We’ve helped several organizations implement GRC processes and tools, and we’ve seen our fair share of successes and failures. Those who struggle with implementation usually make the same mistake. Instead of seeing eGRC software as a tool to bolster their GRC structures and supercharge their processes, they overlook all of the foundational elements that need to be planned and implemented and view the eGRC software as a silver bullet for reaching their risk and compliance goals. As a result, they soon realize they are in over their heads. A client once described this as “thinking you are stepping into a closet, then turning on a light to find that you’re in an auditorium.”
Unfortunately, that realization often comes too far along during implementation, and they reach a place where either their internal processes don’t fit the tool, or the tool is so broken that it’s no longer usable. In many cases, the projects were driven by IT as a software implementation rather than a joint effort by every department that uses the tool for their business processes; therefore, there is usually a gap between what is delivered and what the business actually needs.
The implementation of a GRC program is more than just software. It’s a change in risk and compliance management and sometimes a complete cultural shift in the governance of an organization from being reactive to proactive with risk management. Cential has steered several successful implementations because our organization emphasizes proper planning and governance over the effort.
How to Effectively Implement An Enterprise GRC Program
Beyond just PMO planning and control, the business side of the organization has to lead the implementation with participation from a team committed to the project. The key pieces of a successful implementation include a governing body over the project and knowledgeable practitioners with experience in both the GRC business side and the GRC tool.
One Critical Element In Your GRC Program: The Governing Body
Governance over the project is critical because it establishes authority over the project by the stakeholders. All involved have a say in its development, and business needs and processes drive the delivered solution. In addition, a proper governing body:
- Sets the path for the implementation and order in which business cases are developed. This is sometimes called a GRC roadmap, where an analysis is performed upfront to identify current Risk and Compliance functions and determine what areas are ripe for conversion.
- Sets standards and a clear vision over what is and is not included in the effort. eGRC software platforms are very powerful business automation tools and, therefore, can do much more than GRC. Once the business discovers this, the scope can creep, and the project can quickly get out of control.
- Promotes collaboration among all stakeholders—not just those involved in the current phase of implementation. This way, current and future stakeholders are involved enough to ensure the tool remains “enterprise” usable and not built to a single department’s needs, requiring costly and time-wasting re-work in later phases.
The structure of the governing body should be sized to fit the organization, and there are benefits in keeping it as simple as possible. The sample structures shown below are either for small implementations with only a few layers of management or for large implementations with several layers of oversight. However, the key entities needed could be as simple as a Steering Committee, Change Board, and the implementation/delivery team.
[Figure: Small Governance Structure]
[Figure: Large Governance Structure]
Whatever the governance structure selected, there are common elements that need to be in place for its success.
What the Governing Body Needs to Do
First, the governing body should define the purpose of the program by asking:
- What are the goals?
- Which elements will it be used to drive? These include, but are not limited to:
  - Policy management
  - Compliance management
  - Risk management
  - Third-party risk
  - Business continuity management
  - Audit management
- What are the priorities?
- How many phases will there be, and what will each phase encompass?
Next, define the vision for the program by determining:
- Standard metrics and scales
- Typical roles and responsibilities
- Common reporting definitions
- Common uses, look and feel, branding, infrastructure, etc.
- How to ensure an enterprise focus rather than a siloed focus
Once these key decisions are made, it’s important to establish them into a governing charter that is documented, established, communicated, and, most importantly, enforced throughout the project.
These are just a few of the ways governance shapes a GRC program. Each of the responsibilities and actions outlined can be explored in much more depth. As we have seen, the difference between the success and failure of an eGRC implementation is directly related to proper planning and oversight.
Contact us now to discuss how we can help you supercharge your GRC efforts.