How to Achieve a Successful GRC Implementation

Governance, Risk and Compliance management can become a large and unwieldy project to oversee due to the sheer volume of corporate information, regulations, policies, controls and groups involved across an enterprise. Knowledge Center contributor Matt Caston explains the steps your enterprise can take to achieve a successful GRC management implementation.


Coming to grips with a new market can sometimes feel like drowning in a sea of acronyms ("my G is your R is their C"), as in the case of governance, risk and compliance management. Vendors and analysts alike spend considerable energy trying to define both the individual elements and overarching goals of GRC, but they also try to do so in a differentiated way. As a result, organizations may spend as much time trying to understand these acronyms and definitions as they do mapping them to their own needs.

What is often lost in the discussion, however, is the recognition that while governance, risk and compliance are interconnected, the entry point to GRC doesn't need to cover all three areas. Understanding how GRC solutions can solve tactical problems is not as hard as you may think. With thoughtful planning, the benefits of GRC can be realized in a more efficient and cost-effective manner.

To achieve a successful GRC implementation, there are five key steps to take. First, define what GRC means to your organization. Second, survey your organization's regulatory and compliance landscape. Third, determine the most logical entry point and develop a phased approach. Fourth, establish a clear business case, considering both short-term and long-term value. And fifth, determine how success will be measured. Let's take a look at each of these five key steps in greater detail.

Step No. 1: Define what GRC means to your organization

In most cases, there are many players involved in developing and implementing a GRC strategy. Before heading down a path solo, any GRC project leader should first work closely with the groups that will benefit most from a streamlined GRC program. These groups include legal, internal audit and IT audit, as well as the corporate ethics and risk groups.

The primary goal at this stage is to establish a common GRC lexicon. Essentially, the groups need to come to agreement on what GRC means to the organization as a whole. Taking this initial step will greatly reduce confusion, particularly as compliance and regulatory priorities are evaluated by the team. Consider this phase a fact-finding mission too, since there may be particular departments that can further support the program with additional financial, people or time resources.

Step No. 2: Survey your organization's compliance and regulatory landscape

Even the most mature organizations have trouble answering the question, "How many regulations and associated controls do we manage?" As a result, don't be surprised if it takes a bit of time and effort to complete an initial survey. This is one of the most critical steps in getting started and will be a major factor in building a successful business case for a comprehensive GRC program.

A key step here is to look at the big picture. It's easy to focus on just the most visible requirements of the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act), GLBA (the Gramm-Leach-Bliley Act) and PCI DSS (the Payment Card Industry Data Security Standard). Yet, when it comes to GRC, the surveying process may help uncover disproportionate investments in certain requirements (such as an unnecessary focus on state and local or international regulations). Capturing these requirements during the survey process provides a much clearer view into the existing investments in regulatory compliance, and will help the GRC project leader determine areas of potential cost savings or additional investment.