Step No. 5: Determine how success will be measured
Crafting success criteria that map to actual GRC functions and to the owners previously identified is a critical grounding step in the process. With a refined understanding of the status quo (the existing landscape), scope and associated business case for the program, carefully crafted success criteria mapped to specific departments and functions will allow project stakeholders to see their own specific expected benefits. Success criteria will take different shapes for various departments. The key is in communicating the criteria to the broader team both before and during subsequent phases of the project.
Seven success criteria and metrics that you might want to consider are:
1. A reduction of redundant controls and associated time to execute (audit, test and remediation)
2. A reduction in control failure
3. A decrease in legal (review) cost
4. A decrease in business unit audit overhead
5. Improved agility through compliance automation
6. Improved and timely routine reporting
7. Real-time executive visibility into compliance status
Most mid-to-large organizations should be able to walk through these initial activities in 10 days or less. After following these five key steps to a successful GRC implementation, you will know who owns the area of compliance management, how many regulations your organization is currently maintaining and how many controls are associated with those regulations. Further, the GRC project leader should have a broad understanding of the high-level cost and effort associated with maintaining and testing those controls.
Many enterprises are seeking support from software solution providers to streamline and automate their overall GRC management initiatives. GRC can become a large and unwieldy project to oversee just because of the sheer volume of corporate information, regulations, policies and controls, not to mention the many players involved across the organization. With these steps complete, you will be in a much stronger position to qualify vendors and solutions and to determine the best fit for your organization, based on a well-defined project scope and equally well-defined business requirements and associated benefits.