22-24 May 2023: European Collaboration Summit | In-person: Dusseldorf, Germany Real World Governance, Risk and Compliance - adopting Microsoft Purview and beyond by Nikki Chapple and Simon Hudson Governance, Risk and Compliance; it's not an IT task, it's a business programme. While every organisation needs to 'do' GRC, not everyone has the expertise, has defined a strategy or has developed the tools and processes. Microsoft Purview has breadth and depth, but even it is just one of the tools your organisation needs and needs to be extended with people, processes and other technologies. This session will provide: - An overview of GRC obligations and approaches - An overview of what's in Purview and what's not - A pragmatic approach to elevating your Compliance Score - Wider technical and business thinking for derisking your operations and organisation - A perspective from a Senior Information Risk Officer in a regulated company - Thoughts on using the Maturity Model for Microsoft 365 GRC Competency to monitor your programme of work.

1. 10TH ANNIVERSARY JUBILEE EDITION OF THE
EUROPEAN COLLABORATION SUMMIT
Real World Governance, Risk
and Compliance
Nikki Chapple, Simon Hudson
Adopting Microsoft Purview and beyond

4. 10TH ANNIVERSARY JUBILEE EDITION OF THE
EUROPEAN COLLABORATION SUMMIT
Simon Hudson
Founder, Cloud2, Kinata, Novia
Works
20+ years innovating with
Microsoft technologies
Entrepreneur in Residence,
University of Hull
M365 North user group host
simon@noviaworks.co.uk
@simonjhudson
Nikki Chapple
30+ years in IT & business
transformation
Specialist Microsoft 365 governance
& compliance
International speaker & blogger
All things M365 compliance Podcast
co-host
Nikki.chapple@cloudway.co
m
@chapplnikki
Nikkichapple.com
Welcome ♥

5. GRC… bane or benefit
What do you feel about
GRC?
Entry Poll

6. Agenda
An overview of GRC (Governance Risk and Compliance) obligations
and approaches
What's in Purview
Pragmatic approaches to elevating your Compliance Score
Wider technical and business thinking for de-risking your
operations and organisation
Thoughts on using the Maturity Model for Microsoft 365 GRC
Competency to set your objectives

7. Governance, Risk and
Compliance…
it's not nice to have
It's The Law
GRC
Security

8. Processes
Governance
Strategies
Policies, Monitoring
Culture
Identify
Analyse
Control
Laws
Regulations
Controls
Activities
Elements
of
Governance,
Risk,
and
Compliance

9. Data is exploding Data regulations are increasing Risks of not being compliant
Protecting data has become
more challenging We need to simplify
compliance and to reduce risk
Why do we need Governance, Risk &
Compliance?

10. The risks of not being compliant
Loss of trust
and
Reputational
damage
Operational
/ Financial
impacts and
loss
Fines

11. Meta - €1.2bn
(Ireland)
Largest GDPR fine
ever, was imposed
for Meta's transfers
of personal data to
the U.S. on the
basis of standard
contractual clauses

12. Reference: Numbers
and Figures | GDPR
Enforcement Tracker
Report 2022/2023
(cms.law)
GDPR Fines by sector

13. Reference: Data
security incident
trends | ICO
Data security incidents by type - ICO (UK)

14. What are the GRC
compliance
challenges?
Data challenges poll

15. Microsoft
Purview
Comprehensive solutions to help
govern, protect, and manage your
data estate
https://compliance.microsoft.com/homepage
https://azure.microsoft.com/en-gb/services/purview/

16. Microsoft Purview
Comprehensive solutions to help govern, protect and manage your data estate
Understand & govern data
Manage visibility and governance of
data assets across your environment
Safeguard data, wherever it lives
Protect sensitive data across clouds,
apps, and devices
Improve risk & compliance posture
Identify data risks and manage regulatory
compliance requirements
Microsoft ecosystem
Support for multi-cloud, hybrid, SaaS data | Third-party/partner ecosystem

17. Medical
info
Passport
info
Financial
data
Address
Phone #
PII
User
data
Trade
secrets
Revenue
plan
Name
Company
IP
Risks
Data landscape is fragmented creating risks
Data protection is a defense in depth approach

18. Purview in context
Pragmatic approaches to GRC
and the Purview score

19. Governance, Risk and Compliance Assessment
Who, Where, How & When
Current vs.
Future state
People
Technology
Process
Strategy
Regulations
Culture Priorities
GRC Maturity
Recommendations
What & Why
Risk & compliance
stance
Monitor and
Enhance

20. Align the inputs with the demonstrable
action-orientated outputs
Benchmarked against the GRC Competency
https://learn.microsoft.com/en-us/microsoft-365/community/microsoft365-
maturity-model--governance-and-compliance

21. Can Copilot help?
Wouldn’t it be great if Compliance Copilot could help with setting
all this stuff up. Maybe it needs to be exposed to all the
Compliance standards and regulations…
But that’s in the future

22. Compliance Score vs Secure Score
Purview
• Number of elements: 2000+
• Grouped into
• Security, compliance & privacy
• 9 sub-categories:
• Protect information, Govern information, Control
Access, Manage Devices, Protect against threats,
Discover and respond, Manage internal risks,
Manage compliance, Privacy Management
• 350+ Assessment templates
• Board Led
• Business, Process & Technical control driven
• (Documentation, Operational and technical)
• Requires many controls outside the reach of the
M365 /Azure platform
Entra/Defender
• Number of elements: 58
• Grouped into
• Identity, Data, Apps
• Singular security score
• IT Led
• Technical control driven

23. Review and prioritise in Purview
??%

25. The business context
Business
GRC
Corporate
GRC
Purview +
Azure +
other
Microsoft
365
Purview
• GRC doesn’t end at
Purview
• Address/add your other
platforms and Line of
Business systems /
infrastructure
• E.g. Azure, Salesforce
• Think about the wider
business needs

26. Practical steps
Establish board accountability
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial focus area in Purview for attention
Build tools & processes outside Purview for non-technical control

27. The Kinata GRC portal

28. Where should you start

29. The Maturity Model levels
100
Start-ups,
new teams
and rapidly
created
processes
• plus failing
functions etc.
200
Maturing
organisations
and teams
• plus inefficient
and at-risk
functions
300
Established
organisations
• Stable but not
class leading
functions
400
Successful/
efficient
organisations,
functions and
processes
• Especially
regulated
functions
500
Best of
breed
• Exemplars
More information on the maturity model

30. What level of GRC
maturity has your
organisation achieved?
GRC Maturity Poll

31. Summary
Establish board accountability and Chief Risk officer role
Agree strategy and priorities
Embed cultural change
Establish a programme for continuous improvement
Select initial priority areas for attention
Build tools & processes outside Purview for non-technical
controls

32. Best Practice
Before you start you need to know where you are now
You cannot go from 1% to 100% in one day
Take crawl-walk-run approach
Manage based on risk
Be realistic. Design something that can be implemented
Involve the right teams

33. GRC… bane or benefit
What do you feel about
GRC?
Exit Poll

34. Governance, risk and
compliance is not a
project, it’s a lifestyle
Start small and grow
Look beyond Microsoft
and definitely beyond
IT

35. 10TH ANNIVERSARY JUBILEE EDITION OF THE
EUROPEAN COLLABORATION SUMMIT
Simon Hudson
Founder, Cloud2, Kinata, Novia
Works
20+ years innovating with
Microsoft technologies
Entrepreneur in Residence,
University of Hull
M365 North user group host
simon@noviaworks.co.uk
@simonjhudson
Nikki Chapple
30+ years in IT & business
transformation
Specialist Microsoft 365 governance
& compliance
International speaker & blogger
All things M365 compliance Podcast
co-host
Nikki.chapple@cloudway.co
m
@chapplnikki
Nikkichapple.com
THANK YOU ♥
Questions?