Risk Blog 4: How To Manage Different Regulatory Assessments

Written by GRC Practice Director, Alex Hollis

Published on 30 Oct 2018

Figure: Duplication, Waste, Cost

Different regulatory assessments require you to tick different controls off a list and demonstrate your compliance. Depending on the requirements, each assessment is performed and completed in a different department within your organization.

The trouble is that there is often overlap in what’s being asked of you. For example, ISO 27001 (Annex A control A.7.1.1, screening) and PCI DSS (requirement 12, specifically 12.7, screening of personnel before hire) both ask you to evidence the same background checks on your staff. But if these assessments are completed by different functional heads, neither will necessarily know that the checks have already been performed and evidenced for the other, which leads to duplicated effort (and an annoyed HR department, whose workload is being added to unnecessarily). According to industry estimates, duplication rates of up to 30% of records are not uncommon in companies without data quality initiatives in place.

The problem only intensifies for organizations with strict backup policies, which retain greater volumes of data. Here the estimate rises to as much as 80% of all corporate data being duplicated.

Back to basics

Having helped over 450 organizations with their Governance, Risk, and Compliance (GRC) requirements, we’ve seen our fair share of unnecessary complexity. Organizations evolve organically, and people satisfy what’s being asked of them in the best way they know how. But it’s rare that anyone stops to look at the business in its entirety, considering the interdependencies and the areas where efficiency gains could be made.

With Governance, Risk and Compliance, you have to take that step back and consider the control framework you need to define. If you look down on your whole business, you suddenly have the oversight to say that a single control (e.g. staff background checks) satisfies the regulatory requirements within A, B and C (e.g. ISO 27001, PCI DSS and GDPR). With that oversight, you know how to streamline your operations and boost your efficiency: one control, evidenced once, answers every assessment that asks for it.

Build it and they will come

Most organizations try to ensure their compliance with technology: they need to be ISO 27001 compliant, so they use system A; they need to be PCI DSS compliant, so they use system B; now they need to be GDPR compliant, so they use system C.

But now you have three separate systems that essentially do the same thing; each solves a different flavor of the same compliance problem. By purchasing three separate systems, each with its own implementation, training and maintenance, you’ve duplicated (and therefore wasted) time, effort, resources and money.

Where did you go wrong?

As your organization evolved organically over time, each business function looked at its risks in isolation. That caused you to keep adding new controls to mitigate each risk. What you couldn’t see was that many of these controls were unnecessary, costly, and ultimately tied your business down. Without this oversight, your personnel are constantly asking the same people for the same information, which disrupts business-as-usual activity, generates friction within the organization and slows it down.

In addition, this blinkered approach of mitigating every risk and ticking it off the list means you’ve lost sight of the bigger picture: do you even need the control in the first place? Every organization, and every department within it, has a different risk appetite. So for every control, you need to assess whether the level of risk it mitigates is large enough to warrant the investment in that control; if it is not, the right answer is to record the risk as accepted rather than fund the control.

Stop the madness

To avoid this costly duplication, you need to be prepared to stop and take stock of the situation. You need to look down on everything that’s required of your organization, commit to a single control framework that satisfies all of those requirements, and sometimes make the tough, unpopular call not to implement certain controls at all.
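The approach above (one control library mapped to every assessment that asks for it, plus a per-control decision against risk appetite) is easy to put into data. The following is an added illustration, not SureCloud’s code or product. The clause numbers are real references (ISO/IEC 27001:2013 Annex A and PCI DSS v3.2.1, the versions current when this post was written, plus GDPR articles), but which control each clause maps to, the control IDs, the owners and the risk ratings are all constructed for the example.

```python
"""Crosswalk from one control library to several regulatory assessments.

Added example, not SureCloud's code or product. Clause references are real
(ISO/IEC 27001:2013 Annex A, PCI DSS v3.2.1, GDPR articles); the mapping of
clauses to controls, control IDs, owners and risk ratings are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    framework: str  # assessment the question comes from
    ref: str        # clause or requirement number inside that framework
    summary: str    # what the assessor asks you to evidence
    owner: str      # department that answers it when assessments run in isolation


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    owner: str           # single accountable owner once the control is centralised
    risk_reduction: int  # 1 (negligible) .. 5 (critical); constructed rating


# Constructed sample: three assessments landing on three different departments.
REQUIREMENTS = [
    Requirement("ISO 27001", "A.7.1.1", "Background verification on candidates", "CISO office"),
    Requirement("PCI DSS", "12.7", "Screen potential personnel prior to hire", "Payments team"),
    Requirement("ISO 27001", "A.12.3.1", "Information backup", "CISO office"),
    Requirement("PCI DSS", "9.5.1", "Store media backups in a secure location", "Payments team"),
    Requirement("GDPR", "Art. 32", "Restore availability of data after an incident", "DPO"),
    Requirement("ISO 27001", "A.11.2.9", "Clear desk and clear screen policy", "CISO office"),
    Requirement("GDPR", "Art. 30", "Records of processing activities", "DPO"),
]

# Constructed control library with one accountable owner per control.
CONTROLS = {
    "CTRL-01": Control("CTRL-01", "Pre-employment screening", "HR", 4),
    "CTRL-02": Control("CTRL-02", "Backup and tested restore", "IT operations", 5),
    "CTRL-03": Control("CTRL-03", "Quarterly clean-desk spot checks", "Facilities", 1),
}

# The crosswalk: (framework, ref) -> the one control that evidences it (constructed mapping).
CROSSWALK = {
    ("ISO 27001", "A.7.1.1"): "CTRL-01",
    ("PCI DSS", "12.7"): "CTRL-01",
    ("ISO 27001", "A.12.3.1"): "CTRL-02",
    ("PCI DSS", "9.5.1"): "CTRL-02",
    ("GDPR", "Art. 32"): "CTRL-02",
    ("ISO 27001", "A.11.2.9"): "CTRL-03",
}


def siloed_requests(requirements):
    """Before: each owner raises one evidence request per requirement, so HR is
    asked for the same screening records by the CISO office and by Payments."""
    by_owner = defaultdict(list)
    for r in requirements:
        by_owner[r.owner].append(f"{r.framework} {r.ref}")
    return dict(by_owner)


def consolidate(requirements, crosswalk):
    """After: group requirements by the control that satisfies them.
    Returns ({control_id: [refs]}, [requirements no control in the library covers])."""
    covered = defaultdict(list)
    gaps = []
    for r in requirements:
        control_id = crosswalk.get((r.framework, r.ref))
        if control_id is None:
            gaps.append(r)
        else:
            covered[control_id].append(f"{r.framework} {r.ref}")
    return dict(covered), gaps


def duplication_rate(requirements, crosswalk):
    """Fraction of evidence requests that repeat a question another assessment
    already answered through the same control."""
    covered, _ = consolidate(requirements, crosswalk)
    mapped = sum(len(refs) for refs in covered.values())
    return (mapped - len(covered)) / len(requirements) if requirements else 0.0


def funding_decisions(controls, appetite):
    """Per control, keep it only if the risk it removes exceeds the organisation's
    appetite (a threshold on the constructed 1..5 rating); otherwise record the
    risk as accepted rather than fund the control."""
    return {
        cid: ("implement" if c.risk_reduction > appetite else "accept risk")
        for cid, c in controls.items()
    }


if __name__ == "__main__":
    print("siloed:", siloed_requests(REQUIREMENTS))
    covered, gaps = consolidate(REQUIREMENTS, CROSSWALK)
    print("one request per control:", covered)
    print("no control yet, needs a decision:", [f"{g.framework} {g.ref}" for g in gaps])
    print(f"duplication rate: {duplication_rate(REQUIREMENTS, CROSSWALK):.0%}")
    print("appetite 2:", funding_decisions(CONTROLS, appetite=2))
```

On this sample the siloed view raises seven evidence requests across three departments; the crosswalk collapses six of them onto three controls (a 43% duplication rate) and surfaces one requirement (GDPR Art. 30) that no control yet covers, which is exactly the point at which to decide whether a new control is warranted or the risk is accepted. The same appetite threshold drops the low-value clean-desk control rather than funding it because an assessment happens to mention it.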

Stop looking at your Risks in isolation

On November 27th I hosted a webinar dedicated to helping you better understand integrated risk management and how to implement a framework that matches your organization’s risk appetite. If you were unable to attend on the day, you can view it on-demand through BrightTALK now.

Alternatively, if you have a specific question about your risk management framework, you can contact my team directly through 

Have you read our previous blog in this series? Find it here.