in place, and things go south? Let’s look at a few stories from the past that demonstrate the value of technology and GRC teams working in alignment.  

Risk Management 

We can start as far back as the 1800s. Ferdinand de Lesseps, who had successfully built the Suez Canal, attempted to construct the Panama Canal in the 1880s. The project faced challenges the Suez experience had not prepared him for, including landslides, malaria, and yellow fever. The lack of a comprehensive risk management plan contributed to the loss of an estimated 20,000 or more lives and well over a billion francs. The French effort was abandoned, and the United States later completed the canal with a different design (locks rather than a sea-level cut) and far better management of the disease and engineering risks.  

When GRC and CISO functions operate in silos, risk management becomes fragmented: each side keeps its own register, and risks that fall between them are neither identified nor mitigated. Unaddressed vulnerabilities are the predictable result, and with them a higher likelihood of a security breach. To avoid a Panama Canal situation, technology teams should work with GRC professionals on a shared, automated platform to record, assess, and act upon identified risks, so that a single risk register is visible to both sides.  

Regulatory Compliance 

In 2001, Enron Corporation was revealed to have used fraudulent accounting practices to hide its financial losses, leading to one of the largest corporate bankruptcies in history. The scandal involved the misuse of mark-to-market accounting, off-balance-sheet special purpose entities, and misleading financial reporting. Enron's collapse resulted in severe legal penalties, the dissolution of its accounting firm, Arthur Andersen, and the loss of billions in employee pensions and shareholder value. 

Today, technology leaders need to work closely with GRC professionals and understand which regulations the organisation must adhere to. The relevant frameworks have to be assessed and introduced so that the technology estate supports compliance, auditability, and accountability, rather than leaving those properties to be asserted after the fact.  

Operational Efficiency 

Xerox faced significant operational inefficiencies in the early 2000s. The company struggled with poor quality control and ineffective internal communication, which contributed to financial losses and a damaged reputation. Despite efforts to turn the business around, the lack of operational efficiency slowed its recovery. 

When technologists help GRC professionals set up their platform, significant productivity gains follow from establishing a single source of truth in the GRC software, automating evidence collection and control checks, and building in quality control, visibility, transparency, and communication. An effective ticketing system, integrated with that platform, ensures that identified non-compliance or risks are assigned an owner and tracked to closure rather than going unnoticed, avoiding the kind of financial loss and reputational damage Xerox suffered.  

Enhanced Decision-Making 

Kodak is a prime example of poor decision-making. Despite inventing the digital camera, Kodak failed to capitalise on its own innovation because it remained focused on protecting its traditional film business. That decision ultimately led to the company's decline as digital photography became the industry standard. 

It is easy to become complacent when a company grows, is profitable, and feels well secured. However, the pace of change keeps increasing, and it is unlikely ever to be this slow again. That brings volatility into the market, and with it new frameworks intended to help manage technological advances. Technologists and GRC professionals must therefore keep their ears to the ground to ensure their businesses stay both relevant and compliant.  

Reputation Management 

The BP Deepwater Horizon oil spill in 2010 is a significant example of poor reputation management. The blowout itself caused severe environmental damage; BP's inadequate response and communication strategy during the crisis then compounded the harm to its public image. 

As with cyberattacks, it is not a question of if but when. It is therefore essential that technologists work closely with GRC professionals to prepare for a range of crisis scenarios, just as they would in Major Incident Management (MIM): agreeing roles, escalation paths, and who speaks to whom, before the incident. That way, when a crisis does occur, both teams can respond and communicate in a coordinated way rather than improvising in parallel.  

Strategic Alignment 

The 2002 merger between Hewlett-Packard (HP) and Compaq faced numerous challenges, including cultural clashes and integration issues. The merger was intended to create a global powerhouse in the computing industry, but it met with internal opposition across the company and produced financial losses in its early years. Its difficulties highlighted the importance of strategic alignment and effective communication in large-scale corporate integrations. 

Reaching out to GRC before a merger or acquisition may not be your first call. However, as many unsuccessful M&As have shown over the years, strategic and governance alignment, a shared understanding of risk, visibility, transparency, and good communication hygiene are key to avoiding missteps.  

These stories illustrate the critical importance of robust GRC frameworks for managing risk, ensuring compliance, improving operational efficiency, making informed decisions, protecting reputation, and aligning with strategic goals. 

Addressing these issues requires a holistic approach to risk management and genuine collaboration between the GRC and CISO teams.  

THE TIME IS NOW!  

Implementing integrated solutions and promoting cross-departmental communication helps mitigate these impacts and improves the organisation's overall risk posture. 

At CDW, we can help you implement a GRC platform, establish a working communication channel with your GRC teams, prepare you for adherence to frameworks and best practices, and navigate the landscape of GRC regulations. Whether you have 50 or 100,000 employees, do not keep putting GRC off. Start today. 

