If I showed you a picture of a Sasquatch or a Unicorn, chances are you would be able to identify them almost immediately. That is to say that nearly everyone knows exactly what they are even though they haven’t been proven to exist. Now don’t get me wrong, I’m not here to discuss my hair-brained theories on Bigfoot and Unicorns. . . I’ll save that for another blog post. My point is that over the past 5+ years of implementing GRC programs and solutions for various companies, I’ve found something that is seemingly just as mythical, often heralded by the following statement:
Our company’s differing departments operate in silos. We not only want these silos to work together to increase efficiency, but in many cases we want their business processes to be fully integrated with one another using this shiny new GRC program/tool we’re rolling out!
How does this relate to Sasquatch and Unicorns, you ask? In most cases, the “Fully Integrated GRC Program” fits within the same category – anyone that has been working in GRC recognizes the concept immediately, but chances are there’s no proof that integrated GRC is fully alive within the organization. Plus, it’s a tall order to think that the desire for GRC cooperation and a new piece of software, simply just by existing, will magically overcome the status quo. Most businesses don’t turn on a dime, and changing the culture requires more than the enchantment of a single GRC kickoff presentation or a new technology platform. From my perspective, to have a fully integrated GRC program, there are three major obstacles to overcome.
- Obstacle #1: Lack of a Champion
If the content doesn’t already exist in your GRC tool of choice, then you aren’t going to be able to integrate your business processes. This is why the champions of your GRC program at your organization (the primary internal stakeholder spearheading your GRC program) should always be cognizant of integration points with existing processes as new processes are rolled out. Integrated GRC has to have an internal champion that has connections across the enterprise. Who within your organization has the ability to establish constructive meetings with people from the far reaches of the organization? Can this person get time with both the key audit stakeholder, the information security director and a decision maker from the finance team? Building bridges and rapport between these groups is critical.
- Obstacle #2: Silos Surrounded by Barbed Wire
The second obstacle is joined at the hip with the first –the majority of large organizations operate in silos. Business processes are implemented into GRC tools in the same fashion. An audit manager has a full understanding of his/her audit universe, so why would that person want to imagine how his/her solution integrates with the policy or compliance teams, areas where the person is much less familiar? Too many times I’ve heard the phrase, “I think it would be useful to integrate with Business Process X, but we can just deal with that later.” Look, it makes perfect sense that you want to take care of implementing your own business process before thinking about how it can link up with others. However, all too often I’ve seen potential integration points get pushed by the wayside. Moving from silos to integration is going to be painful, and you’re likely to get snared along the way before you can reap a lot value. However, dealing with challenges at the beginning is far less painful than entrenching your process within a GRC tool first, then bringing other people along to integrate with you.
- Obstacle #3: Building Consensus
The third obstacle seems as though it would be incredibly simple (like spotting a white horse with one horn), but it is actually the most difficult: bringing key stakeholders from these silos together to discuss (and agree upon!) integration points. At a high level, integrating business processes using a common platform sounds great; audit findings hook into company policies, which hook into risks, which hook into assets, etc. But exactly how these processes “hook into” each other is a major sticking point between key stakeholders…especially when it comes to system access! I’ve lost count of the amount of times I’ve had a conversation with two different departments sharing a common module/application that can’t come to a consensus regarding what their group can see and what the other group can’t. There has to be wise compromise among all parties for your integrated program to be successful.
Summary: Planning Your GRC Success
In summation, the onus for perpetuating the “fully integrated GRC program” vision and overcoming the three obstacles listed above ultimately falls on two roles: the GRC champion(s) of your organization and the GRC experts (either external or internal) helping to implement your business processes. By always being aware of the “big picture,” you’ll be able to integrate business processes you weren’t able to before, thus making them more streamlined and providing more value to your business as a whole. The best part is that making this happen is far simpler than trying to locate a reclusive beast-man in the middle of the wilderness.
–Evan Stos, OrangePoint