One theme we experience over and over when working with clients who are implementing or improving Governance, Risk Management, and Compliance (GRC) processes and the eGRC systems that support them is their overwhelming appetite for “big bang” implementations. Overzealous leaders want to include every complicated and advanced technique they can think of, dig up, or hear about in their implementation.
Usually, there’s a big difference between ‘best in the world’ and what’s best for your organization. An organization may be at the top tier in their industry, but that doesn’t mean they’re ‘world class’ at every internal business function. Those who expect to go from zero to world class without realistically focusing on the smaller milestones in between are setting themselves up for failure.
Unfortunately, overzealous leaders may not see it that way. If including a GRC activity is good, and scoping in some corporate assets is good, then more activities and more coverage must be better, right? We’ve seen a client’s phase 1 goal state that bottom-up risk assessments will achieve 100% coverage of all corporate assets, assessed in the first 12 months and repeated annually thereafter, even though the organization has 1,000+ applications and 20,000+ devices, its GRC team has 5 or fewer resources (of which 1 or 2 will actually run the assessments), and its asset inventory data is inaccurate or incomplete. Although their GRC program is often in the first stage of the maturity model, these organizations are prone to include in their phase 1 plan advanced GRC processes that rely on non-existent foundational pieces. Impatient leaders can mistake important dependencies for minor hurdles. One example is implementing process, risk, and control self-assessments (pRCSAs) in the same phase as populating the risk register, policies, control standards, and business processes. Another is integrating vulnerability scanning results while the vulnerability scanning tool is still being tuned.
Often, the client isn’t fully at fault for having such unrealistic expectations, and therefore for setting unreasonable goals based on them. Exaggerated statements in eGRC sales materials and unrealistic demos given by salespersons (wait, the whole enterprise asset inventory, asset owners, the risk register, all policies, and all controls are already fully populated!?) set those expectations from the start. And don’t expect any help from the larger consulting firms. They know that hitting the client with reality won’t help them meet their sales goals. These vendors have offshore teams that can pump out a complex “solution,” and they “move past” these hurdles by doing things like populating the inventories with one-size-fits-all record sets that are not applicable to the business and create more work to clean up. The problem is: garbage in, garbage out. By the time the client realizes the near impossibility of using what has been delivered, the big firm has already collected its money (and lots of it) and has a different set of folks overseas building the same thing for its next client.
Unfortunately, this leads to a repeating scenario for experienced experts: bringing the client’s understanding of the current state of their GRC program back in line with reality. It’s not a pleasant conversation breaking the news to a client that they aren’t just using their huge, custom-built system incorrectly. In fact, the heavily customized “solutions” they were delivered do not fit their department’s needs or processes at all. This is so hard to take that we’ve seen situations where the initial opinion had to be justified by another consulting firm’s second, and even another firm’s third, opinion before the client accepted where they actually stood and was ready to move forward based on that new understanding.
Showing them that the actual roadmap to GRC program maturity is better delivered in small steps, and that the first iteration might be simpler than they’d imagined, sometimes leaves them wanting. But you know what? It’s the right thing to do. There’s power in that simplicity — proving initial results and building iteratively on that foundation maximizes the chances that their organization will actually achieve its GRC program goals.
Now, here’s the good news. After the dust settles and the client’s ready to move forward, the correct way to proceed is simpler, not more complex, than leadership might think. Need to implement underlying processes to populate and periodically refresh your enterprise risk hierarchy and risk register? There’s a simpler way! Need to establish proper data feeds from CMDBs to build your enterprise asset inventory? Take it a step at a time! Have you tuned your vulnerability scanners and you’re ready to integrate their results with your risk data? We’ll help build the foundation and iterate! Need some quick wins to show leadership results from their eGRC investment? We know where to focus effort to get results and how to put a spotlight on those for leadership to see!
This introduction is the first of a series of GRC process simplification posts we’ll be providing over the coming months. In future articles, we’ll be walking through, in detail, the common complexities that cause problems in initial process implementations, and the simplification methods we’ve seen used most successfully. We’ve repeatedly implemented Risk Management, Compliance Management, Security Operations Management, Policy Management, Issues Management, and other processes at clients and we’ve collected simplification tips for each one that clients can use to move from non-existent to operational, or from immature to a more optimized state – in a shorter amount of time and with maximum results. Stay tuned, because in the next simplification article we’ll do a deep dive into one of these areas. We’ll highlight the pieces that organizations often try to shoehorn in up front that just don’t work for their phase of maturity, and we’ll show how to get complete, meaningful, and reportable GRC data from these initial processes.
GRC processes and the systems that support them are a fundamental part of any organization’s overall risk mitigation strategies, and when implemented correctly, they can go a long way to help your company achieve their main objectives. Over the next few posts in this series, we’ll begin the walk down that road that leads to GRC program effectiveness, and we’ll show a shortcut or two we’ve seen along the way.