PREVIEW: Chapter 3: How to get there

Chapter 3: How to get there (excerpt)

OK, so your organization has held the appropriate workshops to articulate the vision, and now everyone is wondering, “How do we get there?” I’ve worked with many organizations that had the most detailed vision that fully identified characteristics of the end state along with the overall objectives of the program, but they struggled to turn that vision (strategic) into action (tactical activities). It wasn’t because they didn’t have the talent or skills, but because rolling out a GRC program is something that is outside of their experience and comfort zone.

I would also argue that the overall vision should be broken down into sub-strategies (depending on the size of the program) that support the grand vision. These sub-strategies are what I refer to as “streams”, with each stream being a logical grouping of program components in the areas of:

• Use Cases
• Policy and/or Governance
• People
• Technology

Keeping the number of streams low (ideally under six) helps maintain alignment throughout each phase of development and implementation, and therefore inherently reduces the program delivery risk.

The complete roadmap view

If you have ever used a GPS while driving from point A to point B, you can appreciate that looking at only the next turn directly ahead of you may get you there, but you don’t get a sense of overall progress, or your relative position to other things around you. By zooming out to get the rest of the map in view, you quickly appreciate where you really are in your trip. The same thing is true for using an overall roadmap for deploying a risk management program. Zoom out a bit and you’ll better understand the scale, complexity, duration, participation and budget.

By its very nature, a GRC program is an aggregator of other systems and data. It would not have nearly as much value if it were a stand-alone solution performing all the functions, mainly because many of the functions it needs to gather data from already exist as systems operating throughout your organization. A GRC program is an integrated toolset that brings information, processes, and resources together to provide an aggregated view of all these things, and ultimately helps management make better decisions. It adds transparency and traceability to instill confidence in management and regulators. That is good for business.
