Building the Right Foundation for Governance, Risk, and Compliance (GRC)


And everything else…

In addition to these basic elements, other components of a GRC foundation may include business processes, functions, assets, asset classes, suppliers, services, products, projects, programs, etc. The specific choice of which of these components make it into your GRC program and when depends on the order in which you fold in additional GRC activities and programs along your GRC journey.

And, lastly, any conversation about a GRC foundation would be incomplete without talking about the relationships between the different data libraries. For instance, one or more business processes reside in one or more organizations. One or more IT assets may support one or more of these business processes. One or more controls may apply to one or more of these IT assets, and so on. Decisions about which relationships are relevant and important to put in place, again, depend on the order in which your GRC journey unfolds. For instance, our banana company will likely start off modeling shipping providers and connecting them to granular Level 3 risks under a Level 2 risk called 'shipping.' Subsequently, as the IT team comes on board the GRC program, they will map assets and asset classes to the same risk library … but to Level 3 risks under the 'information technology' Level 2 risk. And so on.

To be sure, it is unlikely that you will start on all the different GRC foundational components that we discussed here because your GRC activities will likely evolve in phases over time, giving each phase time to be absorbed by the organization, and in turn informing the next phase. However, it is important to have a vision for where your GRC journey will eventually take you and ensure that you are making the right decisions upfront that will bring you to success on that journey without too many deviations. With a little planning upfront, that bright yellow glow in the distance may be a bright new tomorrow … or a big pile of bananas, depending on your point of view.

Lines of business, legal entities, functions, people, business processes, risks, controls, products, projects, programs, strategic initiatives, servers, facilities, suppliers – the business of doing business is complicated. And if we are to create a well-governed and risk-aware organization that reaches for the sky on the shoulders of GRC, then we need a simple and consistent way to handle all this complexity. Furthermore, as with all foundations, creating one requires a solid understanding of what we're going to put on top of it. So, a comprehensive GRC foundation will need to be informed by GRC activities such as policy management, risk management, supply chain governance, IT risk, security, etc., so that it, in turn, can support all these activities with a common framework.

Before we get ahead of ourselves, if you're still wondering what 'GRC' is, then here's a quick introduction to the topic. OK, with that out of the way, let's move on and enlist the help of our friendly neighborhood banana company, 'The Wide World of Bananas, Inc.', to be our role model for the day. "Why 'bananas'?" you say. Well, that's easy – because they are yellow, healthy and such a fun fruit! And, like the banana, the business of growing and delivering them to your friendly neighborhood grocer hides more complexity than the surface lets on.

In this slideshow, Vasant Balasubramanian, vice president of product management at MetricStream, takes a closer look at building a strong foundation for GRC.
