The GRC Engineering Cheat Sheet

Legacy GRC vs. GRC Engineering in practice

Program: All

Legacy GRC
  • Framework-first focus

GRC Engineering
  • Threat-informed, systems thinking, design thinking

Program: Governance

Legacy GRC
  • Policies, standards, procedures
  • Docs ≠ control reality
  • Metric-less committees & decisions
  • Annual/semi-annual training (boring)

GRC Engineering
  • PaC enforces “risk tolerance” (pre-deploy/change)
  • “Autocorrect/reconcile” docs ←→ controls
  • Metrics-focused committees & decisions
  • Real-time behavioral interventions & scientific pedagogy

Program: Risk

Legacy GRC
  • Qualitative risk analysis (manual)
  • Subjective data & heatmaps
  • Fragmented weaknesses & issues
  • Accountability police
  • Fear, Uncertainty, & Doubt (FUD)
  • TPCM, heavily third-party focused

GRC Engineering
  • Quantitative risk analysis (automated)
  • Objective data & histograms
  • Holistic risk scenarios (threat + vector + asset + impact)
  • Decision support partners
  • Evidence, Logic, Math, Reason (ELMR >>> FUD)
  • TPRM, balanced third- + first-party focus

Program: Compliance

Legacy GRC
  • Periodic, isolated control monitoring
  • Evidence samples

GRC Engineering
  • Automated, holistic control monitoring & active testing
  • Evidence populations (full)

Program: Trust & Assurance

Legacy GRC
  • Opaque, abstracted annual artifacts
  • RFIs handled via email

GRC Engineering
  • Transparent, real-time, historical visibility into controls
  • Self-service RFIs & questionnaire completion