
Where does Microsoft Purview fit into the GRC landscape?

GRC integrates the three pillars of governance, risk management and regulatory compliance to create a unified, structured, and centralised strategy for enterprise risk management.

The three pillars of GRC

Governance

Governance is the way an organization manages its operations through a set of rules, practices, and processes. Many governance activities are based on external requirements, responsibilities and expectations. It also establishes a structure for achieving a company's goals and covers most management aspects, from action plans and internal controls to performance measurement and corporate disclosure.

Risk management

Risk management focusses on identifying, analysing, and addressing or mitigating internal and external threats and risks to a business. Those could include everything from cybersecurity threats to human error to natural disasters. Risk management responsibilities often fall across multiple departments, including IT, business, risk/compliance, and finance.

Compliance

Compliance involves ensuring all business processes and activities align with the applicable laws and regulations in order to avoid financial, legal and reputational repercussions. Common examples include data protection regulations (GDPR/POPIA/CCPA etc.) and industry standards (BS/EN/ISO).

Where does Microsoft Purview fit in?

GRC has proven to be a very successful approach to enterprise risk management, helping to clarify and support the achievement of risk management objectives, while simultaneously enhancing decision-making capabilities and improving business performance. It does, however, require collaboration between various stakeholders, including governance, business, IT, compliance and/or risk departments.

This can create challenges, particularly in areas where the lines between team responsibilities become blurred. Data governance is a classic example.

IT teams typically understand the technicalities of the Microsoft environment, its configuration, where the data risks lie, and what tools and capabilities are available to address them. However, IT is not (normally) responsible for formulating – or overseeing and reporting on – the data governance strategy. This falls to governance/compliance/risk teams, most of which have far less technical understanding of the tools at hand.

This can easily result in data governance policies that don’t translate well into the available technical controls, leaving potentially dangerous mismatches between policy and implementation.

This is where Microsoft Purview’s consolidated capabilities can be a gamechanger.

Bridging the gaps

Microsoft Purview is a set of solutions that help organisations govern, protect and manage data where(ever) it lives. It’s not a holistic GRC tool and isn’t looking to take on this role. It does, however, have an impressive feature set and well-structured dashboard that can add a lot of value (and overcome a lot of hurdles) for businesses implementing data governance as part of their GRC strategy.

It does this by bridging the gaps between the technical and risk/compliance sides of data governance, facilitating more effective collaboration and eliminating blind spots.

Purview for IT

On the technical side, Microsoft Purview delivers exceptional visibility into the data estate, and offers a comprehensive range of controls to safeguard and manage sensitive data throughout its lifecycle.

Purview for Risk/Compliance

On the risk/compliance side, that same visibility becomes a powerful asset in the identification of data risks; the supervision and realistic adaptation of technical controls in alignment with the latest regulations and certifications; and the monitoring and reporting of ongoing progress.

Compliance/risk teams access the vast majority of this functionality through Microsoft Purview Compliance Manager. This potent tool is designed to help automatically assess and manage compliance across a multi-cloud environment, dramatically reducing the time, complexity, and workload of managing and monitoring enterprise compliance and risk.

Microsoft Purview Compliance Manager offers:

    • Pre-built assessments for common standards and regulations, as well as custom assessments for unique compliance needs.
    • Consolidated risk assessment workflows.
    • Actionable, step-by-step guidance on high impact improvement actions.
    • A risk-based compliance score to benchmark compliance posture and measure the impact of improvement actions as they are completed.

Who is responsible for rolling out Purview?

The trouble with having something for everyone is that it can be tricky to decide exactly who should be responsible for rolling out Microsoft Purview. The not-so-simple answer is that Purview deployments really need to be a joint effort.

Risk, compliance and business stakeholders need to provide input on the business’ requirements around sensitive data classification and any legal and/or regulatory requirements around retention policies. These feed into the technical controls configured by IT to safeguard and manage the data effectively.

Everyone needs to play their part in understanding and mitigating the risks associated with data. That includes understanding the fundamentals of how the technology works, and the impact policy decisions can have on the business and its users.

Getting to this point can be challenging – particularly when stakeholder engagement is low. If you’re struggling to get everyone in the same room and on the same page, we highly recommend considering the Cloud Essentials Compliance Accelerator Programme.

Get in touch to find out more.

The only way to really know if we’re a good fit is to get in touch, so let’s have a chat! One of our friendly experts will get straight back to you. You never know, this could be the beginning of a great partnership.