Governance, Risk and Compliance efforts at companies are nothing new. Organizations have implemented processes and technologies to identify, manage and report on risks and compliance for decades. Only in the last 10 years or so has the term GRC been invoked to capture the overall concept of an organized, methodical approach to this core business need. OCEG just released their 2015 GRC Maturity Survey and the report contains interesting insight into the progress GRC has made in organizations today. Seventy-five percent of the respondents in the survey indicated headway in integrating GRC processes. While this is somewhat intuitive, given that companies have made GRC a greater priority in the last few years, the most telling indicator of the value of a strategy of unifying GRC is the benefits denoted in the survey. A whopping 90% of respondents stated the integrated approach to GRC has either met or exceeded expectations – 90%! Even a majority would have been a solid endorsement for building a comprehensive, united program. This overwhelming response signifies a deeper impact when governance, risk and compliance efforts are combined. There is a force multiplier effect when processes and data from these labors are blended.

The survey goes into much greater detail highlighting individual benefits of integrated GRC programs vs. silo approaches. However, the leading barrier to building an integrated approach is the lack of champions to build and carry out a vision. We see this obstacle many times in working with our customers on implementation of GRC programs. Organizational flux is a major risk to any effort that requires dedication, continuous development and ongoing maintenance – as GRC does. When an organization makes strides in improving risk and compliance efforts, a shift in management, business strategy or organizational structure can derail even the most thought-out strategy.
Here are some recommendations on keeping the GRC integration movement alive in your company:

Champions ARE incredibly important: When an organization decides to truly put its best foot forward in managing risk, it cannot be a side project or added responsibility. Building a network of champions – who understand the business and the risks it faces – can be a challenge, but the reward is great. GRC champions must be incented to see the journey through, and disruptions must be anticipated.

Engaged stakeholders are the foundation: Even if you have champions who are passionate about GRC, without engaged stakeholders – those lines of business and management closest to managing the risk – it will be an uphill battle to integrate processes and share data. The most successful GRC implementations connect the risk and compliance effort to improving the daily work of the front line. Making it easier to meet risk and compliance obligations should be a key focus when rolling out GRC programs.

The sum is greater than the parts: GRC programs have multiple segments. Processes that identify and catalog risks may be separate from those processes that design and implement controls. However, when you put those processes together (a key tenet of integrated GRC), the impact is much greater. How risk is being managed (via controls) and why controls are implemented (to manage risk) is much clearer. GRC has many opportunities to improve processes simply by informing other parts of the program. A roadmap strategy whereby these parts are put together should be designed and form the basis for an integration strategy.

The OCEG survey is another data point to consider when building your business case for continuously improving your GRC program. Organizations that hit the pause button on pushing their GRC initiatives – and the reasons for this are many (budget, resources, lack of priority, focus, organizational changes, etc.) – lose traction and eventually will have a harder hill to climb when they pick up the effort. Utilizing surveys and industry input like the OCEG survey is critical in maintaining a healthy dialogue with executive management on the importance of keeping the program moving forward. Integrated GRC is a critical foundation for an organization faced with the competitive, risk-filled market of today and should be the ongoing goal of any GRC effort.

The post GRC Integration = Business Value appeared first on Speaking of Security - The RSA Blog and Podcast.
