Interview with Shirjeel Fahid, Legal Analyst
As part of our Expert Insight series, we speak to Cognosec’s Legal Analyst, Shirjeel Fahid, who explains the importance of Governance, Risk and Compliance (GRC) for businesses of all sizes. He also highlights common GRC challenges facing organizations today.
Could you tell me a little about your role at Cognosec?
My official title is Legal Analyst, but the role covers the whole gamut of legal duties, including contract review, drafting templates, carrying out research and analysis, as well as the essential task of coordinating and communicating with relevant personnel both within the company and externally. In addition, I am responsible for keeping abreast of the latest developments within the cybersecurity industry and particularly the legal ramifications of any such developments.
Could you briefly explain what Governance, Risk and Compliance is and how its implementation is essential to organizations of all sizes?
Governance, Risk and Compliance (GRC) essentially refers to the running of an organization. The three terms are interconnected. Governance refers to how an organization is managed. The management of the organization is instrumental in how it approaches risk, such that any risks associated with the achievements of its business objectives are kept to a minimum. Finally, both the governance of an organization and how it manages risk will necessarily be informed by the requirement to conform with applicable legal and regulatory obligations.
How an organization formulates and implements its approach to GRC is central to both its internal operations, as well as the achievement of its commercial objectives.
GRC will of course be different depending on the size, business sector and ethos of individual organizations, but the common thread is that a coordinated and informed approach to GRC is essential for the success of any enterprise.
What is the danger of not having a sufficient operational risk framework in place?
Aside from the obvious danger of not having appropriate responses in place in case of a catastrophic event, such as an organization’s systems being hacked and sensitive data being stolen, there is the wider issue that an insufficient operational risk framework is symptomatic of deeper issues, illustrative as it is of an organization that does not have a coordinated approach to its business.
A good risk framework should provide the means through which an organization’s departments can work together to identify, assess and rectify any risk situation, and this necessitates legal, financial, technical and other teams to know where they fit within the framework.
The International Organisation for Standardisation (ISO) states that a key principle of risk management is the requirement to create value. Consequently, to ensure that appropriate resources and expertise are expended in the most cost-efficient way possible, it is essential to have a robust risk framework in place.
Ultimately a poor risk framework is symptomatic of an organization that lacks a unified, coordinated business approach: a short-term consequence of this could be the failure to identify threats and deal with them, leading to financial and legal ramifications, as well as the longer-term issue of a lack of profitability resultant from an organization’s poor approach to, and understanding of, risk.
What are the common GRC challenges facing organizations today?
The main GRC challenge facing organizations is the fact that technological and regulatory requirements move at a faster pace than many organizations can adapt. Any such changes must be implemented within an organization’s governance framework, which informs its risk policy, which is in turn informed by compliance requirements. Depending on the size and scale of these technological advancements or regulatory changes, an organization may have to significantly alter how it does business and thereby, its GRC provisions.
An example of a GRC challenge from both a legislative and technological perspective is the forthcoming General Data Protection Regulation (GDPR).
GDPR will have a significant impact on organizations’ data processing and related activities, and will affect both EU-established data controllers and processors, and non-EU established organizations that offer goods/services to EU data subjects or monitor their activities.
The increased scope will have broad implications: for example, data processors will now be directly subject to EU data protection law. This will particularly affect controllers who outsource their data storage to cloud service providers, and any relevant agreements will potentially need to be redrafted.
How can Cognosec help with an organization’s GRC?
Cognosec recognises that a coordinated approach to GRC is essential and that a sound knowledge of regulatory and technical requirements must be combined with the ability to deliver appropriate services that ensure maximum protection for organizations from a GRC perspective.
Cognosec are able to offer a holistic solution, from an initial overview of an organization’s existing GRC framework through to drafting the necessary documentation and providing any and all relevant services and products, combining cyber security industry technical knowledge with specialist legal advice.
Cognosec’s focus is on the provision of an all-in-one GRC service that maximises an organization’s commercial objectives while ensuring that it is fully compliant and protected from any and all potential threats.
The combination and quality of the services we offer ensures that organizations can move forward confident that their GRC needs have been comprehensively and decisively met.