Blog

Better governance – avoid parallel tracks in information security


New regulations such as NIS2 and DORA often address the same underlying risks. A common structure makes it possible to reduce duplication and strengthen governance in information security. That is the view of Christopher Läns, GRC Expert at Stratsys.

The demands on governance and risk management are increasing at the same time as the number of regulatory frameworks grows. For many organisations, this results in parallel structures with different responsible functions, processes and tools.

Christopher Läns works with GRC and information security matters at Stratsys. He sees a clear pattern in how organisations are dealing with this development.

“The risk is that organisations build up parallel tracks to manage different regulatory frameworks. This often happens gradually, as new requirements are introduced. The consequence is that the work becomes more complex and that it becomes harder to create a consolidated view of risk and control,” says Christopher.

[Photo: Christopher Läns, GRC Expert at Stratsys]

Parallel controls are inefficient

Risks linked to IT and suppliers are examples of issues that recur across several regulatory frameworks. A requirement for incident management in one framework is matched by a similar requirement in another: both NIS2 and DORA, for instance, require incident reporting, management of supplier and ICT third-party risk, and business continuity measures. Other recurring themes include data protection and continuity.

When requirements are broken down and implemented separately, the organisation builds up parallel controls in different systems and across different functions. The result is additional layers of work around the same issue. Christopher argues that this leads to inefficiency:

“The consequence is that you create several controls which in practice do the same thing, but are followed up separately. This creates both duplication and a lack of clarity about what is actually important,” says Christopher.

Duplication and increased strain

When the same information is requested in several different contexts, this also affects the organisation as a whole. The burden on the business increases through repeated questions and the expectation that it provides input to parallel follow-up activities. This not only creates inefficiency, but also affects the quality of the work.

When the focus is on supplying input to multiple processes, there is a risk that the work becomes reactive. Instead of analysing risks and prioritising actions, time is spent responding to requirements.

The result is growing follow-up and review fatigue within the organisation.

“Many organisations feel that they are constantly subject to some form of review or follow-up. This can lead to risk and control work being perceived as administration rather than as support for the business,” says Christopher.

Despite more time and increased resources, it becomes difficult to gain a clear picture of the risk situation and what needs to be prioritised. The work loses impact.

Risk and control, not regulatory frameworks

Reversing this development requires a shift in perspective. Instead of starting from each framework’s own catalogue of requirements, organisations need to look inwards. By starting from the organisation’s risks and controls, the same control can be linked to several regulatory frameworks.

A shared control library becomes a central component. Each control is defined once, in the library, and linked to the regulatory frameworks it satisfies. Where frameworks set different thresholds for the same control, such as differing incident-reporting deadlines, the shared control is specified to the strictest of them, so that it genuinely meets every framework it is linked to. This reduces the need for duplicated work. At its core, this is about a shift in how compliance is viewed.

“Work with a common control structure instead of building the work around each individual regulatory framework. That changes a great deal. It gives you a clearer picture of what you are actually doing. It is not about doing less, but about doing what is already being done in a more connected way,” says Christopher.

Cross-functional structure

An important aspect concerns how the work is organised. Responsibility for risk, compliance and information security is often distributed across different functions. From a specialist perspective, this may be practical, but it creates challenges when the same issues need to be handled in several parts of the organisation and when you are striving for a shared picture.

The solution is a cross-functional structure in which different functions work from the same model, using shared definitions and coordinated follow-up. In this way, risks, controls and activities can be linked effectively.

“It is not about merging functions, but about getting them to work from the same structure. With a common way of describing risks and controls, it becomes easier to coordinate the work,” says Christopher.

Contributes to better decisions

Reduced fragmentation does not only lead to more efficient work. When the focus shifts away from simply meeting requirements, it also leads to more considered decisions for the organisation as a whole. This contributes to:

  • Better overview. A consolidated picture of risks and controls.
  • Less duplication. Fewer repeated requests.
  • Less overlap. The same control serving several regulatory frameworks.
  • Focus on the right things. Easier prioritisation of critical risks.
  • Better decision support. Comparable input that can be used in governance.

The next step in the work

As regulatory frameworks continue to evolve, the overlap between them increases. This strengthens the need for a coherent structure. Managing each framework separately risks reinforcing the problem instead.

According to Christopher, the next step is a natural one for many organisations:

“My advice is to address your structures rather than invest in more processes or tools. Focus on reducing fragmentation by starting with the structure. By bringing the work together, you reduce complexity at the same time,” says Christopher.

Governance in practice

For many organisations, the challenge rarely stems from a lack of ambition or willingness, but from how the work is organised. When regulatory frameworks are handled in silos, complexity arises that makes it harder to gain an overview and weakens governance.

By working with a common structure, in which risks and controls are connected across regulatory frameworks and functions, fragmentation can be reduced and the impact of the work increased. In practice, this is about simplifying the structure. Only when the work is connected can the organisation’s capacity be fully utilised. That is when governance is turned into action.