Governance, risk and compliance (GRC) management is becoming increasingly integrated across a wide and expanding set of use cases — moving beyond traditional risk management and into regulatory compliance, audit, third-party management, ethics and compliance, privacy, quality management, environmental health and safety, cybersecurity, business resilience and more. In OCEG’s 2015 GRC Maturity Survey, over 50 percent of organizations surveyed stated they are executing on an integrated GRC vision, and over 80 percent claim that the benefits realized have met or exceeded their expectations.
The core promise of a GRC program that integrates needs across all stakeholders is better business performance – a prerequisite for survival in today’s highly competitive world. As a result, leaders across the enterprise are asking for help in setting the vision, plotting the course and implementing integrated programs that deliver real value to all organizational units. While many organizations have seen benefits from their GRC investments, building the case for business value is fundamental in getting commitment to put a high-value, sustainable GRC program in place.
Experience shows us that those organizations that manage GRC as an integrated program — involving people, processes and technologies — are more successful in delivering value to their organizations than those that simply focus on deploying technology or processes alone. An effective GRC program helps to accelerate organizational readiness and improve business performance by focusing equally on people, processes and technology. Successful programs effectively address the core elements of strategy, design and implementation — often running key initiatives concurrently in multiple work streams, each at different stages of completion.
In this slideshow, Yo Delmar, MetricStream, provides practical advice that organizations can leverage, whether building a business case for integrated GRC or expanding an existing program into a new domain. The slideshow covers key benefits and considerations when launching a GRC program, conversations that you must have with stakeholders on their GRC needs, how to factor maturity and readiness of use cases into the overall business case, the importance of grounding a business case in a realistic roadmap and finally, putting it all together in a living benefits statement.
Practical Advice for Building a GRC Program
Click through for tips organizations can use to develop or expand an integrated GRC program, as identified by Yo Delmar, MetricStream.
Key Benefits of a GRC Program
Business value ultimately depends on the vision and scope of the GRC program, organizational readiness and speed of deployment. The goal of most organizations is to optimize business value by choosing the level of investments across a portfolio of initiatives that supports strategic objectives.
“Time to value” is a key concept when considering the business case: How long will it take to realize benefits, given the maturity of current processes and the effort needed to make the required changes in people, processes and technology? In many use cases, the need for cross-functional collaboration is high; benefits may be hard to realize if the effort to gain consensus affects the ability of the team to deliver. As a result, it’s critical to sequence initiatives thoughtfully so that the program begins on a strong foundation and delivers early successes that build momentum for support and commitment. It’s also important to remember that business value is ongoing – it accrues over years, with substantial returns stacking up as adoption grows and processes are continuously improved. As a result, it is important to document anticipated and realized benefits in a living benefits statement that acts as a testimony to the value of the GRC program.
So, what are the key benefits of an integrated GRC Program? For most risk, business and technology leaders, the commitment to an integrated GRC program is based on three main benefit categories:
- Lower risk: An integrated GRC program allows organizations to reduce risk by providing visibility into and context around the most urgent business risks across finance, legal, compliance, operations and technology business units — and externally into third parties, suppliers and customers.
- Gain efficiency and lower costs: Managing GRC as a program allows organizations to gain efficiencies and lower costs by leveraging a consistent risk and control framework, collaboration approach and overall methodology.
- Effective governance and reporting: Organizations that focus on orchestrating GRC as a program are able to report the right information to the right people, at the right time. A common classification and reporting framework supports a clear understanding of the information and analytics required for the board, regulators, leadership, external and internal stakeholders to make the decisions they need to improve business performance.
Stages of Maturity
GRC program execution is a journey. It often begins with consolidating efforts around priority initiatives such as enterprise risk management, privacy, security or corporate compliance and grows to embrace new stakeholders and use cases — often involving business resilience, cybersecurity, third parties, suppliers and customers.
Most organizations are moving up a maturity curve in their GRC program execution, straddling the risk-identification stage — where information is siloed and fragmented, risk management is mostly qualitative and compliance management is cumbersome — and the risk-analytics stage — where an aggregated, prioritized view of risk is achieved. The goal, however, is to reach a more proactive stage where risk intelligence supports active decision-making through integrated, well-orchestrated processes.
Here are some key factors to consider while preparing to launch a GRC Program:
- Have stakeholders identify the highest priority initiatives that are aligned with both strategic objectives and operational activities.
- Understand the maturity and readiness of the organization as a whole, as well as the business units that will be deploying high-priority initiatives.
- Gain consensus from the right set of stakeholders on what will be required to close the gap between current and desired future states.
- Establish the right governance model for the program with the required executive commitment and funding to provide the right resources to make the program a success.
- Ensure you have a well-defined roadmap with high-level estimates of effort and funding required for initiatives and technology implementations.
- Prepare for organizational change – integrated GRC requires teamwork and results in valuable transformation.
- Finally, remember to communicate successes to stakeholders and build in continuous improvement as the GRC program evolves and rolls out.
Critical Success Factors
Business value is ultimately tied to business performance. Successful GRC programs will be tightly aligned with strategic objectives of the organization, and have the engagement of the right stakeholders across IT, security, enterprise and operational risk, ethics and compliance, audit, legal and operations.
One of the first efforts in establishing a program is to gain consensus on vision, mission and core goals. This will evolve through collaboration with stakeholders that see the value in being part of an integrated program.
Here’s an example of an integrated GRC program vision and purpose statement:
The vision of <organization’s> GRC Program is to measurably improve the business performance of the organization by providing high-value risk intelligence that proactively decreases exposures while increasing efficiencies through active governance.
The main purpose of the GRC Program is to provide advisory, innovative and reliable services that enable and support integrated and pervasive governance, risk and compliance processes for each of its stakeholder groups.
Once your program vision and purpose are defined, it’s important to understand critical success factors for people, processes and technology, as well as disruptors that can impede the success of the program. Here’s a sample of critical success factors to use to rate your organization or business unit:
- Executive commitment and a governance process for the GRC program
- Strong stakeholder relationships (IT, security, business, audit, legal, finance)
- Maturity and capability/best practice assessments against peers
- Commitment to building a common policy, risk and control framework
- Commitment to streamlining/synthesizing GRC processes
- Ability to integrate IT and security monitoring and management systems
- Common GRC management platform and apps
Assessing Stakeholder Needs and Readiness
To build out detailed priorities and goals for the GRC program, you will need to engage in and lead conversations that will help to develop and drive a sustainable, cross-functional set of initiatives. As an example, the board and senior management will require a clear and conformed view of risk across the organization, critical to defining and achieving strategic objectives. Dialogue will be required around defining risk appetite and institutionalizing a risk culture across the organization, including ways to enable individuals to act within boundaries to reduce the risk of noncompliance and adverse outcomes. Risk leaders will need to drive collaboration with other key functional executives and professionals in the execution of an integrated strategy supported by a high-value distributed program. In particular, the team will need to not only identify downside risks, but also continuously identify opportunities for the organization to execute on its strategic and operational objectives.
A table outlining the top needs of each stakeholder group is available for free download; it can help guide your conversations on priorities and needs for the GRC program.
Building a Roadmap
There are many considerations that come into play when developing a GRC program roadmap that has multiple tracks that may span several years, each of which will yield a different stream of benefits. Each initiative will have its own project dependencies, charters and critical milestones. When planning, consider the following:
- Build initiatives and apps that will provide the fastest “time to value.”
- Understand dependencies and prerequisites and think about how shared GRC information will expand with each project initiative.
- Leverage new information available across dashboards and metrics to realize more value and wider adoption.
- Consider new apps and leave room for innovation.
- Understand the organization’s information technology roadmap and build new features or data that may be integrated with upgrades from source systems.
- Leverage new information and best practice content that can be used as a reference as it becomes available.
- Remember to build in time to take in new risk platform and app features.
- Create both a 12-month action plan and a multi-year view to match to the planning horizon (two to three years), including project dependencies, charters and critical milestones.
- Plan for onboarding new stakeholders into governance and working groups with each new initiative.
Putting It All Together in a Living Statement of Benefits
Once you have a roadmap that sequences key initiatives, you can begin to build a multi-year business value summary (a sample summary is shown above). It will be important to make this a living document that shows what benefits have been realized as each initiative is launched and fully adopted.
Collaborating with a community of peers to leverage best practices and experiences can serve you well and set you up for success as you continue along your GRC journey. Remember, it takes hard work, focus and teamwork, but the payoff can be huge. By building an integrated GRC program with supporting frameworks, processes, governance, information architecture and working groups, organizations can achieve better business performance.