In the February issue of the CA Advisor: Governance Edition, I've covered an important question we hear from many of our customers: where should you start with your GRC program?
There are many potential answers to that question, and what makes the most sense for your business depends directly on your specific priorities, your short-term needs and your long-term goals. But there is one thing that generally applies to most companies embarking on a GRC initiative: it's OK to take a phased approach. You don't have to implement the G, the R and the C all at the same time.
When talking with our customers, this insight usually comes as good news! We know it can feel overwhelming at first, particularly if you're really looking under the covers at the people, process and technology needed to ensure your GRC solution best matches your needs. But most of the time, slicing off one piece will set you on the right path.
In my latest Advisor article, I specifically point out some of the advantages of starting with risk management, the R in GRC.
Take a look at the complete article for the full detail, but here's a quick overview of why risk management is a logical starting place:
- Effective risk management is top of mind given the recent financial crisis and its fall-out
- Improved risk management can have important financial benefits, now that Standard & Poor's includes it as part of their overall corporate evaluations (see a past post on this topic here)
- Visibility into overall risks can help you make more informed business decisions, helping to sort out which risks to avoid and which ones to take
- Visibility also gives you insight into the downstream effects of various decisions
- By properly identifying, managing and mitigating risk, you can earn competitive advantage for your company
Even if you pick one area as a starting place, like risk management, I always advise companies to have a clearly defined vision showing how GRC will deliver short- to mid-term value to the organization. The long-term benefits can be profound, but given today's economic climate, most projects need to show demonstrable short-term benefits to get approval.
Another important tip: developing a common GRC lexicon is a must. You want to be sure all stakeholders speak and understand the same language, which spares a lot of pain once you get further along in your implementation. The next logical step is to have common practices and procedures for the key elements of risk management: risk identification, assessment, and mitigation. If each organization has different processes for doing risk management, it will be much harder to gain visibility into the total enterprise risk profile. Common terminology, processes, and procedures imply a common risk management platform across the enterprise. This is a whole topic unto itself, but it is the foundation of improved enterprise risk management.
By focusing on one area, such as risk, when implementing GRC, it will be easier to show the rewards of the initiative and get buy-in for the entire project. The end goal should be a unified and centralized GRC management platform. But in many cases, addressing one element at a time can set your team on the best path to success and help the group see the true benefits of the GRC program.
Check out my article in the February issue of the CA Advisor: Governance Edition, and feel free to share your thoughts in the comments to this post.