Building a Mature GRC Program: The Top 5 Considerations

Michael Rasmussen

Shadows haunt the organization. Today’s organization is encumbered by things like shadow processes and shadow IT. These are rogue processes and technology that get implemented in the depths of the organization without thought or conformity to a top-down integrated strategy.

The components of GRC – governance, risk management and compliance – are in every organization. My position is that every organization does GRC. It may be ad hoc, fly-by-the-seat-of-our-pants approaches. The reality is that we have shadow GRC processes that spring up all over the organization in the bowels of operations that lack an enterprise top-down coordination and strategy. 

Too often, GRC is like the Winchester Mystery House in San Jose, California.  This house was built in the 1800s at excessive costs, with no overall design or architect.  It had 147 builders that built it over 38 years with no blueprint.  In the end, it has 160 rooms, 47 fireplaces, 6 kitchens, 10,000 windows, 65 doors that open to a blank wall, 25 skylights in floors, not ceilings, and 13 abandoned staircases that go up to nothing – or down to nothing.

This is the reality of GRC in many organizations. Over the last 38 years, the typical organization has had 147 different builders of GRC doing their own thing without thinking of the broader picture. The confusion of the Winchester Mystery House are there: 160 different assessment formats; 47 different policy formats; 6 different risk frameworks/taxonomies; 10,000 documents and spreadsheets; 65 risk and compliance management report formats; and 25 different technologies ranging from spreadsheets, custom-built risk software, to commercial solutions. 

This is a reality for GRC in organizations – one financial service firm I worked with on their GRC strategy mentioned they had thousands of documents and spreadsheets for risk and compliance assessments and various technologies in place. Eighty percent of their staff time was spent managing documents, spreadsheets, and emails and not risk and compliance.

To solve this, organizations need to understand the maze of GRC strategies, processes, information, and technologies in place and architect an approach that brings greater levels of effectiveness, efficiency and agility to the business from the top (board) down into operations. To build a mature GRC program in your organization, here are five core considerations:

1. Understand your current state and build your future state.

This involves taking an honest look at your GRC processes already in place. If your organization is like many organizations, it will be a discovery of a Winchester Mystery House confusion of GRC. But you need to understand what is being done today and assess what is working, what is not working, and what is missing. From there, you can then define (architect) your future state of GRC and build a two- or three-year plan to get you there, a roadmap and project plan.

2. Gain board and executive support and sponsorship of the GRC strategy.

The organization needs to work in collaboration on GRC. Different groups doing their own thing handicap the business. Board and executive support are critical to align the organization to work together across departments on a strategy.

3. Establish a dedicated cross-functional team.

It is vital to dedicate a cross-functional team to oversee ongoing harmonization of GRC processes, integration of information, collaboration across GRC functions, and execution of the GRC strategy. This group identifies strengths within existing functions and enables other areas to benefit from them. The goal of this team is to develop a shared GRC strategy, framework, processes, information, and technology architecture.

4. Select the right technology foundation.

This is critical and often one of the big mistakes organizations make in a GRC strategy. Some part of the organization is using some tool for some remote GRC purpose, and the organization builds their strategy on it to find out it is not the right solution to achieve the long-term goal of the organization. Everything has to start over, and the GRC project fails and dies. You need to start the journey with the right equipment to get you to your defined future state.

5. Start your journey and tackle it in stages.

The organization must document and prioritize its project plan and tackle it in stages that are achievable. The organization that takes on too much too quickly fails. It is like climbing Mount Everest: You must do it in stages.

One more thing: Be prepared for change. The world is dynamic. GRC in the modern organization is like managing chaos. The organization needs to be prepared for new risks that stagger the organization and its strategy or changes like mergers and acquisitions that realign the GRC strategy. Today’s organizations need a lot of agility and resiliency that GRC can deliver to help them navigate the world around them, but GRC itself needs to be agile and resilient to deal with change.


Read Michael Rasmussen's previous posts on the board's role in leading and enabling GRC, and how to implement a top-down view into GRC along with a bottom-up operational approach.

Related Insights

The Rising Tide of ESG – Navigating the Road Ahead

video

The Board's Role in Leading and Enabling GRC

article

Board and Executive Collaboration: Components of a Secure Platform for the Evolving Workplace

White Paper
Michael Rasmussen
Michael Rasmussen, The GRC Pundit @ GRC 20/20 Research, is an internationally recognized pundit on governance, risk management and compliance (GRC) ' with specific expertise on the topics of GRC strategy, process, information and technology architectures and solutions. With 28+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures and select solutions that are effective, efficient and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the 'Father of GRC' ' being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.