Software applications for managing governance, risk and compliance (GRC) continue to mature with impressive features and functions. Even more impressive are the organizational and strategic advancements companies are making by closely linking these three traditionally distinct functions; benefits include reduced risk exposure, lower audit costs, better overall compliance and more informed decision making.
As with most ambitious, enterprise-wide initiatives, implementing an enterprise GRC program requires a coordination of different and sometimes opposing objectives, expectations and resources. However, there are a few key best practices that can help to prove these efforts successful.
Best practice No. 1: Become a GRC salesperson
Knowing that the success of any broad GRC implementation requires executive sponsorship, as well as participation from business process owners, it is important to anticipate opposition and obstacles.
The vast majority of people that must be convinced to get involved with GRC are comfortable with their existing processes. In many cases, they have a good idea of what issues might negatively impact their processes and how to possibly avoid such issues. So, when selling the benefits of GRC, use existing processes as a starting point and identify opportunities to automate, phase out or combine inefficient tasks. Some reorganization might be helpful, but whenever possible, focus first on improving the way things are currently done.
GRC: Over-Hyped or Legit?
- Governance, risk and compliance (GRC) is often tagged onto various products, but make sure you know what you're getting when vendors make those claims.
The benefits of GRC will differ for various departments and business groups. Legal and compliance professionals may gain the most from a single repository for regulations and policy documentation, while operational risk professionals will look for standardization of risk assessments. It will certainly take more effort to develop unique selling propositions for individual stakeholders, but the top objective should be to assure buy-in from those that might otherwise prove skeptical.
Best practice No. 2: Remember the basics of project management
Without a cohesive vision and reasonable expectations, projects can easily get sidetracked, lose steam or fall short of their potential. It's not uncommon to hear about implementations that began as quick point projects being scrapped a year later when the company wants a robust, full-featured system for a more comprehensive GRC program.
Remember the basics of project management. It's imperative to set and track objectives, milestones and deliverables; it's not enough to have initial buy-in from executive sponsors and business process owners. These stakeholders will want to understand what they can get out of an enterprise GRC program and when. Without the ability to show progress against objectives and value delivered at steps along the way, any supporters you've mustered may quickly lose interest.
The milestones usually start in two-to-three month intervals and extend in increasingly larger intervals to about three years. They don't have to be complicated, but they should be specific. For example, many companies track the number of business processes covered or the degree of business user participation in the GRC program to demonstrate how much of the business it supports.
Also, use a phased approach with proofs of concept. Widespread GRC projects that launch simultaneously across the entire organization are less likely to succeed because of the large hurdles of investment, coordination and uncertainty. Successful implementations almost universally start with one or two key areas and work their way into others once the first few demonstrate success.
And, with any initiative that requires significant investments of time and money, make sure the program will continue to be successful after it's up and running. As the business grows, as the regulatory environment evolves, and as the GRC program faces new organizational challenges, plans must be in place for addressing changes.
Best practice No. 3: Embed GRC into the culture
Selling key stakeholders on the business value of GRC and having an airtight project plan will get the process rolling, but true success in GRC can only occur if it's ingrained within the culture of the organization.
Frequent communication is key. A typical GRC program will include your immediate team, executive sponsors, a cross-functional committee, business process owners, and the widespread mass of casual users. All of these groups must know information specifically relevant to them in order to maintain the momentum of the implementation, demonstrate ongoing success and encourage continued participation.
Communication alone, however, will not be enough to facilitate participation. It's important to find ways to encourage and ingrain GRC into standard operations. The key here is to find ways that these changes can help improve other aspects of the business as well. For example, tracking risk incidents and root causes will help business process owners focus on fixing systemic problems that might lead to issues such as customer complaints, product recalls, privacy breaches or regulatory enforcement actions.
Practice openness and flexibility. As in any major undertaking, there will be changes and mistakes threatening to derail the program. It's especially important to encourage employees to uncover issues, raise concerns, and be honest when things are going wrong. Building flexibility into the plans will help you continue to achieve milestones even when the unexpected occurs — and achieving milestones always helps assure ongoing support and participation.
Don't miss need-to-know info!
- Security pros can't afford to be the last to know. Sign up for email updates from SearchSecurity.com and you'll never be behind the curve!
About the author:
Chris McClean is an analyst at Cambridge, Mass.-based Forrester Research where he serves security & risk professionals. He leads the company's coverage of governance, risk, and compliance and will be speaking at Forrester's Security Forum 2009, September 10-11, in San Diego.