The Most Overlooked Element of Successful GRC

Most GRC / IRM material focuses on things that are unique to the world of business and technology risk. This often makes sense since there is so much to consider when working with GRC. 

Thousands of GRC guides, white papers, manuals, and blog posts fill professional organization sites, regulatory body sites and materials, LinkedIn, and business world blogs. I haven’t performed an analysis, but I’d have to guess that well over 90 percent of these focus on the details, techniques, and process dynamics of GRC / IRM processes and technologies, with nary a mention of the third leg of the business triangle.

We’re no exception: our collective skillset is skewed heavily toward process and technology. We’re versed in the elements of successful risk management, audit management, compliance management, vulnerability management, third-party management, and so on. We’re versed in the nuances of how multiple eGRC platforms support each area. We know risk quantification, and how to arrive at objective risk scores. We know NIST, ISO, HIPAA, and HITRUST. We can tell you all about control assurance, and how to arrive at solid conclusions on control design and operating effectiveness.

When reviewing project results and client satisfaction, we’ve definitely noticed that it matters whether our project teams and client department teams are able to apply skills from the aforementioned areas. After all, the learning curve is steep, and when working with teams lacking deep GRC process and technology skills, everything becomes more challenging. We’ve also noticed, however, that one element changes the entire project success equation when we add it as a focus of our engagements. Hint: it has nothing to do with processes or technologies.

Of course, I’m talking about people. From my own personal experience in recent years, I’ve come to learn that the most knowledgeable, most skilled client teams that I’ve worked with aren’t always the most successful. In fact, in my opinion the correlation between skills and success is much lower when implementing a complex program across an entire organization than many experts would have you believe. 

I believe this is true for GRC / IRM in particular. One of the most prevalent challenges we encounter, if not the most prevalent, is being brought in by a client to improve and automate some element of their security, risk, or compliance program, only to learn that one of the sources of their failure is a failing culture and a lack of teamwork.

You can see the symptoms of this right away.

When digging in for the current state assessment, we’ve heard things like, “I know this isn’t the right way to do it, but [Insert leader name here] says we have to do it this way.” or “[Leader in other department] controls this piece of the system, it doesn’t support our process for reason x, y, or z, and they won’t listen to our requests to reconfigure so we usually just do this part manually in a spreadsheet.” Often we’re told up front that their efforts in the past have failed because of conflicts with other teams or departments, and so they’ve decided to go it alone. They’ve abandoned the idea of enterprise GRC or true IRM for the time being and have decided they know best. Rather than work through their problems with the other organizational stakeholders, they’d prefer to go it alone. (These are examples of failed conflict management, but this doesn’t mean a high-performing team is devoid of conflict. Instead, high-performing teams are made up of people who understand that success requires healthy conflict and operate from a level of trust both within their team and their larger organization to support that healthy conflict.)

We’ve come to learn that failure rooted in people and culture is one of the biggest red flags we come across. So much so that we’ve incorporated a phase in all of our GRC Roadmap engagements focused exclusively on people. Specifically, we focus on including every stakeholder who is or will be impacted by the work being planned and making sure they have a seat at the table, on developing a governance charter that lays out the governance committee’s purpose and decision-making procedures, and on establishing a unified taxonomy of the processes, business assets, and technology assets involved, so that everyone is speaking the same language.

This goes a long way toward project success, and it’s truly changed the success ratio of our projects. Even so, the clients we’ve had that don’t just get to a successful implementation, but instead achieve true optimization, all share one thing in common: an excellent teamwork environment and a strong organizational culture.

This leads to another thing we’ve learned: this doesn’t happen by accident. It is usually the result of keeping people, along with process and technology, at the forefront of establishing or improving a program. People-focused activities are emphasized, such as intentional team design that considers individual strengths and preferences and how they fit into the overall team dynamics.

Understanding the type of team you’re building, based on the desired outcomes, is critical. For example, risk management teams need to be analytical, but team members focused purely on decision support may need a higher level of creativity to cultivate risk modeling inputs and see connections between processes that others may not. On the flip side, efficiency and accuracy often rule the day for compliance activities, so compliance-focused teams might be better built from those with low-patience and high-formality traits.

Once the team is set, high-performing teams deploy talent optimization techniques so that they naturally work toward the shared vision. Their members often work for internal satisfaction and a shared feeling of success. They enjoy being part of something bigger than themselves and striving every day to live up to the team’s and the larger organization’s mission and vision statements.

Bottom line: culture, underpinned by team composition and team dynamics, determines whether the team will successfully execute strategic goals, so getting this right matters.

Toward that end, we’ll be increasing our focus on the people aspect of our projects and engagements both internally and with our client teams. There’ll be more details to come on this topic in coming months.

In the meantime, if you want to get the most out of your team’s GRC experts, contact us to learn more about building team dynamics and talent optimization techniques customized to your organization, department, and program.