Looking for guidance on how to develop and execute a successful GRC program? In this article Sumner Blount highlights 7 best practices that can lead you on the path to Governance, Risk and Compliance (GRC) success.
Many companies are attempting to unify, and hopefully streamline, their risk and compliance information, activities and programs. Although the benefits of this approach can be significant, so are the challenges.
I recently attended the GRC Summit 2009 in Boston, and there was a panel session in which some key success factors were developed and discussed. This article summarizes and discusses some of these key GRC success factors.
In looking at this area, it goes without saying that “no one size fits all.” Your team may choose not to focus on one or more of these areas, or conversely, you might decide to devote extensive resources to a specific area. The point here is that a number of smart risk and compliance professionals view these factors as being key to the probable success of a GRC effort.
1) Establish a Risk Council
Make sure that your organization is set up to facilitate a holistic approach to risk management. In particular, a cross-functional group needs to have responsibility for overseeing your overall risk management efforts.
2) Identify Your Compliance Information
This is a simple way of saying “know what information you need, what you have, and where it is.” You won’t be able to eliminate your compliance silos until you have identified and categorized all your compliance information, where it resides, and who owns its creation and maintenance.
3) Build a Common System of Record
As you struggle with your compliance silos and multiple spreadsheets that get passed around (and become inconsistent with each other), the need for a centralized approach to compliance and risk information becomes clear. Banish those spreadsheets, and centralize your information into a repository (a single source of truth) that stores and cross-references all your critical information. This not only helps ensure that you have the latest status at all times, but it enables you to see the impact on all areas of your GRC efforts when a given parameter changes (such as a failed control that impacts a number of risk and compliance programs).
4) Establish End-to-End Risk Management Processes Across the Silos
Your risk management program should strive to achieve a common risk management framework across the enterprise. This means, at minimum, common practices for risk identification, assessment, and monitoring across all organizations. Without such consistency, effective communication about risk will be challenging if not impossible.
5) Establish Automated Controls Monitoring
Manual monitoring of your compliance controls is not a stable or scalable approach. Moving to an environment of automated controls monitoring is important to reduce your total compliance costs, and improve the quality (accuracy, timeliness) of your compliance information.
6) Automate the GRC Management Process (Workflow)
Many compliance and risk processes (e.g., risk assessments) are still manual and even paper-based. This results in lower-quality information (because it can be stale even before it reaches its target), high costs, delays, and reduced productivity. By automating as many compliance processes as feasible, you can help to streamline these processes and reduce your total costs.
7) Align IT Risk Management with ERM
Ideally, you’d like your IT risk management efforts to be a subset of your overall ERM activities. Regardless of how you decide to manage these related efforts, however, it is very important to make sure your approach to enterprise and IT risk is consistent, in terms of managing risk processes, communicating risk appetite to all groups, etc. Everyone on the “front lines” should see risk management from their vantage point as a consistent approach to risk across all functional and business units.
There are many more tangible success factors that you could pick for a GRC initiative. These could include the amount of cost savings, the number of FTEs that were freed up, the total number of compliance controls, the cost and time required for compliance audits, and other such “hard numbers.” Still, it’s always good to keep in mind the less quantifiable factors mentioned above, so that you can develop your strategic GRC goals and then evaluate how well those goals have been met.