Five Steps to Effective GRC


As compliance efforts are increasingly swallowed by larger governance and risk management initiatives, more companies are looking to install comprehensive GRC software systems. What better, then, than a nice guide to successful GRC implementations? That's exactly what CA's Matt Caston gives us in an eWEEK piece posted Wednesday.


Caston breaks the process into five steps -- and I'm paraphrasing here:


1) Define GRC for your company.


2) Get a handle on the organization's regulatory and compliance requirements.


3) Start where it's most logical and gradually phase in the rest.


4) Build the business case based on short- and long-term value.


5) Decide how to measure success vs. failure.


Caston points out that creating "a common GRC lexicon" for those who will be using the system is key. Vendors often have different definitions of each of the components, so it's best to sit down with legal, internal and external audit, and corporate ethics and risk management folks and decide what the terms mean for your organization. That will streamline the rest of the process, he suggests.


As for "surveying your current regulatory environment," it's important to look at the big picture, Caston says. That way, rather than just seeing the most visible requirements, you can look at all of them and figure out whether one area or another is soaking up too much time or money.


For a lot of companies, Caston says the most logical starting place when implementing GRC tools is compliance management:

Many enterprises are struggling with the growing complexity of regulatory compliance. Additionally, compliance management -- while sometimes costly to initiate and sustain -- can be leveraged for process improvement.