Chapter 2: Aligning to a vision (excerpt)

Getting anywhere without knowing where you’re going is almost impossible. You can fumble along and eventually make it somewhere (and if you’re lucky, maybe even where you decided you wanted to be!), but time and effort will have been wasted in the process. Most organizations have leadership teams with a clear idea about where they want to be, but it’s also true that not everyone shares the same priorities in the same way. They also may not be aware of what their peers are doing on a tactical or strategic level.

A vision for your GRC program needs to be clearly articulated so that the people required to support it can understand why it is important (how it contributes to or supports the corporate objectives), and what needs to be done. Once the ‘why’ and ‘what’ have been established, then the ‘when’, ‘where’, ‘how’, and ‘who’ can be defined.

For many organizations, risk management really boils down to a combination of processes supported by various technologies that implement controls that help handle events. The processes are mostly a blend of manual activities using spreadsheets to collect and manipulate data received from systems and other tools. This approach has a finite lifespan due to the unwieldy nature of managing related data in unrelated spreadsheets, especially in large and dynamic companies.

As organizations with this mode of operation attempt to scale vertically (to handle volume) or horizontally (to handle additional use cases), they soon encounter frustration. Doubt begins to grow about the quality and transparency of data that is routinely relied upon to make important business decisions. Once that erosion of trust starts, it is extremely difficult to regain.

