Many organizations face a set of challenges related to governance, risk and compliance (GRC) processes, technologies and overall programs embedded within their IT and business enterprise architecture. Problems arise because organizations run multiple decentralized GRC programs, deploy and misconfigure GRC technologies, and misalign GRC policies and procedures with business strategy. To overcome these issues and increase the maturity of the GRC program, management should regularly assess the GRC program to define its as-is state and adjust it to align with the to-be state (the target operating model).
An effective and mature GRC program has properly defined business requirements and the right blend of automation and technology support. To increase the maturity of your GRC program, the following four steps provide a road map and a business case for creating and implementing the right GRC operating model, eliminating the pain points the organization may be experiencing today:
1. Define compliance, business and IT future-state requirements.
  - Identify future-state requirements by assessing the functional and technical design principles across the legal, compliance, business and IT scope dimensions.
  - Rank the gathered target-state requirements to prioritize them and to separate the desired (nice-to-have) from the required (must-have) key requirements of the GRC program operating model.
2. Perform the automation and technology fit, costing model and value return assessments.
  - Identify the GRC technology solutions that will meet the key requirements, based on the current and proposed GRC technologies and functionalities.
  - Develop a costing and value return model that accounts for the impact of the identified solutions on technology, data, people and processes.
3. Develop and socialize the business case and road map.
  - Create a dynamic business case that can be used as an operational tool to document the program operating model and its success factors.
  - Identify a path (a road map) for building out the target operating model, including project scope, timeline and technology deployment plan.
4. Test and verify the GRC target operating model.
  - Verify the functionality and performance of the GRC target operating model together with the business and IT organizations.
  - Define and execute the go-live procedures with the GRC program stakeholders, deploying the new technologies, data model and processes.
Effective GRC and risk management programs are critical to business operations, allowing stakeholders to understand and respond appropriately to the volume of regulations and business policies they face.
Assurance leaders need to assess the maturity of the organization's GRC program regularly and create a program that aligns with the business strategy. In my experience, a point-in-time maturity assessment across the four steps outlined here is a great way to evaluate the effectiveness of a GRC program.
Mostafa Elghazaly, CISA, CRISC, CISM, CGEIT, CDPSE, is an experienced management consultant, content writer and the founder of Signify Solution LLC, which provides technology strategy, risk management and portfolio management consulting services. Elghazaly can be reached via email at mostafa@signifysolution.com and on LinkedIn at http://www.linkedin.com/in/mostafaelghazaly/.