In my other life, the one that runs parallel to doing Microsoft tech, I own a wonderful MedTech SME. I have board level responsibility for Governance, Risk and Compliance (GRC) and hold the Senior Information Risk Officer role. GRC is a big deal for companies operating within regulated industries. In fact GRC is a big deal for any company operating in any market. I have often ‘joked’, when talking to staff about decisions, that I am the one who gets to go to jail if we get GRC wrong.
Meanwhile I am also co-author on the Governance Risk and Compliance Competency, one of nine such documents so far developed as part of the Maturity Model for Microsoft 365 programme of work, and I am actively working on the companion How to Elevate… document, that describes what you might do to at least achieve level 300 (the minimum we consider acceptable for an operational business).
So the sustained development of compliance tools in Microsoft 365, their sensible separation from security recently and the very recent branding of the compliance offerings as Microsoft Purview was worthy of a deeper dive.
Microsoft Purview is “a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software-as-a-service (SaaS) data.” as Microsoft states on their docs site.
It presents as an impressively accomplished compliance portal, accessed from the M365 Admin centre or directly at https://compliance.microsoft.com/. It offers a wide range of compliance tooling, configuration and reporting for your Microsoft 365 content, as well as Compliance Manager, which aims to provide a structured approach to improving an organisation’s compliance stance, reflected in a single compliance score. The screenshot is my MedTech company’s current position.
I mentioned accomplished. The score is made up of well over 2000 tracked items, classified under:
- Protect information
- Govern information
- Control Access
- Manage Devices
- Protect against threats
- Discover and respond
- Manage internal risks
- Manage compliance
- Privacy Management
Erica Toelle and her team have done a cracking job pulling all this together. I might argue that some of these things feel more like security than GRC (though there is clearly overlap), that a few might be things that they can measure rather than being essential GRC and that many are items that won’t apply to many types of organisation, however that’s to miss the point that this is a potent, wide reaching set of tools that forms a basis for supporting a wider GRC strategy.
3 pillars of GRC
Note that I said support a GRC strategy, not create or operate.
Purview is great, if a little overwhelming at first, but it can only do what it can do. It’s self-evidently tied into the Microsoft stack and not a general GRC tool. It has hooks into most of the corners of Azure & M365, but if you are using AWS or Google etc. solutions you are going to have to approach those without Purview (though the principles established in Purview are going to be very helpful).
As with any tool, Purview can’t do all the job for you. The organisation must wield it in context and with purpose. There must be approaches for the things the tool doesn’t do, which means having the vision and policies that dictate the GRC stance, having staff and associates enabled to work to the GRC rules and having further tooling, resources and processes that address what Purview cannot offer. We have a 3 Pillar model for this more complete approach.
In our case we have created our own Governance Risk and Compliance Centre in Teams/SharePoint. This acts as a hub where each relevant GRC driver (whether a matter of law, regulation, industry or association standards & obligations, plus best practice, organisational principles and agreed ways of working) is described in terms of its background, obligations, purpose and approach. It also contains lists for tracking issues and risks, incidents as well as those defining what content is under management (policies, contracts etc) and the rules and properties to be implemented. We have document libraries and links to policies and relevant documents that exist outside the hub. Our staff Training Records live here, as do our GRC action plans, calendar of events and audits, reports and (when we have it built) an audit tool for each auditable process.
Outside the hub, we also implement version control, approvals and a variety of other measures for our content and communication, as appropriate. We are careful not to govern that which doesn’t require it; it is in the nature of people to stop doing unnecessarily cumbersome processes and thereby break governance, so we use a very light touch wherever we can.
Purview has helped us think through some of our policies and develop our management tools and staff engagement, even for things that it does not have direct insights into. We realised that we had not fully implemented a Training Record system, for example. We also discovered that it has a built-in tool for GDPR Subject Access Requests (DSRs), so we didn’t have to build that.
There are some omissions that could be easily addressed in future. In this category, it has an Audit function, but that is focused solely on running searches (effectively reports) on platform activity. There is little help to plan, schedule, action and report on Audit activities in general (so we are building that in our portal). Many of the tools are reactive and it doesn’t yet have the holistic management approach the wider organisation needs.
The presence of a Compliance Score is something I have thought a lot about.
Single number KPIs (Key Performance Indicators) are always contentious. Helpfully, Compliance Manager displays sub-scores for the 9 classes it defines. It has a sensible algorithm for calculating the score, with Preventative Mandatory actions contributing the most weight (27 points), while Corrective Discretionary items offer just a single point.
The debate is whether there should be a score at all and whether such a score is meaningful. My view is that it has always been difficult to provide useful KPIs for governance etc., so the Purview Score does add value here, just as the similar Secure Score does for security. As long as organisations remember that this is really just the score for the third pillar and develop measures for the other 2 then I contend that it’s justified.
The other debate, as part of my work on the GRC Maturity Model Competency and Elevate documents, is what score organisations should aspire to. If you have stood up M365 you are probably already at 50% or better with even the most basic interventions (“Next, Next, Next”!). I would suggest that 70%+ should be an easily achieved target and is consistent with operating at level 300 on the Maturity scale.
To address the more onerous, remaining ~30%, we have put in place a continuous improvement initiative to work through all the Key improvement actions, implementing any we can do straight away and adding the more challenging ones to an Action Plan. It will take us some months to work through it all and undoubtedly longer to implement everything that we choose to do, but we can track the improvements using the metric, thereby demonstrating its worth (and also show that direction of travel to our clients and regulators).
Governance, Risk and Compliance are always a work in progress. Things change, threats and standards emerge, business needs evolve. Developing an organisation-wide, adaptive and proactive approach to GRC is essential for business of all sizes. You absolutely do not have to be a multi-national with tens of thousands of employees to need GRC; tiny SMEs are just as exposed.
You might get the impression, listening to the tech folk speak of governance, that it’s all about managing the IT stuff. That would be a mistake. The point here is that the various tools that IT might adopt are only part of the story.
Microsoft Purview, Sharegate’s excellent Apricot or any of a mixed bag of other governance tools all have their place, but any suggestion that the ‘GRC Complete’ box can thereby be ticked off hints at a failure of understanding or leadership. Establishing GRC within your organisation is going to take effort; Microsoft have given you a great ‘leg up’ on that, but the rest is on you as a leader or owner in a business and your team. Use the tools to control your digital environment, think about what they are assessing, actioning and reporting and how these might apply to Health and Safety, HR obligations, Companies House and other corporate obligations. Think about those things your company does that are not wrapped in data, communication and content and ensure you are as diligent there too.
In the morning it has taken me to write this blog and play with some more Purview settings we have increased our Compliance Score from 73% to 76%. Most of that was by creating and applying Sensitivity labels. Far more significantly, we have introduced some better practices and controls within our company that will reduce our personal and corporate risk and enhance some of our operations.
For definitions of Governance, Risk and Compliance, see https://docs.microsoft.com/en-us/microsoft-365/community/microsoft365-maturity-model--governance-and-compliance#definition-of-this-competency