Charter Engage: Know IT

Governance Risk and Compliance – Aligning Business Activities to Goals

Charter Season 2 Episode 1


Welcome to "Governance Risk and Compliance – Aligning Business Activities to Goals" the podcast where we demystify the intricate world of GRC. Whether you're a seasoned professional or just stepping into these critical realms, our goal is to provide you with valuable insights and practical knowledge to help your organization thrive.

 

In today's episode, we'll embark on a comprehensive exploration of Governance, Risk, and Compliance (GRC). We'll delve into each of these elements to uncover how they contribute to creating a resilient and well-aligned organization, enabling you to navigate the complexities of the business world with confidence.

 

Hear from our guests, who deal with GRC in the field every day, including Marleen Mavrow, Charter’s Director of Governance, Risk and Compliance; Kegan Adams, our Chief Operating Officer; and Mark George, the Vice President, Business Transformation & Prairies Market Leader, as they discuss GRC Definitions; Why GRC is Essential to Business; How Organizations Deal with Changing Compliance Rules and Risks; Proactive GRC Frameworks; Charter’s GRC Practice; GRC Considerations; GRC and Data; Generative AI; GRC and Cybersecurity; to “Start Small,” and the Differences between GRC and ESG.

 

Charter’s commitment as an award-winning IT systems integrator in networking, IT, and security products, coupled with our comprehensive professional services, aims to empower organizations to navigate business transformation successfully by aligning people, processes, and technology for enhanced resilience and operational performance. This podcast series, our blogs, and our webinars/seminars are ways that we champion these messages every day. We hope you enjoy this episode of Charter Engage: Know IT!

 

[Approx. listen time: 37 minutes]

 


Let Charter help drive your business outcomes Forward, Together.

Charter Engage: Know IT Podcast – Governance Risk and Compliance – Aligning Business Activities to Goals


 

November 22, 2023 

[Recorded in Calgary, AB and Vancouver, BC]

 

Presenters (in order of appearance)

– Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

– Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

– Kegan Adams, Charter, Chief Operating Officer


 

 

Agenda

00:07 - Introduction to the GRC podcast

03:42 - GRC Defined

04:55 - Why is GRC Essential?

06:28 - How Organizations Deal with Changing Compliance Rules and Risks

09:20 - Proactive GRC Frameworks

12:58 - Charter’s GRC Practice

17:33 - GRC Considerations

20:30 - GRC and Data

22:36 - Generative AI

26:02 - GRC and Cybersecurity

29:10 - Start Small

31:17 - GRC and ESG

34:09 - Conclusion

 

Introduction to the GRC Podcast

 

[00:07] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Welcome to the latest episode of Charter’s ongoing podcast series called “Charter Engage: Know IT.” [1] I'm your host, Mark George, the Director of Energy, Resources, and Industrial markets. 

 

Today’s discussion is focused on one area that can challenge even the most experienced leaders – Governance, Enterprise Risk Management, and Compliance. This is especially true today, as the markets fluctuate up and down continuously and the rules and regulations continue to evolve. Staying one step ahead requires consistent oversight, cross-functional alignment, and an internal risk control environment that's tailored to meet the needs of the organization and evolve with the risk landscape over time.

 

For over 25 years, Charter’s built a very successful business as a reseller of networking, IT, security, and collaboration products and services. Last year, we made the strategic decision to invest and build a much broader Solutions Integration business, including creating specialty Professional Service practices in critical business areas, such as: Application Development; App Modernization; Business Architecture; Cybersecurity; Governance, Risk, and Compliance; and an Augmentation approach to Staffing. To do this, Charter will take responsibility for customers achieving business outcomes leveraging best-in-class technology and a comprehensive portfolio of Professional Services that help to integrate and optimize across the traditional IT and OT infrastructures. To put these comprehensive solutions together, Charter will partner with third parties to help our clients achieve their Digital Transformation and business objectives.

 

For our regular podcast listeners, you know we spent the last few months in our series exploring topics such as how we work with industry partners to Secure Connected Workers or leveraging Design Thinking to build Business Transformation Roadmaps. But in parallel, we also created a podcast series that highlights the broad range of Advisory Services that Charter offers our clients as part of our Solution Integration business and allows us to feature each of our practice leaders.

 

Today, we're going to focus on our Governance, Risk, and Compliance business. It's my pleasure to introduce our guests: Kegan Adams, the Chief Operating Officer of Charter, and Marleen Mavrow, the Director of Charter’s GRC practice. As you're going to see, both have extensive tech industry experience. But as the leader of our GRC practice, Marleen has over 25 years of IT governance, risk, security, project, and audit experience with global technology companies.

 

Focused on success through teamwork, collaboration, and stakeholder management, Marleen is a proven Consulting Services leader with strong analytical and communication abilities. So, let's get started.

 

Marleen, can you help provide a broader definition of governance, risk management, and compliance?

 

GRC Defined

 

[3:42] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

Hi, Mark. I sure can.

 

So, Governance, Risk, and Compliance – often affectionately known as GRC, is an integrated program. Let's look at each of those elements. 

 

So, governance is ensuring organizational activities are aligned in a way that supports the organizational business goals. So, it’s looking at your policies, procedures, and controls. But, also very important is “How is your organization’s structure? Where are the roles and responsibilities?” 

 

Risk Management. Now, most people look at it as those factors that can put the organization into peril. But risk management is also looking at those factors that could be leveraged for gain. 

 

And compliance. Making sure that organizational activities are operating in a way that meets laws and regulations. 

 

And when you integrate them, and do it effectively, then what GRC is doing is bringing your organization resilience.

 

Why is GRC Essential?

 

[4:55] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, as a follow up, then, why are governance, risk, and compliance essential to the day-to-day operations of an organization? And maybe comment upon “Is it size-related or industry-related?” to, kind of, help educate more of our listeners about the needs of a GRC framework, let me use that word.

 

[5:21] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

Yup. So, GRC. I think it’s a common misperception that GRC is just for big companies. In fact, every organization, regardless of size or industry, can benefit from GRC because it is all about creating a manageable and achievable framework. And every organization today has something they have to comply with. Every organization is collecting data. And that data needs to be protected.

 

Many organizations, even if they don't have particular laws around cybersecurity, none of them want to be impacted by a cybersecurity event. And if they have been, they sure wish they had spent some more time on it. So, you have to stand back and ask yourself, “So, how are we going to go about that? Are we just going to wait to be hit, or are we going to take more of a proactive approach?” And that’s where GRC comes in. It’s the most efficient path forward to creating a manageable, practical approach towards your Governance, Risk, and Compliance.

 

How Organizations Deal with Changing Compliance Rules and Risks

 

[6:28] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, obviously, then, it doesn’t matter the size of the organization or the industry. There might be some specific industry regulations or rules, I suspect, in industries such as oil and gas, for instance, where there clearly are some guidelines. 

 

But Kegan, you get the opportunity every day to work across the country. Risk exists in every organization that, I suspect, you work with. If it's not addressed, in other words, the risks, if they're not assessed and evaluated as part of the GRC plan, it will start to significantly or severely impact growth of the organization; the financial status of the organization; perhaps, even, the reputation. So, compliance is critical, but the jurisdictional rules, the regulations, and standards keep changing. 

 

As you work across the country, then, [and] when you engage with a client in a discussion about GRC, and the work that Charter does in the market, how do you advise that a company or an organization stay ahead of the curve - to try and deal with these changing compliance and risks in every organization across the country?

 

[7:39] Kegan Adams, Charter, Chief Operating Officer

 

That’s a great question, Mark. I’m going to, maybe, first start with an observation and then follow it up with something that Marleen brought up.

 

First of all, the observation part. You know, when we think about customer outcomes, you know typically they were done in the past for productivity improvement; revenue driven, or perhaps customer sat[isfaction] driven.

 

Lots of us used to phrase that as the “Three ups.” Or they would do it, you know, with the intent to drive out some costs in their organization. But what’s been evolving over the last several years is a fifth key driver, which is compliance related. And, you know, one of the things that we observed is “It happened after the fact.” People would, sort of, say, “Oh, my, something happened in my environment,” or “something happened with the data that I store on behalf of my clients. I now need to do X, Y, or Z.” 

 

And one of the things that Marleen called out, which I think we should double down on, is the proactive nature of this. And, how the frameworks that Marleen, and her team, can bring forward enable forward-looking views to provide a sense of where the customer is today and where they need to be for regulatory or compliance reasons, and map out a journey with, I guess, the right word would be milestones along the way - that they can achieve, and not just get the check mark from whatever regulator they need to ensure that they’re meeting their requirements, but for the security of their business and their end clients.

 

So, Marleen, with that in mind, can we, maybe, talk about that proactive nature and why the frameworks you work with help enable that, or that approach, for customers?

 

Proactive GRC Frameworks

 

[9:20] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

Yeah, good question. So, when you look at cybersecurity, a lot of people are very tactically driven. They’re thinking, “Ok. Well, I'll do this one aspect and I'll be better.” But then - and that might be good.

 

[9:29] Kegan Adams, Charter, Chief Operating Officer

“That would be the check mark!”

 

[9:31] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

That would be the check mark. 

 

But, when you look at cybersecurity, and you're taking that approach, you’re taking a very biased approach. You’re putting blinders on, and you have really no idea. “Well, what about other areas? Are you even aware of them?”

 

So, GRC works really well because it leverages industry standards, such as NIST [2], COBIT [3], or ISO [4]. And we use those frameworks to, certainly, identify those areas that are operating effectively, and those are great, but more importantly, we identify those areas needing further support.

 

And from there, we build a program to ensure we operate those things well, that we're doing well, but then really focus on two aspects. First of all, we start addressing those gaps. 

 

And there are always things that you can do immediately. And then the second thing is to build in continuous improvement. And that's so important today because bad actors are continuing to evolve. They continue to find new ways to exploit you. And that means you do too. You need to continuously improve, and check, and validate that your system has the resilience to withstand them.

 

Because in today's world, it’s not an “if,” it's a “when.” And I brought a couple of stats that I wanted to share. So, there were 5.5 billion malware attacks that occurred in 2022. Just get your head around that number. And that’s up from one hundred million, from 2021. And it’s going to just continue to occur. A cyberattack is projected to occur every 39 seconds. And it’s not just big companies, nearly ¾ of US small business owners reported a cyberattack in 2022. [5] 

 

So, you can’t get away with it. You can’t hide from it. So, you have to figure out, “How can we withstand it?” And that’s where GRC comes in. 

 

[11:46] Kegan Adams, Charter, Chief Operating Officer

 

Mark, can I just follow up with one thing that Marleen brought up? You mentioned cybersecurity and you mentioned some of the other – it's multifaceted, it’s multi-pronged. GRC is not one point in time, it's not one particular framework alone. It’s working across.

 

[12:03] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

It's an integrated approach, absolutely.

 

[12:05] Kegan Adams, Charter, Chief Operating Officer

 

And that's one of the things that you’ve helped create within Charter. So, maybe talk about how you work with some of the other practice leads at Charter, and how you all play together in addressing, not just after the fact, but also in helping customers plan. 

 

[12:19] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

So, GRC works really closely with a number of other Charter practices, including our security practice [6], as well as our Microsoft practice [7], and our Business Architecture practice [8], as well. All of these areas have a focus on business objectives. We're not meeting IT objectives. We have to review and align organizational activities to what the business is trying to achieve. So, when GRC identifies a gap, then what we look at is, “How can we re-architect that area?”

 

Charter’s GRC Practice

 

[12:58] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, Kegan. The points you made, that GRC is important for companies and organizations of all sizes; that it's tied to identifying outcomes, business outcomes; that you use the GRC framework to set milestones, identify gaps in the organization, implement some sort of a continuous improvement plan - that ultimately allows you to measure your progress along the way. So, if I've listened to both of you, I think those points are absolutely appropriate as we move into the next part of the discussion. Because, what's evident to me is that all executives know that governance keeps organizations aligned and helps to define the practices, the frameworks, and the controls that are built into their risk management strategies.

 

Over the last few years, obviously, governance has been broadened to include concepts like ESG [Environmental, Social, and (Corporate) Governance]. [9] (We're going to come to that in a few minutes). But, at the end of the day, Kegan, when Charter built and decided to invest in creating the GRC practice, what were some of the objectives that you had in mind? And, more importantly, why do you think Charter is uniquely qualified to offer GRC Services as part of its Solutions Integration strategy in the marketplace?

 

[14:37] Kegan Adams, Charter, Chief Operating Officer 

 

Yeah, that’s a great area to pick up on. So, Mark, when we started this discussion, we talked about the first twenty-five years of Charter, which was largely network based, which was largely project services and managed services. It encompassed the scope of services that we would add. Let’s call them “Value Add” to our customers. But by listening closely to our customers over a number of years, we started talking a little bit more about those business outcomes that they were looking for and where they thought Charter could help them. 

 

And GRC happened to be one area. But we knew that it alone was not the breadth of solution or Professional Services that our customers were looking for. So, as Marleen talks about how GRC is proactive; it sets a plan; it provides milestones; it identifies areas of strength of an organization that need to be recognized [and] fastened up, but it also recognizes areas of weakness, or gaps. And when the customer and Charter work together to build that plan, it became very clear that we needed to engage and create additional practices to round out.

 

Not only can we provide the advice; not only can we reference frameworks; but we can also be part of the “do.” We can be part of the solution. And we can do that in whole, or in part, and in partnership with the customer. 

 

I recall, oh, it’s probably 18 months ago, Marleen, and I, and Kelly Mitchell, our President at Charter, were talking about GRC, and at the same time we were talking about, “Well, let's talk about the other practices. We already have a security practice, but let’s evolve it. Let's grow it. Let's add breadth. Let's ensure that we can help customers operate safely in the cloud.” So, we created a specific cybersecurity practice. We also looked at other areas, like cloud and applications, be that Microsoft, which is a particular area that we focus on, or other cloud-based solutions. We also looked at application development because, whether it's low code, or whether it's no code, or whether it's pro code, customers have been asking us, “Can we help them?” Well, App Development has its own GRC requirements, but it is also part of the solution. So, not only do we wrap GRC around the applications that we provide customers; when we look at customers' environments and look at the applications that they operate, GRC is critical there as well to ensure that they are providing or operating their applications safely and securely.

 

But we didn’t stop there, as well. We’ve long had a business architecture-led approach to the market. And that's where we tie together people, process, and technology. And what that allows us to do is our Business Architects - Wade Crick would be one, but we have a team of others - can get engaged with Marleen and be part of the solution for customers. So, we can design; we can build; we can configure it; and we can operate safe, secure environments according to the GRC frameworks.

 

GRC Considerations

 

[17:33] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

The notion of the interrelationship between the business is really the point that I think we're trying to stress. Because as a customer sets their business outcomes, analyzes, and strategizes about their risk and their compliance, all of these things, kind of, come together. And we're going to end the discussion today looking at cybersecurity, because it's clearly an important component. 

 

But before we get there, Marleen, correct me, but my sense is that GRC is like a GPS navigation system. So, it continuously ensures you're on track; it tries to take into account the most efficient approach possible. If you believe that, what are some of the trends, then, that are going on in GRC today? And, ultimately, as people are doing their three-year plans, and their five-year plans (which many of them are in the process of approving now, at their fourth quarter board meetings), what are the things that they need to pay attention to that, from a GRC perspective, they need to be aware of, and start to take into account as they do their planning?

 

[18:48] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

Yeah, thanks for that, Mark. 

 

I really saw there’s, like, two aspects to that question. But first of all, if we're going to do GRC, “What are the benefits? Why are we doing it?” And GRC, you're right, it definitely gives you efficiency. When you align organizational activities to your business objectives, you will definitely gain efficiency. And you're going to reach your goals - your business goals much faster. 

 

But there’s also a ripple effect, a positive ripple effect. First of all, your executives are going to feel a lot better and be able to manageably predict that they're going to reach their goals. But also, your employees. There's a real positive impact to everyone understanding that they're pulling in the same direction and knowing how to do that. Same with your contractors, as well as your partners. So, there's definitely tangible benefits, and then there's that ripple effect that’s really positive. 

 

You’re also able to sustainably manage your risk and ensure activities are compliant. And when you do that, you are breaking down silos; bringing people together; and creating tremendous transparency – which is so important in today's business world. Because when you're doing that, then you're going to start lowering costs, and increase your return on investments. And that, again, there's a ripple effect to that. So, you definitely have a positive impact to your Executives, from that Financial aspect, but also to your board; to your investors; and your customers. You're going to be protecting and leveraging data, which is one of the most important organizational assets that you have.

 

GRC and Data

 

[20:30] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Let me ask you a follow-up, just on the data side. In my opinion there are no effective governance or Enterprise risk management strategies that you could implement unless you start to think about, “How do you comprehensively access and use the data that's in your organization today?”

 

[20:50] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

I’d even go and say, “Do you even know what your data means?” Or “Do you know where it’s coming from?” Did you know that the average person generated over 1.7 megabytes of data per second? And that we’re expecting that data will grow between 22 to 24% annually? [10] That's incredible. So, if people don't have a handle on it today, it's going to become like a firehose. It’s going to keep on coming in. And it's important for us, as one of our assets, to understand how we can protect it and leverage it.

 

[21:28] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Well, Kegan, you know that our Solutions Integration business looks at the organizations as an Enterprise. And historically, there's been the IT world and the OT world, and a big wall in between. Those walls are disappearing because the executive team needs access to the data, regardless of which part of the organization it comes from. 

 

As you're looking in the market, then, and as you’re building the IoT portion of your business, what are some of the things that Charter’s doing, or maybe some examples of things you're seeing clients do in the market - that they're better leveraging their data, regardless of which side of the organization that comes from? But, more importantly maybe, some that are using the data to transform their business; transform their organization; help them assess their compliance obligations; and, like you said earlier, measure their performance against their transformational objectives. 

 

[22:26] Kegan Adams, Charter, Chief Operating Officer 

 

I definitely see that the majority of the market has evolved from, “Let's just gather the data. Let’s put sensors on the OT environment, or the IT environments; gather it, store it.” And we’ve moved beyond “Store it.” We've moved into an era where customers are looking for insights. They're looking for the data to help them drive decision making. They're looking at data in ways to complement other traditional ways that they’ve either been planning, or responding to incidents or, potentially, lifecycle management and making other strategic investments over a period of time.

 

So, I see us, we’ve moved from gathering, to storing, to providing insights. And that's a particular area where Charter can help customers. But you need to do it. You know, data, we’ll come back to that point. The data needs to be safe; the data needs to be secure; it needs to be clean. And one of the things, as we evolve to using the data for decision making; for providing business outcomes - frameworks help you do that.

 

[22:32] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

Absolutely. They provide a structured approach for you to follow. 

 

Generative AI

 

[22:36] Kegan Adams, Charter, Chief Operating Officer

 

And, you know, one of the things the old customer service says is “Well, AI will help you do it.” 

 

[23:40] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

You need to go at it in a very intentional way. And you asked, Mark, earlier, about some of the trends that we’re seeing in GRC. And we would be remiss if we didn’t bring up Generative AI. It is absolutely a game changer, as we’re moving forward. And I think that with Generative AI, the story is still being written about how we're going to use it. And I think that we need to do two things. We need to, right away, intentionally direct our customers, and staff, about how they're going to use Generative AI. Just, some base protection, so that we're not putting things like our source code into Generative AI with the idea of, “Oh, it will find some of the errors.” And that's not what we want. We don't want customer data going into Generative AI tools. So, putting in some, just clear direction that way.

 

But, at the same time, we want to encourage our customers to be curious. We want to leverage it. We’ve all seen from Business Architecture that you either transform or you get left behind. You don't want to be the Blockbuster of the past; you don't want to be the Kodak of the past.

 

So, I really encourage our clients to form task forces to look at Generative AI. Bring together different stakeholders in the organization; both on the finance side, the legal side, the IT side, but also the operations, maybe the analytics team. Bring them together and get them to have a look at it. Look at proof of concepts, get educated, and take that curious mindset to how you can use this to move your business forward. 

 

[25:18] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Well, we try to make these sessions as practical as possible. And that advice, the notion of creating this team that looks at all dimensions of the business across all the functions, and putting together a common framework that allows even a single topic like Generative AI, which is strategically important to every organization today, not just because it's in every newspaper and channel you turn on TV, but, more importantly, because of the positive impact that, with the right strategies and policies and procedures, it can bring to an organization.

 

GRC and Cybersecurity

 

[26:02] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, I want to touch on a topic that both of you have referred to. But maybe, as we look to wrap up this podcast, kind of, bring it together. So, one of the foundations that both of you have suggested is that a successful GRC framework is built on a comprehensive cybersecurity strategy or program. Now, I know Charter has a practice focused on performing cybersecurity assessments, and then doing; building; implementing cybersecurity policies, procedures, and practices.

 

Marleen, can you tell us a little bit about how you work together with the cybersecurity practice? But, more importantly, if you can provide some sort of a very practical example of how those two worlds collide? And again, we've said earlier, they're clearly interconnected. How does a customer take advantage of the fact that the two Charter teams do work closely together in this space?

 

[27:07] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

I'd like to start by saying that GRC actually provides you an information management program that you can operate from. It's cybersecurity, but it's more than cybersecurity. It's really protecting all of your information and working within an organization from that holistic standpoint.

 

But one of the key components is your cybersecurity controls. So, one of the things that we've been doing at a customer right now is an assessment against ISO 27001. And they’ve had an assessment before, but they've left it for a while (and it's been a few years). So, to get them restarted, we recommended to them, “Well, let's see how you're doing today, because you’ve probably taken some steps.” And we're doing a couple of things when we do this. We're certainly seeing the rise in maturity. And I think it's really important with an organization for them to recognize that they’ve made good strides.

 

But then, also identify the gaps. And we’re also looking [at], “Is there a concentration of gaps in certain areas?” And we call that “Concentration Risk”. Because if you're getting a few blind spots in one particular area, that's not just a vulnerability, it’s a collection of vulnerabilities that really could get exploited. So, we want to provide some transparency and oversight into that.

 

And then, what happens is organizations say to me, “You know, I’d really like to look at different options of how I can address that. What kind of controls are out there?” And that's the way that we collaborate with our security team. And our security team can often come in and give them different examples and approaches that they can take.

 

So that's one of the ways that we've been working really collaboratively with our cybersecurity team. And so, for this particular customer I'm working with, we're still in the analysis phase, but they have already started talking to us about how we can help with the actual implementations. So, I know I’m going to be tapping our security lead pretty soon and getting her to talk with them as well. 

 

Start Small

 

[29:10] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Well, Kegan, one of the themes that you, and Ronnie [Scott, Charter’s CTO], and I have continued to keep as, kind of, a common thread in all the podcasts, is “Where do you start?” And, fundamentally, it doesn't matter the size of the organization; the complexity of the organization; but that, at the end of the day, one of the best things to do is start small.

 

So, it sounds like, as you and Marleen work together in the market, that's the advice that you're giving customers. “Don't try and bite off the whole GRC challenge as this, kind of, amorphous, big thing. Find some place to start. Find something small that you can put your hands around. Build a framework, whether it's tied to some challenged aspect of the business, or a new tool like Generative AI. Start small and work from there.” Is that what you'd suggest in the GRC space that you'd like to close off today's podcast with?

 

[30:14] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

There’s definitely a misconception that GRC is this big program, and I think, particularly, small to medium-sized companies are as much at risk as anyone else. There’s a misperception that it’s too much for them to take on when, in fact, there will always be something that you can take immediate steps with.

 

GRC isn’t about putting in a behemoth program; it's putting in place a manageable program that is right-sized for your organization, based around your business goals. So, we definitely work [with organizations] no matter what size they are. There are always immediate steps you can take. And I think that, in today’s world, the bad actors are not stopping. In fact, they’re getting craftier. And there are more of them. And it’s a massive business out there, so you have to recognize that. And if you want to protect yourself, if you want to build resilience in your business, just start.

 

GRC and ESG

 

[31:17] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, Marleen, obviously, in the marketplace today, people are learning more about GRC; the definition you provided at the beginning is important. But the other thing that, maybe, adds another dimension to GRC and the work that goes into it is the whole notion of ESG. Can you help our listeners better understand, maybe, how they relate, or maybe contrast? I’ll leave that up to you to, kind of, help us understand better.

 

[31:44] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance 

 

Sure. Another 3-letter acronym. So, ESG is Environmental, Social, and Governance. It is, absolutely, another standard that is out there. But it is wider, in terms of its application within the organization, than GRC. And it has a different focus. Although both are very focused on organizations reaching business goals and objectives, ESG is really focusing on that environmental and social, but also governance. So, ensuring organizational activities are aligned, and doing that with respect to the environment. “What is our footprint? Where are we located? What materials are we using?” And “What is the outcome and productivity from our operations? Are we polluting the environment?” And so, ESG is starting to really look at those questions, as well as your resources, your people. “How are you socially engaging with your employees? How are you socially engaging with your customers? What does your organization look like?”

 

And I know I’m not even asking half the questions that are really out there in terms of ESG. But that has a varied focus; it has a different standard than GRC does. It uses different frameworks. But there is definitely an overlap, an interconnection, on the governance side. So, both are going to be looking at “How can we better ensure that everyone is pulling in the same direction?” So, from GRC, we’re really looking at it from an information security perspective, whereas ESG is looking at it from your environmental and social side.

 

[33:36] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Well, Kegan, to your point earlier, it doesn’t matter whether it’s the ESG strategies or the GRC strategies. They’ve got to be done proactively; they’ve got to be done with a framework in mind; you must set some milestones along the way; identify where you have gaps in your organization; and then assign a team from the top of the organization to the bottom to help deal with not only the definition [of the] framework but, as importantly, those common issues between GRC and ESG [that] are clearly transformational in nature.

 

Conclusion

 

[34:09] Kegan Adams, Charter, Chief Operating Officer 

 

That’s a great overview and summary, Mark. And maybe I’ll close by saying the first thing is to understand where the gaps are. The second is to ensure, at the customer level, they understand that they do have gaps and that there’s a desire to improve. And once those things are realized, I just encourage them to call Charter, because we can start with the GRC discussion and bring in the rest of the practices as needed, as the scope, the milestones, the goals and objectives get defined together and we work through next steps together.

 

[34:42] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

So, Marleen, as we get ready to wrap up the podcast, you've shared some amazing insights with our listeners today, including some real-life examples, and [have] given them the comfort that GRC isn't this big hairy beast. That you can put your arms around it; you’ve just got to focus on building this framework, thinking about the parts of your business that you want to start with, and, ultimately, bringing in Charter to be able to help think your way through that.

 

So, as we close, are there some last words you’d like to share with our listeners today, or something that you'd like to highlight as we finish our podcast?

 

[35:25] Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

 

Thanks, Mark. I definitely want to leave our listeners with the recognition that GRC isn’t a big program. It’s definitely something that is built based on creating a manageable program – even if you’re a small- or a medium-sized company. In fact, we work with a lot of small and medium-sized companies. 

 

And we’ve been brought in to help them with a particular aspect. Maybe they want to just start off with 3rd-party risk management. And I’m working with an organization right now and that’s all we’re addressing. They recognize there was a gap there. And so, we’re working with them to help them close that particular gap. 

 

So, I think that what I would encourage our listeners to do is: if there's a small area that you think you need assistance with, Charter can help you with that; but also, if you know that you've got areas of weakness (but aren’t sure where they’re at), Charter can also just stand back and work with you to do an overall assessment. And our customers that we've been doing this work with have been extremely happy that they're getting tangible benefits. They're seeing, right now, better management, better oversight and transparency. And, I think, overall, this has been exactly the value add that Charter can provide to them.

 

 

[36:48] Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

 

Well, I want to thank Marleen and Kegan for the insights that you've provided to our audience. We hope today’s episode has been valuable, and we thank you for investing the time to tune into our podcast series, “Charter Engage: Know IT”. We wish you a productive day.

 
Presenter Information: (in order of Appearance)

 

Mark George, Charter, Vice President, Business Transformation & Prairies Market Leader, Moderator

Mark George is a proven business leader with global experience across multiple industries. He currently serves as the Vice President, Business Transformation & Prairies Market Leader for Charter. Prior to that, he worked for five years as Managing Partner and Founder of EdgeMark Capital and Advisory Services Inc., a capital markets and financial advisory services firm. Mark’s in-depth energy markets experience developed through leadership roles with Environmental Refueling Systems Inc. and with PricewaterhouseCoopers. From 2000 to 2010, he served as the Founder and President of the Cielo group of companies, a fully integrated residential and commercial construction and real estate development company in Arizona. Mark has an intense interest in emerging technologies, having spent 15 years with Nortel, Bay Networks, DEC, and Honeywell in progressive sales, management, and executive roles throughout the Americas and Asia Pacific. Mark proudly serves on the boards of several privately held companies and not-for-profit organizations.

LinkedIn - https://www.linkedin.com/in/markgeorgepwc/

Marleen Mavrow, Charter, Director of Governance, Risk and Compliance

An IT Governance, Risk, Security, Project and Audit Professional with over 25 years of strategic planning and management success with global technology companies. Focused on success through teamwork, collaboration, and stakeholder management. A proven leader with strong analytical and communications abilities.

LinkedIn - https://www.linkedin.com/in/marleen-mavrow-cism-pmp-crisc-590b45a/

Kegan Adams, Charter, Chief Operating Officer

As Chief Operating Officer, Kegan Adams’ primary areas of accountability are to translate the company’s strategy into actionable performance and growth goals and to ensure Charter continues to enhance its high-performance, people-centric team environment. Kegan’s operational areas of accountability include project services (including the Company’s project management office), support and maintenance solutions, and managed services, as well as Charter’s advisory and consulting services, which include Cloud Managed Networking; the Company’s Clarity offerings, which include adoption, lifecycle and data analytics services; Staff Augmentation; and the Business Architecture, Governance, Risk and Compliance, and Security practices.

LinkedIn - https://www.linkedin.com/in/kegan-adams-009a98/

 

 

About Charter

 

Charter is an award-winning technology solutions integrator established in 1997 in Victoria, BC, Canada. Our mission is to align people, process, and technologies to build better organizations, enhance communication, boost operational performance, and modernize businesses. Leveraging a design thinking methodology and a human-centered approach, our team of experts drives successful business transformation for clients. Charter offers a comprehensive range of IT, OT, and IoT products and professional services, including advisory and consulting, project management, and managed services, providing end-to-end solutions from planning and design to ongoing support and implementation. We extend knowledge and support beyond our clients’ businesses, empowering them to focus on core operations. Charter helps organizations generate new value, drive growth, and unlock opportunities, enabling faster and more effective market entry. Forward, Together with Charter, achieving your potential.

 

For more information on this podcast or on Charter, please contact:

Dawn van Galen

Marketing Manager

250-412-2517

DVANGALEN@CHARTER.CA

www.charter.ca
