PREVIEW: Chapter 4: What first?
Chapter 4: What first? (excerpt)
So, you’ve agreed on a vision, you have buy-in from executives and business groups to start moving forward, and you’re anxious to get to the first milestone… but what exactly is that milestone?
It’s time to start identifying the tactical priorities required to achieve your objectives. For example, one of your objectives may be to “Establish an enterprise risk management framework”, but what does that mean to those who are charged with making it real?
Regardless of what corporate objective has been selected to be part of the first work package, there are things that the organization must put in place, and decisions that need to be made, to ensure a successful GRC program. The business groups operating the business, the technology groups supporting the processes, and the management and staff who participate in the program need to be aligned. So let’s start with understanding who’s on your team, and go from there.
I ask my clients at the beginning of each GRC implementation what they see themselves doing as it relates to the program. Some clients see themselves being users of the solution, and some see themselves being caretakers and developers of their solution. This is a tough question to answer honestly, and if you really think about the implications, it could mean the difference between a successful deployment and one that will fizzle and wither away to a memory. Their answers will help determine where core competencies lie in your organization, and how you can leverage them during various phases of the program.
There are also special skills that may only be required for a short period of time during a long program, so using subject matter experts (SMEs) is often a good way to leverage the precious in-house resources you have at your disposal. These SMEs from outside organizations can actually save money in the long run, since they have been through these large program rollouts before and can arm your team with insights and methods that produce predictable results.