Coming to grips with a new market can sometimes feel like drowning in a sea of acronyms-“my G is your R is their C”-as in the case of governance, risk and compliance management. Vendors and analysts alike spend considerable energy trying to define both the individual elements and overarching goals of GRC, but they also try to do so in a differentiated way. As a result, organizations may spend as much time trying to understand these acronyms and definitions as they do mapping them to their own needs.
What is often lost in the discussion, however, is the recognition that while governance, risk and compliance are interconnected, the entry point to GRC doesn’t need to cover all three areas. Understanding how GRC solutions can solve tactical problems is not as hard as you may think. With thoughtful planning, the benefits of GRC can be realized in a more efficient and cost-effective manner.
To achieve a successful GRC implementation, there are five key steps to take. First, define what GRC means to your organization. Second, survey your organization’s regulatory and compliance landscape. Third, determine the most logical entry point and develop a phased approach. Fourth, establish a clear business case, considering both short-term and long-term value. And fifth, determine how success will be measured. Let’s take a look at each of these five key steps in greater detail.
Step No. 1: Define what GRCmeans to your organization
In most cases, there are many players involved in developing and implementing a GRC strategy. Before heading down a path solo, any GRC project leader should first work closely with the groups that will benefit most from a streamlined GRC program. These groups include the legal, internal and IT audit, as well as the corporate ethics and risk groups.
The primary goal at this stage is to establish a common GRC lexicon. Essentially, the groups need to come to agreement on what GRC means to the organization as a whole. Taking this initial step will greatly reduce confusion, particularly as compliance and regulatory priorities are evaluated by the team. Consider this phase a fact-finding mission too, since there may be particular departments that can further support the program with additional financial, people or time resources.
Step No. 2: Survey your organization’s compliance and regulatory landscape
Even the most mature organizations have trouble answering the question, “How many regulations and associated controls do we manage?” As a result, don’t be surprised if it takes a bit of time and effort to complete an initial survey. This is one of the most critical steps in getting started and will be a major factor in building a successful business case for a comprehensive GRC program.
A key step here is to look at the big picture. It’s easy to focus on just the most visible requirements of the Sarbanes-Oxley Act, HIPAA (the Health Insurance Portability and Accountability Act), GLBA (the Gramm-Leach-Bliley Act) and PCI DSS (the Payment Card Industry Data Security Standard). Yet, when it comes to GRC, the surveying process may help uncover disproportionate investments in certain requirements (such as an unnecessary focus on state and local or international regulations). Capturing these requirements during the survey process provides a much clearer view into the existing investments in regulatory compliance, and will help the GRC project leader determine areas of potential cost savings or additional investment.
Determine the Most Logical Entry Point
Step No. 3: Determine the most logical entry point and develop a phased approach
The GRC space covers a broad spectrum of functions and activities. However, a GRC-related project can be much more focused. It is possible, and in many cases preferable, to focus on a discrete area with opportunity to expand the program in the future.
For example, compliance management represents an excellent starting point because many enterprises are struggling with the growing complexity of regulatory compliance. Additionally, compliance management-while sometimes costly to initiate and sustain-can be leveraged for process improvement.
Specifically, many core ITIL (Information Technology Infrastructure Library) and ISO (International Organization for Standardization) work streams have direct relationships to regulatory mandates. Take ISO 27000, the specification for Information Security Management Systems, as an example. Generally, 20 to 30 percent of an enterprise’s SarbOx-related controls will overlap or complement the specifications presented in the ISO 27000 series. From an IT vantage point, this represents either an alternate or parallel entry point to leveraging a GRC solution because risk and compliance are being addressed at the same time (by meeting the requirements of a single set of specifications).
Therefore, managing IT security investments and processes within a GRC platform-whether or not the IT organization wants to attain or maintain ISO 27000 compliance (in whole or part)-can help achieve the same benefits found within the overall corporate compliance program. With this approach, the GRC project leader is in a position to align IT security initiatives to the overall governance strategy, as well as to the risk mitigation priorities for the business.
The most important thing to remember at this stage is that some organizations may want to consider a phased approach to GRC. Sometimes garnering buy-in from the broader stakeholders in the organization requires a GRC project leader to pick one entry point as a starting place. The end goal should, of course, be a unified and centralized GRC management platform. But, in many cases, addressing one element at a time can set the team on the best path for success and help the group see the true benefits of the GRC program.
Establish a Clear Business Case
Step No. 4: Establish a clear business case, considering both short-term and long-term value
Assuming compliance management is the entry point for your GRC programs, it is important to quantify your existing investments to help provide proof points to garner support for the initiative. Every business case will require inputs for solution and project costs. Make sure to work with your software and hardware partners to leverage their ROI, TCO and business case tools.
This step can dramatically reduce the amount of effort required to inventory and document your environment. Even if the specific tools do not meet your needs, partners can be an excellent source of information for building the basic worksheets and questionnaire you will use to organize your requirements and data.
While a robust business case and ROI analysis will cover topics such as scope, cost, TCO and operational benefits, the following four key questions must be addressed from a high level:
Question No. 1: Drivers and Benefits: What is driving the GRCinitiative and what are the desired benefits?
Question No. 2: Labor: What is the project’s labor investment (hours times cost) across audit functions, business units and legal? Be sure to include both inside and outside counsel.
Question No. 3: Controls: How many controls are currently under management? Are there 1,000, 2,000 or more?
Question No. 4: Control Failure: What percentage of controls fail during the audit cycle? How many audit issues are open?
Against this backdrop of insights, it is also important to understand the forecast improvement for the initiative: What are your priorities? Is it reduction in effort, cost or fines? Perhaps it’s a need for overall agility in responding to new or updated regulations. Defining these priorities will help complement the business case while anchoring your organization’s short-term and long-term GRC objectives.
Determine How Success Will Be Measured
Step No. 5: Determine how success will be measured
Crafting success criteria that map to actual GRC functions and to the owners previously identified is a critical grounding step in the process. With a refined understanding of the status quo (the existing landscape), scope and associated business case for the program, carefully crafted success criteria mapped to specific departments and functions will allow project stakeholders to see their own specific expected benefits. Success criteria will take different shapes for various departments. The key is in communicating the criteria to the broader team both before and during subsequent phases of the project.
Seven success criteria and metrics that you might want to consider are:
1. A reduction of redundant controls and associated time to execute (audit, test and remediation)
2. A reduction in control failure
3. A decrease in legal (review) cost
4. A decrease in business unit audit overhead
5. Improved agility through compliance automation
6. Improved and timely routine reporting
7. Real-time executive visibility into compliance status
Most mid-to-large organizations should be able walk through these initial activities in 10 days or less. After following these five key steps to a successful GRC implementation, you will know who owns the area of compliance management, how many regulations your organization is currently maintaining and how many controls are associated with those regulations. Further, the GRC project leader should have a broad understanding of the high-level cost and effort associated with maintaining and testing those controls.
Many enterprises are seeking support from software solution providers to streamline and automate their overall GRC management initiatives. GRC can become a large and unwieldy project to oversee just because of the sheer volume of corporate information, regulations, policies and controls-not to mention the many players involved across the organization. With these steps complete, you will be in a much stronger position to qualify vendors and solutions and to determine the best fit for your organization, based on a well-defined project scope and equally well-defined business requirements and associated benefits.