Continuing the discussion on GRC implementations, it would be worth exploring the discovery phase of the project that’s critical to defining the scope of the GRC program. Without understanding where your risk and compliance activities are happening there is a risk that these are left out of the scope of the GRC implementation. I’ve assisted several organizations with planning their GRC implementations and have found they want to jump into one use case and skipping this step thereby missing opportunities in other areas.
I’ve conducted discovery exercises much like audit planning as the activities are much the same: Research, Plan, Interview, and Document the results. However, there are a few tweaks to these we’ll look at. Find the champion
– every organization has a sponsor that is leading the charge to implement GRC practices. Let face it, you wouldn’t be here if there wasn’t. However, that doesn’t mean they will champion the effort to the rest of the organization. Find the GRC evangelist that will help you liaison with the business leaders and get them on board with the effort. Find a project manager
– I’ve found that some organizations want all the benefits of the planning without committing the time to create it. Identifying a project manager on the client side, whether they are formally or informally assigned the role, is very helpful in scheduling meetings, reserving rooms, etc. They have knowledge and access into the organization that you won’t such as email and org charts. Gather high level information
– Gathering organizational structure information will help in breaking down the business into areas where risk and compliance activities may be carried out. This helps with determining who the leaders are in each area and staying focused to a segment of the business rather than trying to take in the entire organization at once. Begin talking to leaders
– Hold interviews, either individually or as a group, with leaders in these business areas. I usually stay with the head of the area and one level down as these folks are usually those responsible for executing risk/compliance activities. While meeting with them try and answer the following questions:
- What are the processes and are they documented?
- What are the pain points to these?
- What technologies, if any, are being used?
- What would make risk/compliance easier?
Once all these steps are carried out and you’ve gathered a trove of information it’s time to organize it into something that makes sense; however, I’ll have to cover that later. In the next installment of this blog I will provide some tips to evaluate and score each business area thereby providing the organization with a map of their risk/compliance maturity and where their first efforts should be focused for the GRC project.