PREVIEW: Chapter 1 – Where to Start
Chapter 1: Where to Start (excerpt)
If you find yourself in a position of responsibility for managing risk at any organization, whether large or small, the journey to achieve insight into your risk posture will be very similar. I would like nothing better than to tell you that the journey is swift and free of challenges, but as you might expect, the truth is much different. The good news is that a pragmatic, high-value strategic program is definitely achievable.
I’ve worked with many organizations that have tried to develop GRC programs but have approached the effort thinking that the very smart people who owned risk to begin with were the only resources needed to conceive and deliver a program that was operational and returned the promised value. In actuality, success requires people with skills and experience gained through practical implementations. As you’ll read in the coming chapters, success also requires big-picture thinking to align your GRC program with the company’s strategic goals, along with a focus on building trust and achieving buy-in from the various stakeholders.
The GRC value promise
Regardless of what approach, product, schedule, taxonomy, or methodology you plan to use to support your vision for a GRC program, the value promise is essentially the same: Management requires time-sensitive understanding of the pulse of their organization as it relates to the categorized risks and the related controls meant to keep them within tolerances; they need to make informed risk-based business decisions supported by highly standardized technical data; and they need the ability to efficiently respond to regulators and standards bodies with credible and trustworthy demonstration of due diligence and compliance.
How can such a small statement describing the value be so difficult to deliver? For one, GRC as a concept is relatively new for most organizations, and the GRC marketplace is still evolving. For example, many products do a very good job of providing useful information for their slice of an ever-expanding landscape of technology safeguards that organizations employ to provide the technical controls necessary to manage IT risk. But IT risk is only one component of operational risk, and operational risk is only one part of an overall enterprise risk program.
The expectation is that management can get a holistic, aggregated view of all types of risk. In most organizations today, however, risk is assessed and controlled within silos of responsibility, with overlapping or undefined areas of accountability between them. The challenge therefore becomes merging the outcomes of many different technical controls, process controls, and management controls (policy and governance) into that single view.