The 5 Layers of a Mature GRC Program

Building a mature, sophisticated governance, risk, and compliance (GRC) program is a bit like baking a layer cake. It takes a little extra time and work to prepare each progressive layer, but when it’s complete, it’s pretty darn impressive.

Mike Santos has assembled quite the risk management layer cake at global law firm Cooley, where he’s the Director of Security and Information Governance.

Santos’ experience in risk management has its roots in an institution known worldwide for handling, preventing, and mitigating all sorts of high-stakes risk: the United States Navy. Post-service, he transitioned to the IT risk world to work with Cooley.

He soon found himself working in cybersecurity—an emerging field at the time that’s now top-of-mind for every organizational leader. There, he developed a maturity model for taking any GRC program from a reactive, ad-hoc state to an efficient, automated, and holistic process.

Santos’ model has five layers, each building on the last. Here it is:

Layer 1: Taking risk as it comes

The model’s first layer is the state in which any organization that hasn’t put resources or effort into building a true GRC program is likely to find itself. This is where your risk program operates by the seat of its pants, responding in real time to risks as they arise.

“This is where you’re just winging it,” Santos said. “Something happened yesterday or something is coming tomorrow, and you have to figure it out today.”

This is, for obvious reasons, not a particularly good way