Where to Begin?
As compliance requirements grow it becomes critical for your business to manage and report your risks and compliance efforts and results efficiently. A Governance, Risk, and Compliance (GRC) program can provide the necessary means given that your organization implements the right processes supported by the right GRC tools. Unfortunately, many organizations struggle with know where to start. Here, we’ll to provide a brief checklist of ideas to set you on the right path.
Often times companies buy an eGRC system hoping it can serve as their ‘magic bullet’ to GRC success. Before you even begin searching for a GRC system you need to establish a foundation for the effort:
- Get people throughout the organization involved.
Successful governance and regulatory compliance requires involvement from leaders throughout your organization. Therefore, it makes sense to have them involved in the selection and implementation of tools. The benefits are a better solution that works for the enterprise rather than one sector or department and buy-in from a larger cross-section of leadership helps translate to buy-in from end users after the implementation.
- Establish a governance structure over the project
As with any large-scale system implementation there needs to be a governance structure established to guide review and steering for the selection, implementation, and customization. This governance should consist of representation from across the organization from areas that have a similar vested interest in the project and its outcome.
- Consider the business processes that will and will not use the GRC System
Today’s leading GRC systems are very versatile can include several “modules” or “solutions” that are focused on particular business areas, such as Vendor Management or Audit. Establishing the scope of business processes that will use the tools is critical for budgeting and selecting a system with the right fit that meets your needs.
- Consider the sources of current information
GRC systems offer a wide range of integration or data import capabilities. Exploring what data will be necessary and available for the GRC system is critical to understanding how the system will be used. For example, if Information Technology wishes to perform bottom up risk assessments but an accurate inventory of applications or devices does not exist then other features should be considered to meet this objective. An accurate Change Management Database (CMDB) is crucial for this piece, and if one does not exist, the effort to implement one should be considered as a prerequisite for the project.
- Commit to proper staffing for the project and production support
Proper staffing for the effort is key not only for the implementation of the GRC system but also for its care and feeding in production. eGRC system implementations or customization efforts often fail without skilled and experienced resources. When undertaking such a project be sure to have resources with a track record of success. Of course, resource requirements don’t end after implementation or customization. We have seen many successful GRC implementations fail later due to inadequate user adoption and/or support for the platform. Be sure that your organization retains adequate talent to achieve lasting success after the dust settles.
In Conclusion
Successful GRC program implementations require considerable up front efforts. Get leadership across departments involved, establish guidance from a governance structure, plan the scope of the system business processes, determine data needs and availability, and ensure that proper resources are available for continued success of the function.
Stay tuned for more topics such as:
- Tips for developing a solution,
- Rolling out the program, and
- Training and gaining user adoption.