Wednesday, February 12, 2014

Five Simple Questions Core to GRC Program Success

As I work with customers on their journey to a unified GRC program, it often seems an insurmountable task. But, as they say, every journey begins with the first step. And often the first step is about sitting back and taking the time to really ask yourself: what is it that we need to accomplish? What is the desired end state? From that introspection comes a set of questions that, when answered, form the basic building blocks of a GRC program:
• What is our end-to-end GRC program and what do we need to invest in to achieve our goals?
• How can we align business requirements with our policies and day-to-day operating processes?
• What is our real exposure and what controls need to be implemented to contain risks?
• How can we leverage technology to manage GRC holistically across the enterprise?
• How can we govern our GRC processes across silos and stakeholders?
Let’s take them one by one.
What is our end-to-end program and what do we need to invest in to achieve our goals?
This question asks us to build a strategy, a plan, a roadmap. Here maturity assessments are essential – they help us focus the lens on the high-priority initiatives that will get us to the target state. It forces us to define the scope of the program – across which business units: IT, Operations, Finance or Legal? It is about adopting the right principles to drive GRC – process efficiency, visibility, transparency, accountability. This question leads us to consider how we will measure success and which metrics are important, and to examine and be realistic about constraints, such as how the program can be funded. It raises issues of prioritization and what is and is not on the roadmap.
[Figure: GRC program elements]

How can we align business requirements with our policies and day-to-day operating processes?
This question is really about how we align business processes and procedures with policies and controls. It forces us to look at our policy framework and how it is enforced. Do we take an information-centric approach to risk and a risk-centric approach to security? Do we take a pragmatic approach to doing the right things well, such as enforcing policies at the point of use? Do we have a strong training and awareness program in place to keep a culture of risk awareness growing in our organization? This question makes us look beyond our boundaries to other stakeholders, including regulators and third parties that are critical to our business, and ask how we ensure our policies are embraced by our partners and customers.

What is our real exposure and what controls need to be implemented to contain risks?
This question has us reflect on the value of our assessments and audits – in what way do they help us understand our most critical business processes and most sensitive information? How do we put boundaries around the real exposures that matter most to our organization? This is the heart of risk management, compliance and controls testing. This question makes us think about risk monitoring and reporting – do we know what our risks are, and are they prioritized in a hierarchy and a risk register? It makes us consider how we leverage common methods in evaluating risks, what rating schemes we use, and how we can harvest risk information from performance management and quality systems that give us insight into KPIs and KRIs.

How can we leverage technology to manage GRC holistically across the enterprise?
This question forces us to look thoughtfully at the entire GRC technology ecosystem in play within the organization, extending through virtual environments to our customers and partners. We contemplate its architecture and how it will need to evolve over time to meet ever-changing business requirements. Do we have a single version of the truth, a central platform for managing GRC? How can we leverage technology to ‘test once, analyze across, report many’?

How can we govern our GRC processes across silos and stakeholders?
Finally, we consider governance – what is the accountability framework for making decisions on risk, and who in the organization truly has decision rights? Who owns risk, and what is the organization’s appetite for risk? What nomenclature is used, and how do we strive to inculcate a common language to talk about, understand, act on and remediate risk? Finally, how do we monitor our environment, what metrics do we use, and how do we respond to incidents? This question compels us to improve operations and incident response, so that we are prepared in the event of a crisis, disaster or breach.

Whether it is trying to understand the end-to-end program and what investments need to be made, diving into the detail of aligning business requirements with policies and day-to-day operating processes, or responding to incidents, implementing a unified GRC program forces us to move up the maturity curve.

Call to action for you: take some time to think about these questions. Share your thoughts with your colleagues. You may find yourself starting to work on these building blocks together, building a solid vision for a comprehensive end-to-end GRC program – and find it is not such an insurmountable task!
