Short introduction from Hannes Lubich
In many organizations, the systematic handling of operational and conceptual risks within the framework of corporate governance and compliance, based on the corresponding legal and regulatory requirements, is more of an art than a well-established practice. There are often large gaps between requirements, supposed "best practices" and the corresponding checklists on the one hand, and lived reality with its practical constraints, relevant conditions and conflicts of interest on the other. The question is less whether anything should be done in the GRC area at all than how the respective "good enough" status is defined, how it can be achieved and how it can be maintained in the face of ever-changing requirements. There are enough theories, methods and tools for this, but implementation in practice shows that there is a broad gray area between the maximum demand and "sitting out" the status quo, in which personal experience of proven and less suitable approaches plays a greater role than following a "textbook approach".
In this context, it makes sense to invite practitioners from the various affected areas (governance, risk management, compliance, audit, service management, project management, information security, data protection, etc.) to an informal exchange of experiences, opinions and open questions, to learn from each other and, where appropriate, to identify ideas for new or changed solutions in their own companies. The focus should not be on products, new control tools or checklists, but on approaches, procedures and measures that have proven to be particularly effective (or not) compared to other methods and tools.
Roundtable Discussion moderated by Hannes Lubich and Jürgen Stückle, Cyber Security Advisor at BearingPoint