Content Management System (CMS) News, Reviews, Events and Analysis.
7 Success Factors for Effective GRC

Looking for guidance on how to develop and execute a successful GRC program? In this article Sumner Blount highlights 7 best practices that can lead you on the path to Governance, Risk and Compliance (GRC) success.

Many companies are attempting to unify, and hopefully streamline, their risk and compliance information, activities and programs. Although the benefits of this approach can be significant, so are the challenges.

I recently attended the GRC Summit 2009 in Boston, where a panel session developed and discussed some key success factors. This article summarizes and discusses some of those key GRC success factors.

In looking at this area, it goes without saying that “no one size fits all.” Your team may choose not to focus on one or more of these areas, or conversely, you might decide to devote extensive resources to a specific area. The point here is that a number of smart risk and compliance professionals view these factors as being key to the probable success of a GRC effort.

1) Establish a Risk Council

Make sure that your organization is set up to facilitate a holistic approach to risk management. In particular, a cross-functional group needs to have responsibility for overseeing your overall risk management efforts.

2) Identify Your Compliance Information

This is a simple way of saying “know what information you need, what you have, and where it is.” You won’t be able to eliminate your compliance silos until you have identified and categorized all your compliance information, where it resides, and who owns its creation and maintenance.

3) Build a Common System of Record

As you struggle with your compliance silos and multiple spreadsheets that get passed around (and become inconsistent with each other), the need for a centralized approach to compliance and risk information becomes clear. Banish those spreadsheets, and centralize your information into a repository (a single source of truth) that stores and cross-references all your critical information. This not only helps ensure that you have the latest status at all times, but it enables you to see the impact on all areas of your GRC efforts when a given parameter changes (such as a failed control that impacts a number of risk and compliance programs).

4) Establish End-to-End Risk Management Processes Across the Silos

Your risk management program should strive to achieve a common risk management framework across the enterprise. This means, at minimum, common practices for risk identification, assessment, and monitoring across all organizations. Without such consistency, effective communication about risk will be challenging if not impossible.

5) Establish Automated Controls Monitoring

Manual monitoring of your compliance controls is not a stable or scalable approach. Moving to an environment of automated controls monitoring is important to reduce your total compliance costs, and improve the quality (accuracy, timeliness) of your compliance information.

6) Automate the GRC Management Process (Workflow)

Many compliance and risk processes (e.g., risk assessments) are manual and even paper-based. This results in lower-quality information (because it can be stale even before it reaches its target), high costs, delays, and reduced productivity. By automating as many compliance processes as feasible, you can streamline these processes and reduce your total costs.

7) Align IT Risk Management with ERM

Ideally, you’d like your IT risk management efforts to be a subset of your overall ERM activities. But, regardless of how you decide to manage these related efforts, it is very important to make sure your approach to enterprise and IT risk is similar, in terms of managing risk processes, communicating risk appetite to all groups, etc. Everyone on the “front lines” should see risk management from their vantage point as being a consistent approach to risk across all functional and business units.

There are many other, much more tangible success factors that you could pick for a GRC initiative. These could include the amount of cost savings, the number of FTEs that were freed up, the total number of compliance controls, the cost and time required for compliance audits, and other such “hard numbers.” Still, it’s always good to keep in mind the slightly less quantifiable factors mentioned above, so that you can develop your strategic GRC goals and then evaluate how well those goals have been met.

About the Author

Sumner Blount has been associated with the development and marketing of software products for over 25 years. He has managed the large computer operating system development group at Digital Equipment and Prime Computer, and managed the Distributed Computing Product Management Group at Digital. More recently, he has held a number of Product Management positions, including Product Manager for the SiteMinder product family at Netegrity. He is currently focusing on GRC solutions at CA.
