As I have mentioned earlier in my blogs on “Cyber attacks – What you cant see can hurt you” , “urgent is Loud and Important is quiet” and “Threats change faster than you can react”, 
organizations are constantly changing and evolving in response to the changing marketplace, customer needs, and threat environment. Organizations realize the value of having Integrated Risk Management Programs. However, …
Integrated Risk Management programs designed to manage Organizational Technology GRC often encounter a Policy to Practice Gap.
These Policy-to-Practice Gaps are due to two main reasons – Organizational Processes, Systems and Technologies Complexity of a GRC Program and, People, Attitudes and their Training.
I will talk about the Human factors in this blog.
GRC is an ongoing activity
In response to this dynamic environment of constantly changing markets, customer needs and threat environment, the GRC program must continuously evolve as well. It’s an ongoing process and needs ongoing monitoring and refinement to remain relevant. This should be reflected in the people are trained to look at GRC programs.
GRC is not a ‘once and done’ activity.
It is quite evident that a “just-in-time compliance” program strategy i.e. responding only to GRC audits or tech security incidents will not be very effective.
People, Attitudes and Training
This constantly evolving nature of GRC response requires that the workforce be kept abreast of evolving needs of such programs and be continually trained on these aspects of their work.
It is important to make sure that teams realize the importance of GRC tasks; they know what is expected of them; and are adequately trained on how to do what is expected of them. Most importantly they should also know how to respond in case something does go wrong. As it inevitably will.
How seriously do people take GRC
As I mentioned in my earlier blog – Urgent is Loud and Important is quiet, GRC activities are often overlooked in favour of other business priorities like product releases, incidents, or a budget crunch, leading to gaps in compliance.
Urgent drowns out the important.
The other challenge to the success of a GRC program is resistance of human beings to change. Employees’ resistance to GRC programs will lead to difficulties with adoption and implementation.
In addition to all this, the effectiveness of controls should be tested continuously, not sporadically, essentially doing an internal audit of the GRC program, so that, gaps are found proactively and not after an incident.
There are many examples where employees played a significant role in incidents where data was compromised. For example, the 2016 Snapchat Insider Data Leak Phishing Case, or the 2020 Twitter Insider Case which was due to weak password issues; or the Cash App Data Leak in 2022.
Do they know what their roles are? What is expected of them?
If the employees do not know what their roles are, and if they lack awareness of risk it can lead to inadequate risk assessment, compliance and mitigation out of ignorance.
Examples abound of incidents that can be attributed to employee actions compromising information assets due to lack of awareness and training. 
In fact, according to this report, lack of employee training is behind 80% of data breaches
In this context, a lot depends on how the GRC programs are set up. The employees should know what is expected of them, how will their performance and effectiveness with respect to the GRC program be measured. Policies should be simple and easy to follow, backed up by clear workflows so that the employees know where to find them or how to follow them. They should not be vague or complicated.
This will improve adoption and “policy-to-practice” gaps.
Determining the effectiveness of GRC activities is essential to demonstrating their value.
Ongoing Training of Employees
GRC professionals are often in short supply, and the ones that are there quite often have gaps in their GRC knowledge because the field of GRC is constantly evolving.
For example, they (and other employees) may not know about evolving regulatory requirements, control frameworks (like ISO 27001, SOC, HIPAA, NIST, GDPR, COBIT), or audit expectations. This needs for them to be continually trained and updated.
As much as the employees need to understand the GRC controls and requirements, they need to understand the technologies in use and the implications of the controls on technologies and vice-versa.
A Collaborative Attitude
As important as it is for employees to know what is expected of them, it is equally important for them to collaborate with others in other departments.
Lack of collaboration across departments e.g. Legal, IT, Finance, InfoSec, DevOps, HR, Operations and Audit results in information gaps, duplicated efforts, and gives an incomplete picture of risks faces.
This, getting a holistic view of risks, is essential for taking better informed decisions.
Commitment of Resources
Has the organization committed adequate time, money, and expertise for Implementing a comprehensive GRC program? An organization needs to invest in skilled personnel,
technology, and operations – all of which requires significant commitment.
This becomes especially challenging, especially in smaller organizations due to the absence of clear quantifiable returns.
A GRC program has more value than benefits.
Vendor and Third-Party Risks
One often hidden area of Risk is the Risk that Vendors pose. It is an increasingly networked world with essential functions like customer support, server hosting and data storage, operational support among others being outsourced to third parties. This means sharing critical and sensitive information assets with them.
As this report finds, third-party vendors are responsible for 41.8% of Fintech data breaches.
Here too, there are many examples where lack of adequate control with a vendor led to information assets getting compromised.
For example Target in 2013 to Equifax in 2017 to more recent ones like MOVE it in 2023, Okta in 2023, and Infosys McCamish in 2024
Therefore, this becomes another essential area of control.
Whew! Reading these last two blogs, the previous one on System and Technology issues- ” Complexity of a GRC program ” to this one on Human Factors leaves me breathless with everything we must do to just keep our operations reasonably safe and secure.
It feels like we must keep running to stay in the same place.
So, how can we get some control over this huge, complex and fast changing issue?
In the words of my favorite Professor K Balakrishnan, ‘Balki’, when you must swallow something the size of an elephant, you do it piece by piece 😊.
I will talk about how I have seen Technology GRC response and Integrated Risk Management Programs evolve over the last few years in my coming blogs.
