Governance, risk, and compliance (GRC) as a means to reduce process redundancy, deliver risk intelligence, and improve business performance has captured the attention of leadership teams across the enterprise. GRC is also now embracing IT and security teams, often catching them unprepared to champion their unique requirements.
So, what’s the impact of GRC in terms of how we manage IT and security programs? According to Yo Delmar, vice president of GRC Solutions, MetricStream, the impact can be significant: a GRC program can bring great benefits, or major woes if it is not approached with the right goals clearly in sight. IT and security teams need to be actively engaged at the table, collaboratively shaping the GRC program scope in order to create real value.
The five steps below, as identified by Yo Delmar, vice president of GRC Solutions, MetricStream, describe how to shape the GRC program scope in order to create real value.
Managing GRC as a program recognizes that the effort is a journey and not a destination. This journey typically begins with several key sponsors, and then slowly expands across silos, consolidating efforts around issue management, and other priority initiatives, such as policy management, compliance, risk management, operational risk management, ethics, quality, supplier governance, information technology and security.
The GRC journey rests on a vision of moving up the maturity curve until all aspects of governance, risk and compliance are addressed. Remember – a program is a group of related projects managed in a coordinated way to obtain the benefits and control not usually offered when managing the projects individually. Managing GRC as a program allows teams to evolve the program across various stages to accelerate time to value.
Defining a GRC Program strategy is all about understanding the scope, vision and mission, as well as the program goals and supporting strategies. Getting this right depends on a practical stakeholder analysis of key needs. IT and security need to bring their goals to the table early on in the process, making the clear case for extending the GRC program and any GRC technology platform or tools to support a technology asset model for cloud, virtual and physical devices, along with integrations into IT and security monitoring systems.
Too often, GRC programs are built on a foundation that ignores the assets and the detailed technical policies that make IT and security teams tick – don’t let your GRC program fall into that trap! Without near-real-time consolidation, monitoring and analysis at the application, data and infrastructure level, GRC processes for risk and compliance management won’t do much to help IT and security teams.
It’s also important to understand and assess key IT and security process maturity against the desired future state in order to realistically distinguish between aspiration and what is actually practical in terms of short and medium-term executable goals. Providing a gap analysis to strategic initiatives and defining the various steps required to achieve the desired target state is critical. For example, short-term goals may include automating risk assessments using a common risk and control framework, integrating the results of continuous controls monitoring for threats and vulnerabilities into risk assessments, or supporting a common workflow for the remediation of issues.
Finally, as part of the strategy, the GRC program governance model should be clearly defined with accountabilities and frameworks for making decisions on the program itself. Implement “active,” not “passive,” governance, where the right key stakeholders such as IT, security, audit and risk management are engaged and aligned early on in the program.
Designing a GRC program is all about creating a common GRC ontology, defining GRC use cases, and understanding how the GRC technology eco-system will be leveraged to bring the right information and analytics together to improve business performance. Ontology means getting granular on risk appetite – yes, while this is difficult, it is not impossible to define! It also means determining what information will be shared across common libraries of processes, risks and controls. Ontology also means defining the risk hierarchy, risk analysis methods, risk calculations for rollups and finally, risk metrics.
Ultimately, achieving apples-to-apples comparisons depends on the organization’s ability to adopt a shared ontology and enterprise model with standard names for business units, identities and infrastructure elements. In the short term, this may be a matter of balancing common and federated processes for risk identification, risk analysis and remediation processes as the organization evolves to deploying a GRC platform as a single system of record and single version of truth.
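The two paragraphs above describe a shared GRC ontology (a risk hierarchy, rollup calculations, a common control library, risk appetite) and an enterprise model with standard names for business units and infrastructure elements. The following is an added example that is not from the article or from MetricStream; it models those ideas in a small Python program. The scoring conventions are assumptions, not something the article specifies: inherent risk is likelihood times impact on 1 to 5 scales, residual risk is reduced by the strongest mapped control, a category rolls up as the worst-case residual score beneath it, and appetite is the highest residual score a category tolerates. All ids, control names, business units and asset names are constructed.

```python
"""Toy model of a GRC risk ontology with hierarchy rollups and appetite checks.

Constructed example; not the article's or MetricStream's code. Assumed conventions:
- inherent score = likelihood x impact, each on a 1..5 scale (so 1..25)
- residual score = inherent x (1 - effectiveness of the strongest mapped control)
- rollup of a category = worst case (max) over its child categories and risks
- risk appetite = the highest residual score a category tolerates
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Control:
    id: str
    name: str
    effectiveness: float  # 0.0 = no mitigation .. 1.0 = fully mitigates (assumed scale)


@dataclass
class Risk:
    id: str
    name: str
    likelihood: int       # 1..5
    impact: int           # 1..5
    business_unit: str    # should be a standard name from the enterprise model
    asset: str            # should be a standard name from the enterprise model
    control_ids: List[str] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self, library: Dict[str, Control]) -> float:
        # Strongest mapped control wins; unmapped or unknown controls earn no credit.
        best = max((library[c].effectiveness for c in self.control_ids if c in library), default=0.0)
        return round(self.inherent() * (1.0 - best), 2)


@dataclass
class Category:
    name: str
    appetite: float
    children: List["Category"] = field(default_factory=list)
    risks: List[Risk] = field(default_factory=list)


def rollup(cat: Category, library: Dict[str, Control]) -> float:
    """Worst-case residual score across the subtree (0.0 for an empty category)."""
    scores = [r.residual(library) for r in cat.risks] + [rollup(c, library) for c in cat.children]
    return max(scores, default=0.0)


def appetite_breaches(cat: Category, library: Dict[str, Control]) -> List[Tuple[str, float, float]]:
    """(category, rolled-up score, appetite) for every category whose rollup exceeds its appetite."""
    out = []
    score = rollup(cat, library)
    if score > cat.appetite:
        out.append((cat.name, score, cat.appetite))
    for child in cat.children:
        out.extend(appetite_breaches(child, library))
    return out


def unknown_names(cat: Category, units: Set[str], assets: Set[str]) -> List[Tuple[str, str]]:
    """Risks whose business unit or asset is not a standard name in the enterprise model."""
    bad = [(r.id, r.business_unit) for r in cat.risks if r.business_unit not in units]
    bad += [(r.id, r.asset) for r in cat.risks if r.asset not in assets]
    for child in cat.children:
        bad.extend(unknown_names(child, units, assets))
    return bad


# --- constructed sample data (hypothetical ids, controls, units and assets) ---
CONTROLS = {
    "C-01": Control("C-01", "MFA enforced on privileged accounts", 0.7),
    "C-02": Control("C-02", "30-day patch SLA for internet-facing servers", 0.5),
}
STANDARD_UNITS = {"IT Operations", "Procurement"}
STANDARD_ASSETS = {"cloud-iam", "web-prod-01", "vendor-portal"}

IDENTITY = Category("Identity", 7.0, risks=[
    Risk("R-01", "Admin credential theft", 4, 5, "IT Operations", "cloud-iam", ["C-01"])])
INFRA = Category("Infrastructure", 7.0, risks=[
    Risk("R-02", "Exploitation of unpatched web server", 3, 4, "IT Operations", "web-prod-01", ["C-02"])])
THIRD_PARTY = Category("Third Party", 9.0, risks=[
    Risk("R-03", "Vendor mishandles customer data", 2, 5, "3rd Party Mgmt", "vendor-portal")])
ENTERPRISE = Category("Enterprise", 8.0, children=[
    Category("IT and Security", 7.0, children=[IDENTITY, INFRA]), THIRD_PARTY])

if __name__ == "__main__":
    print("enterprise rollup:", rollup(ENTERPRISE, CONTROLS))
    for name, score, appetite in appetite_breaches(ENTERPRISE, CONTROLS):
        print(f"appetite breached: {name} residual {score} > appetite {appetite}")
    for rid, name in unknown_names(ENTERPRISE, STANDARD_UNITS, STANDARD_ASSETS):
        print(f"non-standard name on {rid}: {name!r}")
```

With the sample data, the two IT risks each carry a residual score of 6.0 after their controls, while the uncontrolled vendor risk stays at 10.0; because the rollup is worst-case, that single score is what the enterprise node reports, breaching both the Third Party appetite (9.0) and the enterprise appetite (8.0). The name check flags R-03 for using "3rd Party Mgmt" instead of a standard business unit, which is the kind of inconsistency that blocks apples-to-apples comparison until everyone records risks against the same enterprise model. A weighted-average rollup would be a legitimate alternative design; the choice of rollup method is exactly the sort of decision the ontology has to make explicit.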
GRC process analysis also involves ranking and prioritizing use cases, determining dependencies, and building a reasonable investment analysis that can be used to make decisions on where to start. Beyond the basic IT GRC use cases for IT and security policy management, controls testing, and assessments for apps, systems, facilities and vendors, the IT team absolutely needs to be proactively engaged in mapping out the GRC technology eco-system and architecture. This eco-system and architecture should be designed with today’s global, virtual, mobile eco-system in mind, integrating IT and security systems for continuous controls monitoring, and considering the various challenges that may arise in a hybrid cloud environment.
GRC program implementation planning is all about developing a multi-year roadmap with the right gating factors, supported by a rolling 12-month action plan. Often your organization’s program management office (PMO) will be involved, helping to define project dependencies, charters, critical milestones and decision criteria. It is important to define the appropriate GRC program team structure, roles, and responsibilities, assign the right resources, and provide a solid onboarding program for new team members, users and stakeholders as the program rolls out. The team may grow over time, so thinking and planning in advance about when new resources will be needed is critical to the program’s success.
At the IT level, it is critical to ensure that GRC program deployments are integrated in your organization’s system development life cycle (SDLC), mapped into your organization’s IT processes for ongoing architecture and security reviews, and supported both internally and also with any external GRC vendors you have partnered with.
Remember, GRC programs allow an organization to manage its most urgent business, IT and security risks across the silos, providing the dual benefit of reduced risk through better visibility and context, as well as lowered costs through a consistent framework and methodology. Make sure your implementation plan is designed to actually deliver and communicate these benefits over time.
Once your GRC program has launched, it needs proper care and attention in order to continue to grow and deliver real value for the organization. Ensure that key GRC program stakeholders have the right level of program visibility, and are able to help the team meet challenges on an ongoing basis. Continuous program improvement means keeping your eye on the goal posts, and taking advantage of opportunities to adapt the program, and course-correct in real time to accelerate time to value.
It is also important to take time to reassess the GRC program strategy annually. Start by asking the program team questions like: How is the GRC vision unfolding to support IT and security? Do our priorities need to change? How might evolving organizational strategy, structure, partners and technologies drive changes to our GRC program scope and goals?
In conclusion, remember that GRC program team members are “secret agents of change” who help the organization streamline and implement new processes, roles and decision support. Moving up the GRC maturity curve is a cultural shift as much as it is operational change and technology deployment. IT and security are infused in almost every business process, and are integral to GRC program success. So remember, keep your change management hat on, with your ultimate mission stamped into the brim – “Reduce Risk and Improve Business Performance!”