In an earlier blog posting, I introduced the topic of Lean GRC, an area that has started to get some attention recently. To summarize, it takes the principles of Lean Production (as exemplified by Toyota in the 90s), and applies them to risk management and compliance. In a follow-on blog posting, I talked about one of the most important concepts of Lean: the elimination of waste. Many companies have significant amounts of redundancy and waste in their GRC processes, so this is an area that's ripe for improvement.
As we all know, one of the key elements of Lean Thinking is to identify process steps or processes that do not add value to the customer, and eliminate them. Very important, but certainly easier said than done.
In this blog, I'd like to talk about another key concept of Lean: "Focus on individuals who add value." At first blush, this might appear to be a thinly-veiled advocacy for large-scale layoffs. "Find the laggards and get rid of them!" Sounds harsh… and that's not really what this principle is focused on.
The important message of this principle is that we should transfer responsibilities and ownership to those individuals who have the potential to actually add value to the process. In many cases, adding value implies that these people have information that other people might not have, or get access to the information earlier in the process than others. In GRC (as in many other areas of business), knowledge, to some extent, is power. We need to find those people who have unique information, or have it earlier, and make them "key cogs" in the GRC process that uses this information.
This implies that we need to assign GRC responsibilities to key people on the "front lines," so that their added value is leveraged as much as possible. Let's get a bit more specific so this is clearer.
Many times, the people who are actually testing controls will have an "early warning" if there is an emerging risk related to that specific control. If, for example, they have to fill in forms or send an email to alert someone the next level up, which then gets passed along (at some point) to another layer of management, the impact of a control failure might not be obvious to upper management for a while. In many cases, this might not be a huge problem. But why design your internal processes in a way that doesn't effectively support the "boundary conditions" of a large control failure?
A better approach is to more directly integrate these front-line people (who have the important information) into your GRC processes. Allow them to immediately enter control results, which will then automatically adjust your overall risk and compliance profile. Upper management can then get a graphic indicator of this potentially important change in status immediately.
Controls testing is only a useful example of how this might work. Any other individuals who are key elements of any compliance process, or are the source of critical information, should also be the focus of any re-design or simplification of any business process.
This approach has a side benefit also. As we introduce GRC into all key processes, as well as focus on individuals who add value, we not only improve the quality of our information, but we help instill ethical, "compliance behavior" in employees at all levels. Some studies have shown that increased awareness of policy and ethical standards among workers tends to diminish inappropriate behavior. So, reasonable methods that accomplish this can be very effective.
In a subsequent blog, I will offer some thoughts on other key principles of Lean GRC, and you can visit CA's Lean IT site to learn more about our approach to help companies maximize value and minimize waste. As always, I'd love to hear comments, thoughts or anecdotes from your experiences that you would like to share.
*LeanGRC is a trademark of OCEG.