An effective GRC program isn’t built overnight and is essentially a journey that companies embark on. Many organizations are well ahead on their GRC journey, while others are just starting out. Wherever you find yourself, here are a few critical success factors to keep in mind to optimize your GRC investments.
At the recently concluded MetricStream GRC Summit in Washington DC, one of the speakers remarked that it is no longer just one or two risks that are keeping business leaders up at night – it’s all of them. Geopolitical risks, digital disruption risks, third-party risks, compliance risks – they’re all growing more complex, more numerous, and more interconnected. A data breach, for instance, isn’t just a cybersecurity risk any longer; it carries reputational, compliance, and operational consequences as well, from breach-notification deadlines to lost customers and disrupted operations. Organizations that don’t understand these interrelationships will be blindsided by the knock-on effects of a single event.
Similarly, the risk universe can no longer be managed in isolation from the rest of the business. It impacts and is impacted by the activities of compliance functions, as well as information technology, legal, and internal audit. Connecting all these dots so that the organization understands exactly where to apply the brakes to keep risk in check, and where to step on the accelerator to drive business performance, is where GRC comes into play.
A truly robust and integrated GRC program rolls up risk and regulatory intelligence from across the enterprise to help stakeholders make faster, better business decisions. It enables companies to take smarter risks, build a culture of ethics and integrity, and keep pace with constant regulatory changes—all of which are strong competitive differentiators and performance drivers in today’s disruptive world.
That being said, an effective GRC program isn’t built overnight. It takes time and commitment, and is essentially a journey that companies embark on, moving gradually up the GRC maturity curve until they have a well-integrated, coordinated, and optimized GRC program in place.
Many organizations are well ahead on their GRC journey, while others are just starting out. Wherever you find yourself, here are a few critical success factors to keep in mind to optimize your GRC investments:
Successful GRC programs are those that are tightly aligned with the strategic objectives of the organization, and have clearly defined lines of accountability across GRC functions. The first step in that direction is to define a GRC charter that articulates the organization’s GRC vision and mission, objectives and goals, success criteria, roles and responsibilities, the types of solutions and technology that will be used, and critical milestones for success. Understanding how each of these parameters rolls up to support the achievement of the organization’s strategic objectives will enable each GRC function to deliver better value to the business. It’s also important to remember that as strategic objectives change in response to internal or external events, the GRC charter needs to be updated, so that the program does not become irrelevant and continues to focus on the risks that matter to business strategy and decision-making.
GRC isn’t an isolated initiative, but a pervasive, enterprise-wide activity that starts at the top and percolates down across the organization. Therefore, for it to be effective, it needs to have the buy-in and support of the right people, ranging from executive sponsors, to business leaders and users, to enterprise architects and seasoned project managers. The key is to engage and lead conversations with stakeholders across the organization on the importance of an integrated, collaborative GRC program. Align the benefits of the program to the needs of each stakeholder. For instance, boards might want to know how a GRC program will give them timely visibility into the top risks facing the organization, and provide assurance that the business is operating well within its risk appetite. Similarly, CEOs might want to know how they can make better risk-informed decisions, and identify opportunities quickly. By understanding these needs, and clearly outlining how they can be met with an effective GRC program, it becomes easier to gain the right level of support and collaboration for GRC investments.
In many organizations, GRC functions such as Internal Audit, Risk Management, Legal, or Third-Party Management follow different operating frameworks and standards. They do things differently from each other, with little, if any, collaboration between functions. However, GRC, by definition, is about integration and coordination. It needs to function like a well-oiled machine, with different business functions managing their tasks independently but working in tandem, leveraging a common architecture and risk-control framework. This kind of federated approach minimizes redundant GRC activities (the same control tested three times by three functions, for example) and strengthens collaboration across the organization. It enables everyone to speak the same language, which in turn makes risk reporting more integrated and harmonized. The end result is that executive leadership is able to make better, faster decisions, and respond more proactively to the most urgent risks affecting the organization.
To connect the dots between risks, compliance, and the other GRC elements that impact business performance, organizations need to build an integrated data model that aggregates distributed and disconnected information from across business silos, ties it together, and enables stakeholders to slice and dice the data from various perspectives.
Creating such a data model begins by mapping risks into a centralized risk library with a common taxonomy. Once the risks have been integrated, they can be linked to controls and control tests, risk metrics and what-if scenarios, issues and incidents, and other risk-control data. Gradually, the data model can be expanded to include business processes and functions, strategic objectives, geographical regions, compliance regulations, audit findings, and external data such as regulatory alerts and risk ratings.
The result is a comprehensive, tightly-knit GRC data model that makes it easy for stakeholders to determine how, for instance, a new regulation impacts the organization’s risk profile, or how a third-party risk impacts strategic objectives. Essentially, an integrated information architecture delivers the visibility that organizations need to respond swiftly and effectively to the risks, opportunities, and business changes that occur across the enterprise.
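The following is an added illustration of the linked data model described above, written for this page and not taken from MetricStream or its M7 platform. It keeps a small risk library with a taxonomy, links regulations to the controls they require, controls to the risks they mitigate, and risks to strategic objectives, and then answers the two questions posed in the text by traversing those links: what a new regulation touches, and which objectives are exposed once control test results and open issues are taken into account. The entity names, the sample data and the residual-scoring rule (one point of credit per passing, issue-free control) are constructed assumptions for the example, not any standard or vendor method.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    id: str
    name: str
    category: str                       # node in the common risk taxonomy
    inherent: int                       # inherent score, 1 (low) to 5 (critical)
    objectives: frozenset = frozenset() # strategic objectives this risk threatens


@dataclass
class Control:
    id: str
    name: str
    mitigates: frozenset                # risk ids this control reduces
    last_test: str = "untested"         # "pass", "fail" or "untested"


@dataclass
class Regulation:
    id: str
    name: str
    requires: frozenset                 # control ids the regulation obliges


class GRCModel:
    """Central risk library plus the links that let us traverse across silos."""

    def __init__(self):
        self.risks: dict[str, Risk] = {}
        self.controls: dict[str, Control] = {}
        self.regulations: dict[str, Regulation] = {}
        self.issues: list[tuple[str, str]] = []   # (issue id, control id)

    def add(self, *items):
        for item in items:
            bucket = {Risk: self.risks, Control: self.controls,
                      Regulation: self.regulations}[type(item)]
            bucket[item.id] = item
        return self

    def raise_issue(self, issue_id, control_id):
        """Record an audit finding or incident against a specific control."""
        if control_id not in self.controls:
            raise KeyError(control_id)
        self.issues.append((issue_id, control_id))

    def regulation_impact(self, reg_id):
        """Regulation -> required controls -> mitigated risks -> objectives."""
        reg = self.regulations[reg_id]
        risk_ids = set()
        for cid in reg.requires:
            risk_ids |= self.controls[cid].mitigates
        objectives = set()
        for rid in risk_ids:
            objectives |= self.risks[rid].objectives
        return {"controls": set(reg.requires), "risks": risk_ids,
                "objectives": objectives}

    def residual(self, risk_id):
        """Assumed scoring rule: inherent score minus one per control that
        passed its last test and has no open issue, never below 1."""
        risk = self.risks[risk_id]
        flagged = {cid for _, cid in self.issues}
        credit = sum(
            1 for c in self.controls.values()
            if risk_id in c.mitigates and c.last_test == "pass"
            and c.id not in flagged
        )
        return max(1, risk.inherent - credit)

    def rollup_by_category(self):
        """Highest residual score per taxonomy node, for a board-level heat map."""
        out = {}
        for r in self.risks.values():
            out[r.category] = max(out.get(r.category, 0), self.residual(r.id))
        return out

    def exposed_objectives(self, threshold=3):
        """Objectives tied to any risk whose residual score meets the threshold."""
        return {obj for r in self.risks.values()
                if self.residual(r.id) >= threshold for obj in r.objectives}


def build_sample_model():
    """Constructed sample data for the example, not from any real organisation."""
    m = GRCModel()
    m.add(
        Risk("R1", "Customer data breach", "IT / Cyber", 5,
             frozenset({"Grow EU revenue", "Retain customers"})),
        Risk("R2", "Vendor outage", "Third party", 4, frozenset({"Launch mobile app"})),
        Risk("R3", "Late regulatory filing", "Compliance", 3, frozenset({"Grow EU revenue"})),
        Control("C1", "Encrypt customer data at rest", frozenset({"R1"}), "pass"),
        Control("C2", "Quarterly access review", frozenset({"R1"}), "pass"),
        Control("C3", "Vendor SLA monitoring", frozenset({"R2"}), "fail"),
        Control("C4", "Filing calendar", frozenset({"R3"})),   # never tested
        Regulation("GDPR", "EU data protection", frozenset({"C1", "C2"})),
    )
    m.raise_issue("I-17", "C2")   # access review found orphaned admin accounts
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print(model.regulation_impact("GDPR"))
    print(model.rollup_by_category())
    print(model.exposed_objectives(threshold=4))
```

Two things the traversal makes visible that a spreadsheet per function would not: the open issue I-17 against the access review removes that control's credit, so the breach risk stays at residual 4 even though both of its controls passed their last test, and the vendor outage risk with a failed control lands at the same score, which is why both the "Retain customers" and "Launch mobile app" objectives appear as exposed.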
Benchmark the organization’s GRC maturity level to understand the gaps that exist, and to determine what needs to be done to get to the next stage of the maturity curve. Gain consensus from stakeholders on what is required to close the gap between current and desired future GRC states.
Ensure that you have a well-defined GRC roadmap with high level estimates of effort and funding required for GRC processes, teams, and technology implementations.
Start with the highest priority initiatives (e.g. IT risk management) to realize value faster, and to set a solid GRC foundation.
Prepare for organizational change. An integrated GRC program requires time and effort from across the organization, but is worth it in the long run.
Communicate regular milestones and successes to stakeholders. Build in continuous improvements as the GRC program evolves and is rolled out across the enterprise.
Do define and prioritize GRC use cases clearly, focusing on the most important ones first
Do establish a GRC team with solid project management expertise
Do remember that effective GRC is a combination of people, processes, and technology, and not just one of them alone
Do establish clear lines of accountability and responsibility
Don’t apply technology as a substitute for good governance
Don’t expand the GRC program until you’ve learned the lessons from the first phase of the project
Don’t forget to communicate the importance of a GRC program in driving business performance
Don’t let the GRC program become irrelevant – revise GRC objectives and goals as the business changes
For too long, companies have struggled with spreadsheets and other manual tools that only widen the silos between GRC functions. Combining and consolidating risk insights becomes cumbersome for teams, and leadership is left frustrated because it never gets a unified, clear picture of the risks that need attention.
Technology can help overcome these challenges by bridging the gaps between GRC functions, aggregating and correlating data in a single system of record, and automating various tasks, so that at the click of a button, companies have the GRC insights and intelligence they need to make informed decisions.
As the largest independent GRC company in the world, MetricStream provides a range of leading-edge GRC apps built on our new, fourth-generation GRC platform, M7. M7 combines the power of the cloud, mobility, and big data analytics to make GRC simple and engaging. Using M7, you can:
Manage internal audits, compliance, enterprise risk management, IT risk and compliance management, threat and vulnerability management, and more – all in an integrated, automated, and streamlined manner
Gain a clear and comprehensive view of the organization’s risk and compliance profile through a comprehensive, tightly mapped GRC data model
Transform raw GRC data swiftly into valuable business intelligence to inform strategy and decision-making
Provide a single system of record for Risk, Compliance, Audit, and other business functions to collaborate and communicate seamlessly
M7 also offers:
A user experience that is intuitive, engaging, and personalized
Configurability, delivering GRC how you need it
Mobility and layering that brings GRC to where you are
Reporting and analytics for better insights and better decisions
Architecture that is faster, leaner, and ready for the future
MetricStream, the independent market leader in enterprise and cloud applications for Governance, Risk, Compliance (GRC) and Quality Management, makes GRC simple. MetricStream apps improve business performance by strengthening risk management, corporate governance, regulatory compliance, vendor governance, and quality management for hundreds of thousands of users in dozens of industries, including Financial Services, Healthcare, Life Sciences, Energy and Utilities, Food, Retail, CPG, Government, Hi-Tech and Manufacturing. MetricStream is headquartered in Palo Alto, California, with an operations and R&D center in Bangalore, India, and sales and operations support in 12 other cities globally. (www.metricstream.com)