By Nahla Davies
Fri | Nov 24, 2023 | 8:00 AM PST

Stringent policies and procedures have long dominated many organizations' Governance, Risk, and Compliance (GRC) programs. Yet, time and time again, this policy-first mindset proves inadequate, because it overlooks the human factor: policies are written for people, and people are the ones who interpret, follow, or quietly work around them. 

Human-centric GRC frameworks shift the focus toward organizational culture and its influence on a company's security and compliance posture. Today, we're going to take a good, hard look at this approach, which integrates the human side of operations directly into the heart of GRC strategy. 

We'll look at how businesses that adopt a human-centric GRC framework not only navigate compliance more effectively but also build a stronger, more resilient organizational ethos in which every individual actively participates in governance and risk management.

The importance of creating a human-centric GRC culture

Looking across the various GRC frameworks, it quickly becomes clear that they share a purpose: to raise an organization's compliance level, improve its risk management, and ultimately drive better governance. 

Likewise, a strong security culture extends to every detail of the software an organization uses. Whether the decision is between a free VPN and a paid one or the choice of a specialized IIoT integration option, the principle is the same: every link in the chain exists to keep the organization safe, and everything else is secondary.

However, without a conducive organizational culture, the impact of GRC programs can be significantly muted. While some businesses report only marginal improvements after implementing GRC frameworks, others undergo complete transformations. This disparity is often rooted in the organization's overall culture and its receptiveness to change.

Preventing insider threats

Let's use an example to highlight the benefits of human-centric GRC. Accenture, a global professional services company that handles sensitive data from sources such as governments, healthcare providers, and financial services firms, is a pioneer in reducing insider threats through this approach.

The core of Accenture's strategy is the recognition that insider threats are not just a technology issue but a human one. Employees can become threats for many reasons, including personal grievances, financial pressures, or simply unintentional mistakes.

Accenture employs behavioral analytics to monitor employee activity and detect anomalies. The system is designed to spot patterns that may indicate a potential threat, such as unusual access requests or out-of-pattern data transfers, by comparing each user's current behavior against their own established baseline. At the same time, the company is careful to balance security with privacy, ensuring that monitoring is conducted ethically and respectfully.
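To make the baseline-and-deviation idea concrete, here is a small, self-contained example added for this article. It is illustrative code, not Accenture's system or any vendor's product: the log format, field names, working-hours window, transfer threshold and pseudonymization salt are all assumptions, and the log events are constructed. It builds a per-user baseline from historical access events (resources touched, actions used, typical transfer size), scores new events against that baseline, and replaces the user name in each alert with a keyed hash so that first-line reviewers triage a token rather than a colleague's identity, which is one practical way to honor the privacy caveat above.

```python
"""Baseline-and-deviation detection over constructed access-log events.

Illustrative example for this article; not Accenture's system. The log
format, field names, thresholds and salt below are assumptions.
"""
import hashlib
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample history: (timestamp, user, action, resource, bytes).
HISTORY = [
    ("2023-11-01T09:12:00", "alice", "read", "crm", 120_000),
    ("2023-11-02T10:05:00", "alice", "read", "crm", 150_000),
    ("2023-11-03T11:40:00", "alice", "read", "crm", 100_000),
    ("2023-11-06T09:30:00", "alice", "read", "crm", 130_000),
    ("2023-11-01T14:00:00", "bob", "read", "finance", 2_000_000),
    ("2023-11-02T15:20:00", "bob", "read", "finance", 2_500_000),
    ("2023-11-03T13:10:00", "bob", "read", "finance", 1_800_000),
    ("2023-11-06T16:45:00", "bob", "export", "finance", 2_200_000),
]

# Constructed new events to score against the baseline.
NEW_EVENTS = [
    ("2023-11-24T10:00:00", "alice", "read", "crm", 140_000),        # in pattern
    ("2023-11-24T02:15:00", "alice", "export", "finance", 900_000),  # off-hours, new resource/action, large transfer
    ("2023-11-24T14:30:00", "bob", "read", "finance", 2_300_000),    # in pattern for bob
]

WORK_HOURS = range(7, 20)          # assumption: 07:00-19:59 local is working hours
TRANSFER_MULTIPLE = 3.0            # assumption: flag transfers above 3x the user's median
PSEUDONYM_SALT = b"rotate-me-per-review-cycle"  # assumption: secret held by the review team only


def build_baseline(events):
    """Per-user baseline: set of resources, set of actions, median bytes moved."""
    by_user = defaultdict(lambda: {"resources": set(), "actions": set(), "bytes": []})
    for _ts, user, action, resource, nbytes in events:
        b = by_user[user]
        b["resources"].add(resource)
        b["actions"].add(action)
        b["bytes"].append(nbytes)
    return {
        user: {
            "resources": b["resources"],
            "actions": b["actions"],
            "median_bytes": statistics.median(b["bytes"]),
        }
        for user, b in by_user.items()
    }


def pseudonymize(user):
    """Keyed hash of the user name so reviewers see a token, not a person.
    Re-identification happens only after an alert is escalated."""
    return hashlib.sha256(PSEUDONYM_SALT + user.encode()).hexdigest()[:12]


def score_event(event, baseline):
    """Return the list of anomaly reasons for one event; an empty list means nothing unusual."""
    ts, user, action, resource, nbytes = event
    b = baseline.get(user)
    if b is None:
        return ["no baseline for user"]
    reasons = []
    if datetime.fromisoformat(ts).hour not in WORK_HOURS:
        reasons.append("off-hours access")
    if resource not in b["resources"]:
        reasons.append(f"first access to {resource}")
    if action not in b["actions"]:
        reasons.append(f"new action {action}")
    if nbytes > TRANSFER_MULTIPLE * b["median_bytes"]:
        reasons.append(f"transfer {nbytes} exceeds {TRANSFER_MULTIPLE}x median {b['median_bytes']:.0f}")
    return reasons


def detect(history, new_events):
    """Score each new event and emit pseudonymized alerts for those that deviate."""
    baseline = build_baseline(history)
    alerts = []
    for ev in new_events:
        reasons = score_event(ev, baseline)
        if reasons:
            alerts.append({"subject": pseudonymize(ev[1]), "time": ev[0], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY, NEW_EVENTS):
        print(alert)
```

On the constructed data, only the 02:15 export by alice trips the detector, and it does so on four independent signals at once (off-hours, a resource and an action she has never used, and a transfer several times her median). Stacking signals like this is what keeps a behavioral system from drowning reviewers in single-factor noise; the pseudonymized subject field is what keeps the triage step from becoming surveillance of named individuals before there is cause.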

Fostering a culture of security 

Deloitte, one of the leading global providers of audit and assurance, consulting, financial advisory, and risk advisory services, provides a well-rounded blueprint for how a human-centric GRC approach can produce a security-focused culture within a business.

Beyond comprehensive employee training and continuous education, Deloitte has established a Cyber Intelligence Center that operates around the clock. The center is not just a hub for monitoring and responding to threats; it also serves as a resource for educating employees about the latest developments in cybersecurity.

The company also conducts regular ethical hacking and red teaming exercises to test its defenses. These exercises double as educational tools, giving staff hands-on experience with real security pitfalls, and they are accompanied by realistic data breach response simulations.

The potential drawbacks of human-centric GRC culture

A human-centric approach to GRC offers numerous benefits, including enhanced engagement, improved risk management, and a culture of compliance. 

However, like any strategy, it is not without potential drawbacks. Recognizing these challenges is essential for organizations looking to balance human elements with the technical aspects of GRC.

Subjectivity and Inconsistency

Human-centric GRC places significant emphasis on individual judgment and behavior, which can lead to subjectivity and inconsistency in how policies and procedures are interpreted and applied. Employees may hold differing views of risk and compliance, which can undermine uniformity across the organization's GRC efforts.

Resistance to Change

Employees may resist the shift to a human-centric model, particularly if they are accustomed to a more traditional, policy-driven approach. Changing long-standing practices and behaviors is a slow and difficult process that requires substantial change management effort, and it is one of the biggest challenges in establishing a new GRC culture.

Over-Reliance on Cultural Fit

A strong emphasis on cultural fit within a human-centric GRC framework may inadvertently exclude individuals who could bring in valuable, diverse perspectives and skills. This could potentially create an echo chamber where only certain viewpoints are valued, leading to blind spots in identifying and managing risks.

Training and Development Demands

Implementing a human-centric GRC program requires considerable investment in training and development so that all employees have the knowledge and skills to fulfill their roles effectively. This is costly and time-consuming, and there is always a risk that the investment will not yield the expected returns.

Vulnerability to Human Error

While a human-centric approach seeks to reduce risk by harnessing the collective vigilance of employees, it also widens the surface for human error. Mistakes by employees, whether accidental or due to a lack of understanding, can lead directly to compliance breaches and security incidents.

Dependence on Employee Engagement

The effectiveness of a human-centric GRC program hinges on high levels of employee engagement. If employees are not invested in the culture of compliance, their participation adds little or even does harm, and the entire program suffers. Sustaining that engagement requires ongoing effort and resources, which is a significant challenge for any organization.

Losing Current Workflow Familiarity

Adopting a human-centric GRC approach can disrupt established workflows, since it often means giving up familiar processes and tools, especially where most processes are manual or tied to particular platforms.

Organizations handling sensitive data, in particular, may need to replace mainstream enterprise solutions with custom, integrated systems for tasks such as document editing and database management. The transition is challenging, and as with automation, the benefits become visible only once it is complete.

Scalability Issues

Human-centric approaches can be difficult to scale, especially in large or rapidly growing organizations. As the workforce grows, maintaining a consistent culture and keeping every employee equally informed and engaged becomes progressively harder.

Wrapping Up

Adopting a human-centric approach to GRC offers a promising avenue for organizations of all sizes, because it prioritizes the organizational culture and individual behaviors that underpin successful compliance and risk management. 

Yet, as we've seen above, the shift toward human-centric GRC is not without its own challenges. 

From the risk of subjectivity to the demands of continuous employee engagement, organizations must navigate a range of complexities to realize the full potential of this approach. It requires a careful balance between embracing the nuances of human behavior and maintaining the rigor of compliance and risk management practices.