Connect-GRC-012011

Does Centralizing GRC Begin With IT?

By Rick Ensenbach

In the past several years, interest in centralizing governance, risk management and compliance (GRC) activities within companies and organizations has captured the attention of IT and information security leaders. Often, however, they face resistance when they try to engage their enterprise’s leadership in GRC. What’s the root of this problem and what can you do to overcome it in your company?

Let’s start by examining what GRC is. Depending on who you are talking to, GRC could mean:

An approach to business that harmonizes governance, risk and compliance efforts across the enterprise, to provide a consistent and holistic view of GRC

or

A means to automate the management, measurement, remediation and reporting of controls and risks against objectives, in accordance with internal or external requirements

The important difference is that the first definition refers to a program and the second to technology.

When the IT department is the first to recognize the potential of GRC, they tend to see it primarily as a technology. This is understandable when you consider the benefits that can come from implementing an IT GRC management tool that can do the following things:

  • Define and manage policies, processes and controls
  • Map policies to controls
  • Map controls to objectives such as regulatory requirements and internal mandates
  • Map controls to assets
  • Evaluate and measure risks
  • Automate auditing and regulatory reporting
  • Manage manual-control self-assessments
  • Train the workforce
  • Manage remediation and exceptions
  • Address auditor reporting requirements
  • Produce executive management reports

Who wouldn’t like that? The root problem for enterprise-wide adoption is that internal advocates lead with the technology and not the program. It is like making a cross-country trip without a map or plan. Considering what GRC technology solutions have to offer, it is not unusual for organizations to get caught up in buying more than they can implement in a reasonable amount of time, or to mistakenly buy features that solve 20% of their problems instead of 80%. That doesn’t demonstrate the full power of these tools to your enterprise leadership.

What’s the answer? Let’s look at what IT organizations and information security leaders should be doing prior to buying a solution to reap the benefits from an IT GRC management tool.

Determine business drivers – To the best of your ability, determine everything that will justify the purchase of a GRC tool, and also what will drive the continued success of the tool. This could be regulatory requirements, strategic IT and business initiatives, internal compliance requirements, process improvement or efficiency, a centralized repository/source of truth, etc.

Business alignment – Even if the business hasn’t thought about enterprise GRC, that’s no reason not to include them in the planning and purchasing discussions. This might be a unique opportunity for you to show the business you are interested in what they have to say and how their needs could drive a successful GRC tool implementation. Who knows, if you can show them the value of a GRC tool, they might even agree to help pay for it.

Define the problems and prioritize – I would venture to guess that your list of problems will be lengthy. You will never be able to solve all of your headaches by purchasing all the bells and whistles in one purchase. In fact, if you attempt to do this, you’ll probably find out that you now have a bigger headache. The important thing here is to list your problems and then prioritize them by order of importance. In other words, think of which features in a GRC tool will bring you as close as possible to solving 80% of your problems, rather than 20%. And don’t forget about the business when making your list. Their problems are your problems.

Benefits – Okay, if you have figured out business alignment and defined and prioritized your problems, it won’t be hard to see the benefits. As any information security professional can tell you, being able to show a return on investment (ROI) is priceless!

Strategy – Now it’s time to take what you did in the previous steps and put it all together to determine the most important and affordable functions you want to purchase in an IT GRC management solution. Remember the 80% rule and most importantly, purchase only what you can successfully implement in a short period of time. To do this, you will have to carefully work with the vendor to develop an implementation plan.

Monitoring and measuring effectiveness – As with any program or technology implementation, you don’t know what you don’t know. You can’t determine whether you achieved your goals unless you monitor and measure effectiveness. This is not a one-time event but rather an ongoing process, so make sure you have a plan in place by defining what you want to monitor and measure. But remember, you also have to be ready to adjust if what you measure shows that you are not solving your problems or seeing the benefits you previously identified.

Communicate – Once you’ve completed all this great work and your investment is paying dividends, why not communicate this to anyone who will listen, especially upper management? It is time to toot your horn!

Aeritae has successfully helped several companies with IT GRC tool deployment. We also have experience with several of the most commonly purchased software solutions. But what Aeritae brings to the table that is most important is a solid understanding of business and leadership and an unbiased approach to IT GRC solutions. Let us help you down the path to a successful implementation of your GRC program. Please contact us with any questions.