Governance, Risk, & Compliance (GRC)

What is GRC?

  • Governance, Risk, and Compliance (GRC) is a structured approach to ensure organizations operate responsibly, safely, and in alignment with their goals.

    • Governance: The rules, decision-making, and processes that guide how a company is run. It ensures accountability and alignment with business strategy.

    • Risk Management: Identifying, assessing, and reducing risks that could prevent the company from achieving its objectives (cybersecurity, financial, operational, reputational, etc.).

    • Compliance: Following laws, regulations, standards, and internal policies to avoid fines, legal trouble, or reputational damage.

Why is GRC Important?

  • To avoid fines and legal penalties.

  • To protect the company’s reputation and maintain customer trust.

  • To prevent financial losses from risks such as cyberattacks, fraud, or operational failures.

  • To ensure business decisions and daily operations align with strategic goals.

Key Building Blocks and Terminology:

  • Policy – High-level statement of intent (“what” and “why”). Example: “All company laptops must be encrypted to protect sensitive data.”

  • Standard – Mandatory rule that supports a policy. More specific, measurable, and often technical. Example: “Laptops must use AES-256 encryption.”

  • Procedure – Step-by-step instructions (“how”) to meet a policy or standard. Example: “To encrypt your laptop, follow these 5 steps in the IT portal.”

  • Guideline – Recommended best practices (not mandatory). Provides flexibility. Example: “Employees are encouraged to use password managers.”

  • Framework – A structured approach or reference model for managing governance, risk, and compliance. Examples:

    • ISO 27001 – Information security management.

    • NIST Cybersecurity Framework – Cyber risk management.

    • COBIT – IT governance.

    • COSO – Enterprise risk management.

  • Risk – The chance that something goes wrong, measured by likelihood (how likely it is) and impact (how severe it would be). Risk management involves:

    • Identify – What could go wrong?

    • Assess – How likely and how bad?

    • Mitigate – What controls reduce the risk?

    • Monitor – Is it still under control?

How it all fits together:

  • Governance defines policies and standards.

  • Risk Management identifies and prioritizes risks, deciding which policies and controls are most critical.

  • Compliance ensures the organization follows procedures, frameworks, and legal/regulatory requirements.

  • Guidelines provide additional advice and flexibility.

  • Think of it like a pyramid:

    • Policies set the rules.

    • Standards define the details.

    • Procedures explain how to do it.

    • Guidelines offer extra advice.

GRC in Action (Example)

  • Governance: The board requires strong cybersecurity to protect customers.

  • Policy: “All employees must use multi-factor authentication (MFA).”

  • Standard: “MFA must use a mobile authenticator app, not SMS.”

  • Procedure: IT issues instructions on how to set up MFA.

  • Guideline: “Employees are encouraged to use password managers.”

  • Risk: Without MFA, the company risks account takeovers.

  • Framework: The company aligns with the NIST Cybersecurity Framework.

  • Compliance: Auditors verify MFA is enforced, and regulators confirm the company meets data protection laws.

SAMA (Saudi Arabian Monetary Authority) and GRC

  • The Saudi Arabian Monetary Authority (SAMA) is the central bank of Saudi Arabia. It regulates banks, financial institutions, and other companies that handle money. Any company processing financial transactions or customer financial data must comply with SAMA’s regulations.

Maturity Levels:

  • SAMA uses a six-level maturity model (levels 0 to 5). Each level builds on the previous one; an organization must satisfy the earlier levels before claiming a higher one.

  • Level 0: Non-existent – No documentation, no controls, no awareness.

  • Level 1: Ad-hoc – Controls exist only partially and are applied inconsistently across teams.

  • Level 2: Repeatable but informal – Controls are repeatable in practice but not formally defined or approved; limited review/testing.

  • Level 3: Structured & formalized (this is SAMA’s required minimum):

    • Controls are defined, approved, implemented.

    • Documentation exists: policies → standards → procedures (the documentation pyramid).

    • Compliance with documentation is monitored.

    • KPIs are defined and reported to show implementation.

    • Example: Board-approved encryption & access policies, standards that say “AES-256, TLS 1.2+”, procedures for onboarding/offboarding employees, and a GRC dashboard showing % of systems compliant.

  • Level 4: Managed & measurable – Controls are measured regularly for effectiveness; KRIs/KPIs drive trend reporting and improvements.

  • Level 5: Adaptive – Continuous improvement, automation, integration into enterprise risk management, benchmarking against peers.

SAMA Cyber Security Framework (CSF)

  • Chapter 1 — Introduction: scope, applicability, responsibilities.

  • Chapter 2 — Framework Structure & Features: principle-based approach, self-assessment & audit rules, maturity model (0–5).

  • Chapter 3 — Control domains (this is the heart; four main domains):

    1. Cyber Security Leadership & Governance

      • Subdomains: governance, strategy, policy, roles & responsibilities, awareness, training. (Board oversight, CISO, cyber committee, budgets.)

    2. Cyber Security Risk Management & Compliance

      • Subdomains: risk management, regulatory compliance, reviews, audits. (Alignment with enterprise risk management, risk registers, KRIs.)

    3. Cyber Security Operations & Technology

      • Subdomains: HR security, physical security, asset management, architecture, IAM, application security, change management, infrastructure, cryptography, BYOD, incident/threat management, vulnerability management, logging/SIEM, payment/e-banking controls. (All the technical controls.)

    4. Third-Party Cyber Security

      • Subdomains: contract & vendor management, outsourcing, cloud computing and controls for third parties. (Approval rules, outsourcing policy, vendor SLAs, SAMA approval for material outsourcing.)
