
Governance, Risk and Compliance (GRC) requires a common set of processes for managing risks, controls, policies, and measurements. When each business unit or department within a company assesses risk in different ways with different tools and different forms, their likelihood of getting good information on which to base their decisions is dramatically reduced. When they start establishing consistency across their risk management processes, they gain efficiency, as well as increased visibility into their total enterprise risk.
What's the best way to get a GRC effort off the ground? There is no single answer to this question, but here are some strategic and tactical steps that can help:
STRATEGIC:
1) GRC is Not a Project
During a Quality Management class, the instructor said "Quality is a process, not a project." The same applies to GRC; there is no date by which everything will be done. Requirements, regulations, laws and best practices change constantly, and GRC processes should be continuously improved, so GRC will never be "done."
2) Create a Cross-functional Team
Some companies choose one person to be responsible for coordinating GRC efforts. While this can be effective, it may be even more effective to bring together a team to coordinate GRC. The team could consist of representatives from information systems, legal, internal audit, compliance, and risk management, for example. Patrice Walker, Director of Risk Management for Jefferson Wells, has said that GRC is primarily a business challenge that affects groups across the enterprise, so relationships need to be built and communication across all groups must be effective; she emphasized that communication and relationships are what make GRC successful.
3) Don't Try to Boil the Ocean
Don't struggle to solve all your regulatory and compliance problems at once. As Matt Caston states in his recent eWeek article: "…focus on a discrete area with opportunity to expand the program in the future." Your focus could be a specific regulation for which you have an impending audit. Or it could be a specific function, such as the need to communicate the company's Code of Conduct and report the level of employee acceptance.
4) The Need for Speed
If you need to implement your GRC strategy quickly, take a look at software-as-a-service, or SaaS. It offers fast implementation, reduced upfront investment in server hardware, and minimal demand on IT staff. SaaS is not for everyone, but the model continues to prove itself as a viable alternative to the standard purchase, install and maintain method. Because the register will hold detail about your weakest controls and highest risks, assess the vendor's own security practices and your ability to export your data before committing. Make sure you choose a vendor that allows conversion to other purchase methods: if the software proves itself, you could reduce your long-term investment by purchasing it and either 1) having the vendor host it for you or 2) hosting it in your own data center (on premise).
With some strategic decisions out of the way and using your GRC software of choice, consider the following tactical tips:
TACTICAL:
1) Import Existing Objects
Use what you have already prepared. If you have a list of enterprise or IT risks in a spreadsheet, import it. If you have a list of controls, import it. If you have company policies like the Code of Conduct or password policy, import them. This will be the beginning of your single source of truth for compliance. Once imported, you can start the process of getting your cross-functional team members to validate and expand it. This will also start the collaboration and creation of your "GRC lexicon" and taxonomy that Matt Caston describes in more detail in his eWeek article.
2) Start Scoring
Now that you have a starting point, utilize the built-in scoring mechanisms. If you imported your risks, score them so you can see your Top 10 risks. If you imported your controls, ask the control owners to answer the control maturity assessment questions to find the 10 weakest controls.
3) Create Connections
Now you can start "connecting the dots." If you started with a list of your risks, input some of the controls that are put in place to mitigate those risks, then associate them together. If you started with a list of controls, enter some of the risks that they mitigate and associate them together. You can also connect your controls and/or imported policies to the requirements (ISO 27001, SOX, HIPAA, PCI) and control objectives.
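The three tactical steps above (import, score, connect) form one small data model, and it is worth seeing them together. The following is an added example written for this article, not code from any GRC product; the risks, controls and requirement references are constructed sample data, and the scoring (likelihood times impact, each 1 to 5) and the maturity scale (0 to 5) are assumptions, not taken from any standard. It goes one step beyond the text by also reporting the gaps that connecting the dots exposes: risks with no control linked to them, requirements no control covers, and high-scoring risks whose best control is still immature.

```python
"""Added example: a minimal GRC register in plain Python (not a product's code)."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    rid: str
    name: str
    likelihood: int            # assumption: 1 (rare) .. 5 (almost certain)
    impact: int                # assumption: 1 (negligible) .. 5 (severe)
    controls: set = field(default_factory=set)  # ids of mitigating controls

    @property
    def score(self) -> int:
        # Assumed scoring: likelihood x impact, so 1 .. 25.
        return self.likelihood * self.impact


@dataclass
class Control:
    cid: str
    name: str
    owner: str
    maturity: int              # assumption: 0 (none) .. 5 (optimized), owner-assessed
    requirements: set = field(default_factory=set)  # requirement references it satisfies


# Constructed sample requirement references (stand-ins for an imported list).
REQUIREMENTS = {"ISO 27001 A.9", "ISO 27001 A.12", "PCI DSS 6",
                "PCI DSS 8", "HIPAA 164.312", "SOX 302"}


def build_register():
    """Step 1 and 3: 'import' constructed risks/controls and link them."""
    risks = [
        Risk("R1", "Credential theft via phishing", 4, 4),
        Risk("R2", "Unpatched internet-facing server", 3, 5),
        Risk("R3", "Loss of unencrypted laptop", 3, 3),
        Risk("R4", "Insider misuse of admin rights", 2, 5),
    ]
    controls = [
        Control("C1", "Password policy", "IT Security", 3, {"ISO 27001 A.9", "PCI DSS 8"}),
        Control("C2", "Multi-factor authentication", "IT Security", 1, {"PCI DSS 8"}),
        Control("C3", "Monthly patching", "Infrastructure", 2, {"PCI DSS 6"}),
        Control("C4", "Full-disk encryption", "Endpoint", 4, {"HIPAA 164.312"}),
        Control("C5", "Code of Conduct", "HR", 5, {"SOX 302"}),
    ]
    by_id = {r.rid: r for r in risks}
    # Associate risks with the controls that mitigate them (R4 deliberately unlinked).
    for rid, cids in {"R1": ["C1", "C2"], "R2": ["C3"], "R3": ["C4"]}.items():
        by_id[rid].controls.update(cids)
    return risks, controls


def top_risks(risks, n=10):
    """Step 2: highest-scoring risks first (ties broken by id for stable output)."""
    return sorted(risks, key=lambda r: (-r.score, r.rid))[:n]


def weakest_controls(controls, n=10):
    """Step 2: least mature controls first."""
    return sorted(controls, key=lambda c: (c.maturity, c.cid))[:n]


def unmitigated_risks(risks):
    """Gap: risks with no control associated at all."""
    return [r for r in risks if not r.controls]


def uncovered_requirements(controls, requirements):
    """Gap: requirement references that no control claims to satisfy."""
    covered = set().union(*(c.requirements for c in controls))
    return sorted(requirements - covered)


def risks_by_exposure(risks, controls_by_id, min_maturity=3):
    """Gap: risks, highest score first, whose best linked control is below min_maturity."""
    def best_maturity(r):
        return max((controls_by_id[c].maturity for c in r.controls), default=0)
    ranked = sorted(risks, key=lambda r: (-r.score, r.rid))
    return [r for r in ranked if best_maturity(r) < min_maturity]


if __name__ == "__main__":
    risks, controls = build_register()
    by_id = {c.cid: c for c in controls}
    print("Top risks:", [(r.rid, r.score) for r in top_risks(risks)])
    print("Weakest controls:", [(c.cid, c.maturity) for c in weakest_controls(controls)])
    print("Unmitigated:", [r.rid for r in unmitigated_risks(risks)])
    print("Uncovered requirements:", uncovered_requirements(controls, REQUIREMENTS))
    print("Exposed:", [r.rid for r in risks_by_exposure(risks, by_id)])
```

With the sample data, the report shows the kind of thing the connections make visible: R4 has no control at all, ISO 27001 A.12 is claimed by nobody, and R2 scores second-highest yet depends on a control its owner rates at maturity 2. Those three lists are the agenda for the cross-functional team's next meeting.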
These tips will get you started with your Governance, Risk and Compliance efforts, but they are only a beginning. Coordinating and advancing a coherent GRC approach across departments and business units requires significant effort and perseverance, and the fruits of your labor and your peers' labor may not be evident right away. However, a structured program delivers long-term benefits: stronger governance capabilities, more effective risk mitigation, and simpler regulatory compliance.
*Image courtesy of Gio JL, used under Creative Commons License.