Governance, Risk, & Compliance Function
Managing risk and compliance is an integral part of the development and delivery of Digital Products. The Governance, Risk, & Compliance function ensures that security, risk, and compliance are fully embedded into the digital delivery network, including all involved parties and vendors. The ability to identify and manage risk in an increasingly complex digital environment has become a key priority in organizations. Organizations need to understand the variables that affect their business, so describing, classifying, managing, and mitigating risk factors is very important. Key concepts in this context are “Secure by Design” and “Compliant by Design” (including “Privacy by Design”). This Supporting Function needs to be integrated with the enterprise-wide Risk Management function. It includes the relationships with functions like internal audit, compliance, risk, legal, and finance.
The Governance, Risk, & Compliance function ensures the transparency and traceability of the risks and compliance information related to the Digital Product delivery. It is tightly linked to the Policy functional component where the Policies and related control requirements are maintained.
Examples of activities within this function are:
- Define risk assessment methods
- Maintain a risk register (and related mitigation plans and requirements)
- Perform risk assessments to identify potential risks associated with Digital Products (and their releases and deployments)
- Assess the risks of vendors in the ecosystem (vendor Risk Management)
- Define and ensure mitigation plans and actions are implemented to reduce risks
- Monitor and ensure products are developed according to defined policies and security requirements
- Continuously monitor and evaluate compliance, and manage deviations/exceptions
- Audit management: perform audits to identify issues and exceptions, and determine improvement opportunities
Examples of information managed by this function are:
- Risk assessments, such as those related to BIA, TVA, and DPA
- Risks (associated with the Digital Products, Product Releases, or Actual Product Instances)
- Vendor risks
- IT audits and audit findings
- Compliance evidence and compliance-related exceptions/issues
- Risk issues (actual occurrence of a risk item)
Examples of key relationships with other functional components are:
- Policy: to understand the Policies and control Requirements
- Product Portfolio: to perform the risk assessments against the Digital Products (and associated Product Releases)
- Requirements and Product Design: to ensure products are developed Secure by Design and Compliant by Design (e.g., Privacy by Design)
- Portfolio Backlog and Product Backlog: to add backlog items needed to resolve risk-related issues, audit findings, and non-compliance records
- Incident and Problem: to ensure risk issues/findings or compliance exceptions are handled by Incident and/or Problem Management
- Test: to ensure that risk and compliance are part of the test execution
- Sourcing & Vendor Management function: to manage the risk and compliance of vendors in the digital ecosystem
- Workforce Management function: to ensure all employees are aware of the security, risk, and compliance requirements
- Intelligence & Reporting function: reporting and data analytics related to risk and compliance