Automating ISO 27001 Risk Scoring in Python: From Risk Register to Ranked Strategy.

GRC, Risk management

Spreadsheets are powerful. But they are also fragile.

When I first worked on an ISO 27001-aligned risk register, it looked structured and complete. Assets were listed. Threats were documented. Likelihood and impact were scored. Controls were mapped to Annex A. Everything seemed organised. But something important was missing: consistency.

That’s when I decided to automate the scoring model using Python. Not to replace governance, but to strengthen it.

The Problem With Manual Risk Scoring

Risk registers often rely on manual scoring: Even with good intentions, this introduces: Governance works best when it is defensible and repeatable. Automation helps achieve that.

The Model: How the Risk Scoring Worked

The goal was simple: take a structured ISO 27001 risk register and build a consistent, automated scoring engine. The Python-based model: Instead of manually scanning rows, the model produced a prioritised risk list instantly. What changed was not just speed; it was clarity.

Why Impact Was Calculated Using the Worst-Case CIA Value

In ISO 27001 risk assessments, impact is often linked to Confidentiality, Integrity, and Availability. Rather than averaging these values, I calculated impact using the maximum CIA score. Why? Because a severe impact in any one dimension can materially affect the business. For example: Using the maximum value aligns better with real-world risk severity. This small design decision makes the model more conservative and more realistic.

From Risk Score to Risk Category

After calculating RiskScore, the model categorised risks: This step matters. Leadership rarely responds to raw numbers. They respond to thresholds and priorities. By defining consistent scoring bands, the model ensures: Automation removes ambiguity from categorisation.

What the Ranked Output Revealed

Once automated and sorted, patterns became clearer. Assets such as: scored among the highest risks. These are common enterprise risk drivers. The automation did not create new risks. It revealed them clearly. That clarity supports strategic decisions:
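An added example, not the post’s own code, of the scoring engine described above: impact taken as the worst-case CIA value, a RiskScore, fixed category bands, and a ranked output. The RiskScore formula (Likelihood × Impact on 1-5 scales), the band thresholds, the register columns and the sample rows are all assumptions; the "mean" option is included only to show why averaging understates severity.

```python
import csv
import io

# Constructed sample register (not real data): asset, threat, likelihood,
# C/I/A impact on 1-5 scales, and an illustrative Annex A control mapping.
SAMPLE_REGISTER = """\
asset,threat,likelihood,conf,integ,avail,control
Customer database,Unauthorised access,4,5,3,2,A.5.15
Payroll system,Ransomware,3,2,4,5,A.8.7
Public website,Defacement,2,1,4,2,A.8.25
HR file share,Accidental disclosure,4,4,2,1,A.5.10
Backup tapes,Loss in transit,1,5,1,3,A.7.10
"""

SCALE = range(1, 6)  # assumed 1-5 likelihood and impact scales


def impact(conf, integ, avail, method="max"):
    """Worst-case CIA value by default; "mean" exists only for comparison."""
    if method == "mean":
        return round((conf + integ + avail) / 3)
    return max(conf, integ, avail)


def categorize(score):
    """Assumed bands on the 1-25 Likelihood x Impact scale."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def score_register(text, method="max"):
    """Parse a CSV register, score each row, and rank highest risk first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(text)):
        vals = {k: int(row[k]) for k in ("likelihood", "conf", "integ", "avail")}
        bad = [k for k, v in vals.items() if v not in SCALE]
        if bad:  # reject out-of-range entries instead of scoring them silently
            raise ValueError(f"{row['asset']}: {bad} outside the 1-5 scale")
        imp = impact(vals["conf"], vals["integ"], vals["avail"], method)
        score = vals["likelihood"] * imp
        ranked.append({**row, "impact": imp, "risk_score": score,
                       "category": categorize(score)})
    # Ties broken by impact, then asset name, so the ranking is deterministic.
    ranked.sort(key=lambda r: (-r["risk_score"], -r["impact"], r["asset"]))
    return ranked


if __name__ == "__main__":
    for r in score_register(SAMPLE_REGISTER):
        print(f"{r['risk_score']:>2}  {r['category']:<8} {r['asset']} "
              f"(likelihood {r['likelihood']}, impact {r['impact']}, {r['control']})")
```

Run with `method="mean"` to see the post’s point in numbers: the backup-tape row drops from Medium to Low because its single severe confidentiality impact is diluted by the other two dimensions.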

February 19, 2026 / 0 Comments

From Spreadsheet to Strategy: How Risk Assessments Support Business Decisions

GRC, Risk management

Amara stared at the spreadsheet longer than she expected. Rows of risks. Columns for likelihood, impact, controls, ownership. Numbers that looked simple at first glance. But the more she worked through it, the more she realised something important: this wasn’t just documentation. It was a map of how a business could fail. And more importantly, how it could decide what to protect first.

A Risk Assessment Is Not a Compliance Exercise

Many people see risk assessments as: But when done properly, a risk assessment forces one hard question: What could hurt this business the most, and are we prepared? That question shifts everything. Because risk is not technical first. It is business first. A vulnerability only becomes a risk when it threatens: That’s where strategy begins.

When Numbers Turn Into Priorities

In the spreadsheet, each risk had: On paper, it looked structured and calm. In reality, those numbers determine: This is where risk assessment becomes strategic. Because leadership does not act on fear. They act on prioritisation. A well-built risk assessment translates technical concerns into business language.

The Power of Risk Ownership

One column stood out to Amara more than the others: Risk Owner. This is where risk stops being abstract. When ownership is clear: Without ownership, risks sit in spreadsheets. With ownership, they enter conversations. And conversations drive strategy.

Risk Appetite: The Silent Decision-Maker

Another realisation came while scoring risks. Not all high risks are treated the same. Some are mitigated immediately. Some are monitored. Some are accepted. Why? Because every business has a risk appetite. A startup might accept more risk to move faster. A regulated company may tolerate far less. Risk assessment is not about eliminating all risk. It is about making conscious trade-offs. That’s strategy.

Controls Are Investments

Each risk in the spreadsheet required a decision: Controls cost time and money. So every mitigation choice is an investment decision. When risk assessments are done well, they help leadership answer: This is how GRC supports business objectives.

Why This Matters in Tech Companies

Tech companies move fast. New features. New integrations. New markets. Without structured risk visibility, growth creates blind spots. A risk assessment: It allows companies to scale without guessing. That’s not bureaucracy. That’s operational intelligence.

From Spreadsheet to Strategy

At first glance, a risk assessment looks like rows and formulas. But underneath, it represents: The spreadsheet is only the container. The real value is the thinking behind it. Risk assessments are not about filling templates. They are about helping organisations decide clearly and confidently what matters most. And that is where governance becomes strategy.

February 18, 2026 / 0 Comments

Why Good GRC Starts With Understanding How Work Really Happens

GRC

Amara followed the procedure. At least, she tried to. The manual said one thing. The situation in front of her was saying something else. There was pressure, limited time, and competing priorities. Everyone around her was doing their best to keep things moving safely. The procedure was not wrong, but it was not written for this exact moment. In aviation, moments like this are taken seriously. Not to blame anyone, but to ask a better question: Is our governance aligned with real work? That question sits at the heart of good GRC.

The Gap Between Work as Written and Work as Done

Every organisation has policies, procedures, and rules. They describe how work should happen. But real work rarely follows a straight line. People: This is not carelessness. It is reality. In aviation, this gap is openly recognised. Procedures are reviewed, updated, tested, and adjusted based on how work actually happens, not how it looks on paper. Good GRC works the same way.

Why Policies Fail When They Ignore Reality

Many security policies fail not because people don’t care, but because they don’t fit real workflows. When policies: people find ways around them. Not to be reckless, but to get the job done. This is where GRC is often misunderstood. GRC is not about enforcing rules at all costs. It’s about designing governance that supports business objectives in the real world.

Aviation Treats Procedures as a Living System

In aviation, procedures are not static documents. They are: If a procedure doesn’t work in practice, it’s the procedure that gets questioned, not the person. This is governance done well. It recognises that: That mindset is powerful in cybersecurity.

What This Means for GRC in Cybersecurity

In cybersecurity, GRC sits between: To do that well, GRC must understand how work really happens across the organisation. That means: This is not weakness. This is good risk management. You cannot manage risks you don’t understand.

Good GRC Translates Risk Into Real Action

When GRC understands real work, it can: This is how GRC supports business goals. Just like aviation governance supports: GRC supports:

Why This Perspective Matters

Cybersecurity is becoming more complex every year. More tools. More alerts. More pressure on people. Without governance grounded in reality, security becomes fragile. But when GRC is built around how work actually happens, it becomes a strength, not a burden.

Why This Matters to Amara

Coming from aviation, Amara learned early that safety is not created by perfect rules. It is created by: That’s why GRC feels familiar. At its best, GRC does not police people. It supports them. It connects governance to real work, real risks, and real business needs. And that is where good GRC always starts.

February 13, 2026 / 0 Comments

Cloud Security Fails When Responsibility Is Unclear

cloud security, GRC

One of the biggest lessons I am learning as I explore cloud security through a GRC lens is this: cloud security doesn’t usually fail because tools are missing. It fails because responsibility is unclear. In the cloud, everything feels shared. Infrastructure, platforms, applications, data. And when things feel shared, responsibility often becomes blurred. Everyone assumes someone else is handling security until something goes wrong. That’s where Governance, Risk, and Compliance (GRC) come in.

Governance: Defining Who Owns What

Governance answers one simple but powerful question: Who is responsible for what? In cloud environments, governance defines: Without clear governance, security tasks fall into gaps. Controls exist, but no one is accountable for them. Decisions are made without clarity, and risks quietly grow. Governance creates structure so responsibility is not assumed; it is assigned.

Compliance: Making Responsibilities Visible

Compliance turns responsibility into something measurable. Policies, standards, and regulatory requirements force organisations to document: In the cloud, compliance helps ensure that security expectations are not just understood but followed consistently. It provides proof that responsibilities are being met, not guessed. Without compliance, responsibility becomes informal and unreliable.

Risk: What Happens When No One Owns It

Risk thrives in uncertainty. When responsibility is unclear: Risk management in GRC asks: Cloud risk is not just technical. It is organisational.

Why This Matters

Cloud providers secure the infrastructure, but organisations are responsible for how they use it. This shared model only works when responsibility is clearly defined. When it isn’t, security fails quietly until it doesn’t.

On a Final Note…

Cloud security is not just about tools or platforms. It’s about: When responsibility is unclear, cloud security fails. When GRC is strong, responsibility is clear and security has a fighting chance.

February 7, 2026 / 0 Comments

Cloud Security Isn’t Just Tools It’s a Chain (And GRC Holds It Together)

cloud security, GRC

When I first started learning about cloud security in GRC, I assumed it would mostly be about tools: firewalls, access controls, dashboards, and configurations. But very quickly, I realised something important: cloud security is not a single tool. It’s a chain. And like every chain, it is only as strong as its weakest link.

In cloud environments, security works in layers that depend on one another. If one layer is ignored, the entire structure becomes fragile. This is where GRC (Governance, Risk, and Compliance) quietly does the heavy lifting.

The chain starts with laws and regulations. These are the rules set by governments and regions: data protection laws, privacy requirements, and industry mandates. They define what must be protected and why it matters. Without laws, there is no obligation to secure data properly.

Next come frameworks. Frameworks translate legal and business expectations into structured guidance. They help organisations understand how to approach security in a consistent way across cloud environments.

Then we have standards. Standards turn frameworks into measurable expectations. They define what “good security” should look like in practice, making it easier to assess whether an organisation is meeting its obligations.

From standards flow controls. Controls are the actual actions taken: access restrictions, logging, encryption, identity management. This is where many people think cloud security starts, but in reality, it’s already several steps into the chain.

Finally, there are metrics. Metrics answer one simple question: Is any of this actually working? They help organisations measure effectiveness, spot weaknesses, and improve continuously.

Break one link (ignore laws, skip frameworks, poorly implement controls, or fail to measure outcomes) and cloud security fails faster than expected. This is why cloud security and GRC are deeply connected. GRC ensures the chain stays intact, aligned, and accountable. It reminds us that security isn’t just about technology; it’s about structure, responsibility, and follow-through. Cloud security doesn’t collapse because tools are missing. It collapses because connections are broken. And GRC exists to make sure they aren’t.

February 4, 2026 / 0 Comments

Why Human Error Is Not Human Failure

GRC

In cybersecurity, and especially in GRC, human error is often treated like a flaw. A weakness. Something to blame when things go wrong. But the truth is simpler and more honest: human error is not human failure. It is human nature.

People forget. People get tired. People rush. People trust. People multitask. That doesn’t make them careless. It makes them human.

If systems were only attacked by breaking code, security would be much easier. But attackers understand something important: humans are part of every system. That’s why most incidents don’t start with sophisticated hacking tools; they start with a click, a response, a moment of urgency, or misplaced trust.

When an employee clicks a phishing link, it’s not because they are foolish. It’s often because the message was designed to exploit emotions like fear, authority, or opportunity. When someone reuses a password, it’s usually because convenience feels necessary in a fast-moving world. These are not failures of character; they are predictable human behaviours.

This is exactly why GRC exists. Policies, controls, training, and procedures are not there to punish people; they are there to support people. GRC assumes humans will make mistakes and designs guardrails around that reality. It focuses on reducing the impact of errors, not pretending they won’t happen.

That’s also why phrases like “just be more careful” don’t work. Awareness alone doesn’t stop incidents. Preparation does. Clear processes do. Verification does. Backup plans do.

In GRC, success isn’t about eliminating human error. It’s about expecting it, planning for it, and minimising harm when it happens. That mindset shifts security from blame to resilience. When organisations stop asking, “Who messed up?” and start asking, “Where did our controls fail to support people?” security improves. Because strong security isn’t built on perfect humans. It is built on realistic systems designed for imperfect ones. And that is not weakness. That is business continuity strategy.

January 30, 2026 / 0 Comments

Why Policies Exist, Because People Are Human

GRC

Policies often get a bad reputation. People see them as restrictive, boring, or unnecessary. Sometimes they feel like obstacles: rules that slow things down or make work harder than it needs to be. But as I continue to learn about GRC, I am beginning to understand something important: policies don’t exist because people are bad. Policies exist because people are human.

Humans Are Predictable

Not in a negative way, but in a very real way. Humans: These behaviours show up in life, at work, and online. And when systems depend only on “doing the right thing,” risk quietly grows. Policies exist to guide behaviour when emotions, pressure, or distractions take over.

Policies Create Consistency

People don’t all think or act the same way. Without policies: Policies bring consistency. They ensure that when situations arise, there is a shared understanding of what should happen, no matter who is involved. That consistency reduces risk.

Policies Support People Under Pressure

When something goes wrong, people panic. In those moments, policies act like a reference point. They remove guesswork and reduce emotional decision-making. Instead of asking: What should I do right now? Policies answer: This is what we do. That clarity protects both people and organisations.

Policies Are Preventive, Not Punitive

A common misconception is that policies exist to punish. In reality, policies are designed to: They are guardrails, not handcuffs.

Why This Matters in GRC

GRC doesn’t assume perfection. It assumes: Policies are one way GRC helps organisations prepare for those moments. They don’t remove risk. They help manage it. Outside of cybersecurity, policies exist everywhere: They exist not because people can’t be trusted, but because structure keeps things working when human behaviour becomes unpredictable.

On A Final Note…

Policies are not the enemy. They are a recognition of reality. People are human, and humans need guidance, clarity, and structure to reduce risk and protect what matters. That is why policies exist. Not to control people. But to support them.

January 27, 2026 / 0 Comments

Why Being Warned Is Not the Same as Being Prepared

GRC, Social engineering

As I continue learning about GRC, one thing is becoming very clear to me: being warned does not mean being prepared. At first, I thought warnings were enough. If a system alerts you, if a message pops up, if someone tells you “this is risky,” then surely that should protect you, right? But real life doesn’t work that way.

Warnings Don’t Change Behaviour

We see warnings everywhere: Most of the time, we click past them. Not because we don’t understand them, but because we are often distracted, hopeful, tired, or in a hurry. Sometimes we think, “This can’t happen to me.” A warning only informs you. It doesn’t prepare you.

Preparation Is Mental, Not Just Technical

Preparation means: In GRC, this is important. A warning might say, “This action is risky.” Preparation asks, “What happens if I continue, and am I ready for the consequences?”

Why GRC Focuses on Readiness

GRC exists because organisations know that: So instead of relying on warnings alone, GRC encourages: This turns information into action.

Life Teaches This Lesson Too

Life itself is full of warnings. We are warned that things can go wrong: health, finances, relationships, careers. But preparation is what helps us cope when they do. Preparation doesn’t remove risk. It helps us handle it better. That is the same mindset GRC brings into cybersecurity.

I am beginning to understand that security is not about avoiding mistakes completely. It is about: Warnings are helpful. Preparation is powerful. A warning tells you something could go wrong. Preparation helps you survive when it does. That is why in GRC, awareness alone is not enough. Readiness is what truly reduces risk. And this is a lesson I am still learning, one step at a time.

January 23, 2026 / 0 Comments

Risk Management Starts With People, Not Systems

GRC, Social engineering

When people talk about risk in cybersecurity, the focus is often on systems: servers, networks, software, and tools. But as I continue to learn about GRC, one truth keeps standing out to me: risk management doesn’t start with systems. It starts with people. Before a system fails, a human decision is usually involved.

When Risk Warnings Are Ignored

When my Facebook page was taken over, I was warned. The platform showed me a message explaining the risk if I accepted access. I saw it. I read it. But in that moment, I was blinded by opportunity and trust, and I went ahead anyway. I learned the hard way. The system did its job; it warned me. The risk wasn’t hidden. The decision was human.

People Create Risk Without Meaning To

Most risks don’t come from bad intentions. They come from normal human behaviour: Systems don’t ignore warnings. People do. That’s why risk management focuses on people first.

Life Itself Is Risk

Risk is not limited to cybersecurity. When I was going to give birth, there were risks involved. That’s part of life. But the presence of risk didn’t stop the process; it required preparation. Doctors explained the risks. Plans were made. My mind was prepared to handle whatever came. That is what risk management looks like in real life.

How This Connects to GRC

GRC works the same way. It doesn’t pretend risk doesn’t exist. It acknowledges it and asks: GRC is about mental readiness as much as technical controls.

Why Systems Fail After People Do

Firewalls don’t panic. Software doesn’t feel rushed. Servers don’t trust strangers. People do. That’s why systems fail after people do.

What I Am Learning as a Beginner

As someone still learning GRC, this is what I understand so far: risk management is not about fear. It’s about awareness and preparation. We can’t remove risk from life. But we can prepare our minds to handle it.

On A Final Note…

Cybersecurity tools matter. Systems matter. Technology matters. But risk management starts with people: their decisions, their emotions, and their readiness. GRC simply helps us prepare for reality. And the more I learn, the more this human-first approach makes sense.

January 19, 2026 / 0 Comments

Why GRC Is More Than Paperwork

GRC

When people hear GRC (Governance, Risk, and Compliance), the first thing that comes to mind is paperwork. Policies. Documents. Checklists. Forms. Endless writing. I used to think the same. But the more I learn about GRC, the more I realise something important: GRC is not about paperwork. Paperwork is the evidence.

The real work of GRC happens long before a document is written and long after it has been filed away. Policies, reports, and documents don’t exist for decoration. They exist to answer real questions: The paperwork is simply how organisations record decisions that protect people, systems, and business operations.

GRC Is About Thinking Ahead

At its core, GRC is about anticipation. It asks: That’s not paperwork. That’s foresight.

What Aviation Compliance Taught Me About GRC

As a flight attendant, compliance was never optional; it was my reality. One of the most important compliance requirements in aviation is our cabin crew licence. Every year, that licence must be renewed. But renewal is not automatic. Before it is approved, we must: Only after meeting all these requirements is the licence submitted for renewal.

Medical fitness is also part of compliance. If you are under 40, your medicals are renewed every two years. If you are over 40, they are renewed every year. Recently, I went for my medicals and was told I now need to wear glasses. That information was recorded on my licence. From that moment, compliance became very clear to me: even if my licence is renewed, if my glasses are not ready, I am not fit to fly. No excuses. No shortcuts. No “almost compliant.” That is compliance in real life.

How This Relates to GRC

GRC works the same way. You can have policies. You can pass audits. You can tick all the boxes. But if you are not complying with the actual requirements based on your role, your region, and your responsibilities, then you are still a risk. In GRC: Just like aviation, compliance is not about punishment. It is about safety, readiness, and trust.

Why This Changed My Perspective

This is why GRC feels familiar to me. It is not paperwork for paperwork’s sake. It is about ensuring people, systems, and businesses are fit to operate before something goes wrong. A licence is proof. A medical is proof. A policy is proof. But the real work happens in preparation, discipline, and accountability. That’s why GRC matters. And that’s why it has always felt like home to me, even before I knew its name.

January 16, 2026 / 0 Comments
© 2025 TechTakeoff. All rights reserved.