Building the Right Foundation for Governance, Risk, and Compliance (GRC)


Speaking the lingua franca of business objectives & risks

A common set of clearly articulated and measurable business objectives goes a long way in ensuring organizational alignment and eventual attainment of the goals. Documenting these business objectives within GRC enables organizations to proactively measure risk and put controls in place to reduce the risk of missing the objectives. In other words, if 'The Wide World of Bananas, Inc.' identified a business objective to sell 50 percent more bananas in Europe within a year, they would be well served to measure the risks that might prevent them from attaining that objective, and then put preventive controls in place to mitigate that risk.

And this brings us to the risk library. This is one of the central components of a GRC foundation and it is important to take the long view when planning out a risk library for your organization. Typical risk libraries are hierarchical in nature with six to 10 risks at Level 1 and three to 10 sub-risks at any given level. A risk library may be anywhere from one to four levels deep. Anything beyond three to four levels of hierarchy starts becoming far too granular and then you're left 'sweating the small stuff' – like whether you should package 12 or 13 bananas in a box.

While designing the risk library, note that different business groups may perform their risk assessments at different levels of the risk hierarchy. For instance, enterprise-level risk assessments may be conducted on organizations by reviewing just the six to 10 Level 1 risks. On the other hand, an IT organization conducting IT risk assessments may assess risk to critical business processes by measuring more granular risks at (say) Level 3 of the risk hierarchy.
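As an added illustration (not code from the article or from MetricStream), the following Python models a risk library as a tree, checks it against the fan-out and depth limits described above, and lists the risks a given group would assess at one level of the hierarchy; the banana-company risks are constructed sample data.

```python
# Added example, not MetricStream's code; limits are the article's, sample data is constructed.
from dataclasses import dataclass, field

MAX_DEPTH = 4                 # deeper than this is 'sweating the small stuff'
LEVEL1_MIN, LEVEL1_MAX = 6, 10  # allowed number of Level 1 risks
SUB_MIN, SUB_MAX = 3, 10        # allowed sub-risks under any non-leaf risk


@dataclass
class Risk:
    name: str
    children: list = field(default_factory=list)

    def add(self, *names):
        """Attach sub-risks and return self so calls chain."""
        self.children.extend(Risk(n) for n in names)
        return self


def walk(library, level=1):
    """Yield (risk, level) for every node, depth-first from the Level 1 list."""
    for risk in library:
        yield risk, level
        yield from walk(risk.children, level + 1)


def validate(library):
    """Return constraint violations for a list of Level 1 risks ([] means valid)."""
    problems = []
    if not LEVEL1_MIN <= len(library) <= LEVEL1_MAX:
        problems.append(f"Level 1 has {len(library)} risks, expected {LEVEL1_MIN}-{LEVEL1_MAX}")
    for risk, level in walk(library):
        if level > MAX_DEPTH:
            problems.append(f"'{risk.name}' is at level {level}, max is {MAX_DEPTH}")
        if risk.children and not SUB_MIN <= len(risk.children) <= SUB_MAX:
            problems.append(f"'{risk.name}' has {len(risk.children)} sub-risks, expected {SUB_MIN}-{SUB_MAX}")
    return problems


def risks_at_level(library, level):
    """Risks one group assesses: enterprise review at Level 1, IT assessment at Level 3."""
    return [risk.name for risk, depth in walk(library) if depth == level]


def sample_library():
    """Constructed risk library for 'The Wide World of Bananas, Inc.'."""
    supply = Risk("Supply chain").add("Crop failure", "Supplier default", "Shipping delay")
    supply.children[2].add("Port congestion", "Container shortage", "Customs hold")
    return [Risk("Strategic"), Risk("Financial"), Risk("Operational"),
            Risk("Compliance"), Risk("IT and security"), supply]
```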

Lines of business, legal entities, functions, people, business processes, risks, controls, products, projects, programs, strategic initiatives, servers, facilities, suppliers – the business of doing business is complicated. And if we are to create a well-governed and risk-aware organization that reaches for the sky on the shoulders of GRC, then we need a simple and consistent way to handle all this complexity. Furthermore, as with all foundations, creating it requires a solid understanding of what we're going to put on top of it. So, a comprehensive GRC foundation will need to be informed by GRC activities such as policy management, risk management, supply chain governance, IT risk, security, etc., so that it, in turn, can support all these activities with a common framework.

Before we get ahead of ourselves, if you're still wondering what 'GRC' is, then here's a quick introduction to the topic. OK, with that out of the way, let's move on and enlist the help of our friendly neighborhood banana company, 'The Wide World of Bananas, Inc.' to be our role model for the day. "Why 'bananas'?" you say. Well, that's easy – because they are yellow, healthy and such a fun fruit! And, like the banana, the business of growing and delivering them to your friendly neighborhood grocer hides more complexity than the surface lets on.

In this slideshow, Vasant Balasubramanian, vice president of product management at MetricStream, takes a closer look at building a strong foundation for GRC.



