Building the Right Foundation for Governance, Risk, and Compliance (GRC)


Can't I just build a wall first and worry about the foundation later?

No. Not really.

There are three primary reasons for spending some time upfront developing your GRC foundation:

  1. Create a simple model of a complex business: Large bananas, small bananas, plantations, workers, weather, fertilizer, transportation, financial data, IT assets, facilities, etc. – working with 'The Wide World of Bananas, Inc.' example – the business of doing business is not easy. Factor in all the banana peels dropped by workers snacking on bananas on the sly and this makes for a very complex and risky work environment. A simple GRC foundation data model based on best practices allows you to reduce all the complexity into well-defined libraries (risks, organizations, processes, etc.) with clear relationships between them.
  2. Create consistent language and terminology: We are a banana company! Let's make sure that we're all talking about bananas and bananas alone. No oranges, no pomegranates and no onions either. In other words, if we're talking about our products, let's make sure that we're all talking about the same set of products. If we're talking about risks, let's make sure that we're looking at them consistently. The risk of business data loss is the same risk whether it is in a line of business or whether it is in HR. The impact and implications are different in each case, but the risk is the same.
  3. Properly support downstream GRC activities: Say we start building GRC out in the group that ships bananas worldwide. Their risk library likely starts off with Level 1 risks for weather, shipping delays, improper packaging, etc. Say we go ahead and implement this as our risk library at first, and then along comes the CIO looking to implement an IT risk program. As the CIO's team starts thinking about IT risks, they suddenly find the first level of the risk library full of low-level shipping-related risks. The answer, of course, is that the organization should have anticipated future growth and placed the detailed shipping risks at (say) Level 3 under 'shipping' as a Level 2 risk and 'operations' as a Level 1 risk. This would have allowed the IT group to subsequently create an 'information technology' Level 2 risk under 'operations.'

Lines of businesses, legal entities, functions, people, business processes, risks, controls, products, projects, programs, strategic initiatives, servers, facilities, suppliers – the business of doing business is complicated. And if we are to create a well-governed and risk-aware organization that reaches for the sky on the shoulders of GRC, then we need a simple and consistent way to handle all this complexity. Furthermore, as with all foundations, creating it requires a solid understanding of what we're going to put on top of it. So, a comprehensive GRC foundation will need to be informed by GRC activities such as policy management, risk management, supply chain governance, IT risk, security, etc., so that it, in turn, can support all these activities with a common framework.

Before we get ahead of ourselves, if you're still wondering what 'GRC' is, then here's a quick introduction to the topic. OK, with that out of the way, let's move on and enlist the help of our friendly neighborhood banana company, 'The Wide World of Bananas, Inc.', to be our role model for the day. "Why 'bananas'?" you say. Well, that's easy – because they are yellow, healthy and such a fun fruit! And, like the banana, the business of growing and delivering them to your friendly neighborhood grocer hides more complexity than the surface lets on.

In this slideshow, Vasant Balasubramanian, vice president of product management at MetricStream, takes a closer look at building a strong foundation for GRC.
