Governance, Risk and Compliance management can become a large and unwieldy project to oversee due to the sheer volume of corporate information, regulations, policies, controls and groups involved across an enterprise. Knowledge Center contributor Matt Caston explains the steps your enterprise can take to achieve a successful GRC management implementation.
Coming to grips with a new market can sometimes feel like drowning in a sea of acronyms ("my G is your R is their C"), as in the case of governance, risk and compliance management. Vendors and analysts alike spend considerable energy trying to define both the individual elements and overarching goals of GRC, but they also try to do so in a differentiated way. As a result, organizations may spend as much time trying to understand these acronyms and definitions as they do mapping them to their own needs.
What is often lost in the discussion, however, is the recognition that while governance, risk and compliance are interconnected, the entry point to GRC doesn't need to cover all three areas. Understanding how GRC solutions can solve tactical problems is not as hard as you may think. With thoughtful planning, the benefits of GRC can be realized in a more efficient and cost-effective manner.
To achieve a successful GRC implementation, there are five key steps to take. First, define what GRC means to your organization. Second, survey your organization's regulatory and compliance landscape. Third, determine the most logical entry point and develop a phased approach. Fourth, establish a clear business case, considering both short-term and long-term value. And fifth, determine how success will be measured. Let's take a look at each of these five key steps in greater detail.
Step No. 1: Define what GRC means to your organization
In most cases, there are many players involved in developing and implementing a GRC strategy. Before heading down a path solo, any GRC project leader should first work closely with the groups that will benefit most from a streamlined GRC program. These groups include legal, internal and IT audit, as well as the corporate ethics and
The primary goal at this stage is to establish a common GRC lexicon. Essentially, the groups need to come to agreement on what GRC means to the organization as a whole. Taking this initial step will greatly reduce confusion, particularly as compliance and regulatory priorities are evaluated by the team. Consider this phase a fact-finding mission too, since there may be particular departments that can further support the program with additional financial, people or time resources.
Step No. 2: Survey your organization's compliance and regulatory landscape
Even the most mature organizations have trouble answering the question, "How many regulations and associated controls do we manage?" As a result, don't be surprised if it takes a bit of time and effort to complete an initial survey. This is one of the most critical steps in getting started and will be a major factor in building a successful business case for a comprehensive GRC program.
A key step here is to look at the big picture. It's easy to focus on just the most visible requirements of the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act), GLBA (the Gramm-Leach-Bliley Act) and PCI DSS (the Payment Card Industry Data Security Standard). Yet, when it comes to GRC, the surveying process may help uncover disproportionate investments in certain requirements (such as an unnecessary focus on state and local or international regulations). Capturing these requirements during the survey process provides a much clearer view into the existing investments in regulatory compliance, and will help the GRC project leader determine areas of potential cost savings or additional investment.