CA Community

Why Content is King for GRC

Published: September 24 2009, 09:05 AM
by Mike Hoefgen


When you open Microsoft Word, Excel, or PowerPoint, what do you see? You see a blank screen representing a sheet of paper, a blank spreadsheet, or a blank presentation. At this point you can either create your own document or open another file. If you're like me, you prefer starting with another file (like a template), and then editing, rather than starting from scratch. I think you'll agree that starting with something that's relevant is much easier.

The goal of having GRC content is to make your job as a compliance/risk professional easier and more effective. How can content help? Let's first level-set to make sure we are on the same page.

What is "Content"?

Content generally refers to the regulations, best practices, and frameworks that an organization may want to abide by. Common examples include SOX, HIPAA, PCI, COBiT, NIST, ISO and many others. One such provider of GRC content is the Unified Compliance Framework (UCF), which provides over 400 regulatory documents in a subscription model. The subscription model will save you a tremendous amount of time otherwise spent continuously looking for new and updated regulations. Each of the regulations has been further broken down into paragraphs, page numbers and sections that identify the parts of the authority document describing things you must do to be compliant.

Additionally, each of the authoritative documents is mapped to a set of controls that need to be implemented to be compliant. Adding up the individual controls that are mapped to each of the authoritative documents yields over 10,000 controls. Luckily for you, these controls are rationalized in the Unified Compliance Framework down to about 2,500 common controls. This allows you to easily identify how one control can satisfy many authority documents.

These controls are your blueprint for creating a compliant organization.

Authority documents and controls are typically the largest part of the content that can be provided by a GRC solution, but it's not the only thing. A Risk Library can help you identify common risks that are inherent in any organization. These risks are hierarchical, reusable and will help you quickly identify common risks so you can focus on identifying more industry-specific risks.

Some vendors also offer additional regulation-specific solutions. For example, CA has NERC- and FISMA-specific solutions. These include the NERC and FISMA regulations, related controls, typical workflows and dashboards/reports that can be used to help satisfy NERC and FISMA audits.

The content is "King," but linking it to your environment is "Queen." To get the full benefit of the content you must marry your controls, policies, and your organization structure to the software. And what do I mean by marrying the two? Associating the UCF controls and authority documents with your assets, applications, business units, policies and procedures will give you a real-time map, like a GPS, to guide you along your way to becoming compliant -- and staying compliant.

Just imagine: a control fails, and you are able to very quickly identify which application is at risk, which regulation is being breached, and which business units are affected. You now have the ability to "govern" your compliance posture and can make decisions based on facts rather than intuition.
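The two ideas above, rationalizing per-document control lists into common controls and then tracing a failed control to the regulations, applications and business units it touches, are shown in this added example. It is illustrative code, not CA or UCF software, and all authority documents, control IDs, assets and business units in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample data (hypothetical, not UCF content): each authority
# document lists the common-control IDs it requires.
AUTHORITY_DOCS = {
    "SOX": {"AC-1", "AU-2", "CM-3", "IR-4"},
    "HIPAA": {"AC-1", "AU-2", "MP-4"},
    "PCI DSS": {"AC-1", "CM-3", "SC-7"},
}

# Constructed environment links: which assets implement each control, and
# which business unit owns each asset. IR-4 has no implementing asset.
CONTROL_TO_ASSETS = {
    "AC-1": {"hr-portal", "billing-app"},
    "AU-2": {"billing-app"},
    "CM-3": {"billing-app", "payment-gw"},
    "MP-4": {"hr-portal"},
    "SC-7": {"payment-gw"},
}
ASSET_TO_BUSINESS_UNIT = {
    "hr-portal": "Human Resources",
    "billing-app": "Finance",
    "payment-gw": "Finance",
}


def raw_control_count(docs):
    """Total of the per-document control lists before rationalization."""
    return sum(len(controls) for controls in docs.values())


def rationalize(docs):
    """Invert document->controls into control->documents, so each common
    control shows every authority document it satisfies at once."""
    control_to_docs = defaultdict(set)
    for doc, controls in docs.items():
        for control in controls:
            control_to_docs[control].add(doc)
    return dict(control_to_docs)


def impact_of_failure(control, docs, control_to_assets, asset_to_bu):
    """For a failed control, return the regulations breached, the
    applications at risk and the business units affected."""
    regulations = rationalize(docs).get(control, set())
    assets = control_to_assets.get(control, set())
    units = {asset_to_bu[a] for a in assets if a in asset_to_bu}
    return {"regulations": sorted(regulations), "applications": sorted(assets),
            "business_units": sorted(units)}


def coverage_gaps(docs, control_to_assets):
    """Controls some authority document requires but no asset implements."""
    return sorted(c for c in rationalize(docs) if not control_to_assets.get(c))
```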


By: Mike Hoefgen
Mike Hoefgen has been helping clients solve business problems for over 20 years. Mike is currently a Principal Consultant with CA, Inc working with the Governance business unit and is based in Seattle. Mike holds a Bachelor of Science degree in electrical engineering from the University of Wisconsin...