The three components - Governance, Risk and Compliance - are connected, and yet at the same time they are separate entities that require their own strategic steps and procedures. With compliance requirements becoming mandatory, many companies have been aggressively discussing implementing Governance, Risk & Compliance as a key strategy. The frequency and urgency of these discussions has increased significantly as global competition has shifted the speed of business into overdrive. IT departments are facing increasing challenges to:
- Provide sufficient audit evidence of compliance with a growing number of regulatory mandates
- Manage the varied nature and complexity of attacks on information from external as well as internal sources
- Respond to business demands in tighter time-frames
Recent research from Aberdeen Group's July 2008 benchmark report, “Is Your GRC Strategy Intelligent? Analytics for Accurate Real-Time Visibility and Decision Making”, has shown that, along with new and changing regulatory mandates (37%) and the need to better manage and mitigate business and operational risks (48%), one of the top three forces driving investment in Governance, Risk management, and Compliance (GRC) technologies and services is the need to improve operational efficiencies in IT and business activities.
Here it may be worthwhile to look at some of the best practices that have been adopted by industry leaders while implementing a GRC solution:
Do it Step by Step: When implementing a GRC solution, avoid a “Big Bang” approach. Proceed step by step, and one of the first steps is to get buy-in from your stakeholders. Organizations need to explain to relevant stakeholders that GRC is not a unified entity. It is three related but separate concepts that yield a whole that is greater than the sum of its parts. The three components — governance, risk and compliance — are connected, and yet at the same time they are separate entities that require their own strategic steps and procedures.
The first step in planning for GRC is to align the stakeholders.
Refresh Organizational Policies: The next step is to update and refresh your policies, procedures and controls, since results will only be as good as the data on which they are built. This can be as simple as confirming that the current documentation is regularly reviewed and updated. However, in some cases it may be a lot more painful if there is no documentation in place, or if it has not been reviewed in a long time. This data will form the crux of the proposed GRC solution and defines an organization's appetite for risk. Another very important reason to update the documentation is that it is the basis against which you will be audited.
Freeze Requirements and Develop Missing Processes: The organization will need to establish requirements and develop some common processes (which may not have been in place), such as issue identification, issue management, remediation and communication. During this process you will essentially lay out the foundation for the organization’s business requirements. While deciding requirements, some of the factors that need to be accounted for are:
- The number of processes that may be covered
- The number of mandatory regulations with which the organization must comply, etc.
Begin Implementation: Even though a GRC implementation will affect the entire organization, it is more effective to start on a small scale and then ramp up, because this allows the organization to narrow the scope and focus on an implementation for a limited number of business users.
Onboard Users: Finally, the organization needs to outline how the business units will use the new GRC solution, with an eye to encouraging them to proactively manage their own risks. After that, all that remains is to train and onboard users. User adoption will need to be monitored on an ongoing basis.
Conclusion:
Once in place, a successful GRC implementation provides manifold benefits to all stakeholders. Benefits include enhanced risk assessments and risk monitoring, access to additional data and knowledge coming in from other functions, and enhanced communications. The organization and its directors also benefit from a common definition of significance for issues and a common issue reporting and tracking process across business processes. In the long run, increased effectiveness coupled with greater consistency and risk visibility will lead to greater stakeholder satisfaction with internal auditing.