We have helped several organizations implement GRC processes and tools and have seen our fair share of successes and failures. A common thread among those who struggle is that, instead of seeing an eGRC software tool as something to bolster their GRC structures and supercharge their processes, they overlook all of the foundational elements that need to be planned and implemented and view the purchase of an eGRC software tool as a silver bullet for reaching their Risk and Compliance goals. They soon realize they are in over their heads. I had a client once describe this as, “thinking you are stepping into a closet, then turning on a light to find that you’re in an auditorium.”
Unfortunately, that realization often comes late in the implementation, at a point where the internal processes no longer fit the tool or the tool is so broken that it is no longer usable. In many cases, the project was driven by IT as a software implementation rather than jointly by all of the departments that will use the tool for their business processes, so there is usually a gap between what is delivered and what the business actually needs. Implementing GRC is more than installing software. It is a change in how risk and compliance are managed and sometimes a complete cultural shift in the governance of an organization, from reactive to proactive risk management.
Cential has steered several successful implementations because we understand the gravity and importance of proper planning and governance over the effort. Far beyond just PMO planning and control, the business side has to lead the effort with participation from a team committed to the project. The key pieces of a successful implementation include a governing body over the project and knowledgeable practitioners with experience in both the GRC business side and the GRC tool.
For the purpose of this blog, let’s talk about one critical element — the governing body. Governance over the project is critical because it establishes the stakeholders’ authority over the project: all involved have a say in its development, and business needs and processes drive the delivered solution. In addition, a governance authority:
- Sets the path for the implementation and order in which business cases are developed. This is sometimes referred to as a GRC roadmap where an analysis is performed up front to identify current Risk and Compliance functions and determine what areas are ripe for conversion.
- Sets standards and a clear vision over what is and is not included in the effort. eGRC software platforms such as RSA Archer are very powerful business automation tools and therefore can do much more than GRC. Once the business discovers this, scope can creep and the project can easily get out of control.
- Fosters collaboration among all stakeholders, not just those involved in the current phase of implementation. This is where a solid GRC roadmap is handy: current and future stakeholders are both involved, which keeps the tool usable across the enterprise rather than initially built to a single department’s needs, which would require costly and time-wasting rework in later phases.
The structure of the governing body should be sized to fit the organization and we see benefit in keeping it as simple as possible. A structure such as the example shown is more for large implementations with several layers of oversight; however, the key entities needed could be as simple as a Steering Committee, Change Board, and the implementation/delivery team.
Whatever the governance structure selected, there are common elements that need to be in place for its success.
First, the governing body should define the purpose of the program:
- What are the goals?
- Which elements will it be used to drive?
  - Policy Management,
  - Compliance Management,
  - Risk Management,
  - Security,
  - Third Party Risk,
  - Business Continuity Management,
  - Audit Management, or
  - others?
- What are the priorities?
- How many phases will there be, and what will each phase encompass?
- And so on.
Next, define the vision for the program:
- Define common metrics and scales
- Define common roles and responsibilities
- Define common reporting
- Define common uses, look & feel, branding, infrastructure, etc.
- Make sure it is enterprise focused rather than siloed
Once these key decisions are made, it’s important to enshrine them in a solid governing charter that is documented, established, communicated and, most importantly, enforced throughout the project.
These are just a few of the reasons that governance is so important for a GRC program. Each of the reasons and activities outlined can be explored in-depth – keep an eye out for future content on each.
Have a question about your GRC program? Contact us now to discuss how we can help you supercharge your GRC efforts.
In conclusion, the difference between success and failure of an eGRC implementation is directly related to proper planning and oversight. Stay tuned to this blog for more insight as we delve further into what makes successful GRC programs and implementations.