5 tips to turn your GRC into a business enabler

In Episode 5 of The SAFE Cyber Risk Podcast, host Pankaj Goyal, Chief Operating Officer at SAFE, talks to Rob Tennant, Deputy Chief Information Security Manager at Cotality. Rob shares invaluable insights on GRC: how to approach risk management, governance, and continuous monitoring in today’s dynamic digital world. Watch the podcast now!
Disclaimer: This episode was recorded prior to CoreLogic’s rebrand. Please note that CoreLogic has since transitioned to Cotality. Any references to “CoreLogic” in this episode should be understood as referring to Cotality.
Here are five key takeaways from the conversation:
1. Manage the Most Critical Risks First
Rob urges businesses to embrace risk management as an ongoing, dynamic process. Cyber risk leaders must strive for informed decision-making, and understand the consequences before diving into any venture. Risk management isn’t about eliminating all risk.
As Rob put it, every business takes measured risks, but what matters is how you manage those risks. “Any company that I’ve been a part of – it’s not risk elimination. You have to manage the risk you have. We’re in business to take a measured risk.”
2. Invest in Continuous Cyber Risk Monitoring
In an era where risks evolve by the hour, Rob stressed the importance of continuous monitoring. “Gone are the days in my mind where you do your risk assessment in January and then you come back and maybe you do it in June.”
To successfully reduce risk exposure, every risk leader needs a continuous risk assessment approach in their toolkit.
3. In GRC, Risk Comes First, then Governance and Compliance
Many GRC frameworks focus first on compliance and governance, but Rob sees risk as the driving force that shapes these functions. “Risk is the thing that’s leading the way… you put the governance and you put the compliance around it.”
Rob explained how, in many cases, focusing on compliance can distract from addressing the real risks that businesses face. By putting risk management at the forefront, organizations can better align their security strategies.
4. Real-time Cyber Risk Management Is Crucial
Cyber risks move fast, and your response should too. Rob described his typical day, highlighting how quickly new threats can appear and how he adapts to them. “We see things happen on the other side of the world that introduce risk for us… maybe there’s a threat actor that has launched a ransomware campaign or there’s a new zero-day that we have to be aware of.”
He emphasized the importance of automation and real-time monitoring to quickly identify and respond to emerging risks. Speed is crucial in the battle against cyber risks.
5. Cybersecurity as a Business Enabler
One of the more nuanced points Rob raised was the role of cybersecurity as a business partner. While many teams fear security will slow them down, Rob views purposeful friction as necessary — not to halt innovation, but to ensure it happens responsibly. “I don’t want to cause too much friction, but I do want to cause some level of friction… to where we’re kind of saving ourselves from ourselves.”
He advises businesses to strike the right balance. Security should enable the business — but also act as a critical checkpoint when needed.
Effective cyber risk management is not about rigid frameworks or periodic checklists; it’s about adaptability, business alignment, and informed decision-making. Whether it’s explaining risk to a boardroom or rethinking third-party exposure in an evolving ecosystem, the SAFE One platform supports business leaders across enterprise, third-party, and AI-related risk management using Agentic AI.