PREVIEW: Chapter 8 – Essential Components

Chapter 8: Essential components (excerpt)

A mature Risk Intelligence program is not about just one thing in isolation. Instead, it is a collection of people, processes and technology, with the right mix based on an organization’s level of maturity. It is also about culture and adoption, sponsorship and support. These are the essential components of a GRC program and this chapter will focus on each of them.

Any one of these topics could be expanded upon ad infinitum, so these brief perspectives are really to kickstart your thinking about the state of your program and whether or not these components have the appropriate level of focus and priority.


Without people we likely wouldn’t need a GRC program! Even with advances in artificial intelligence, people will still be a required component of any risk management program for the foreseeable future. People provide the majority of interpretation of situations, events, information, and results. People are also the reason why so many controls are in place at all. Because the human element is so unpredictable, “what if” planning is largely tied to situations created by humans.

People fall on a spectrum. On one end, some people follow rules with mechanical precision and little deviation, and on the other end you have a predominant creative side where processes are abandoned in favour of free thinking. This spectrum creates the biggest potential for risk, but can also be the source of differentiating approaches to conducting business and taking products and services to market.

The key here is understanding what type of people are in a particular function or role, and adjusting either the program or people assignments accordingly.


The component of “process” likely has as many definitions as it does methodologies. I believe that a common definition can be agreed upon, even if the wording is slightly different. If we state that “A process is a collection of functions, activities and instructions that produces an expected result”, then it is realistic to expect that the process is streamlined (efficient), that it yields the expected result (effective), and that it produces some level of value (impact) to the organization.

Being a pragmatist, I work backwards when defining or designing new or updated processes. I believe it’s important to first identify what strategic or tactical objective a process will support. By doing this first, we can defend allocating time and money toward it. You don’t always have to describe an impact statement with every process, but as an organization matures, it is good practice to do so.
