If you’re one of our blog’s frequent readers, hopefully you’ve come to appreciate our use of non-business illustrations to bring some clarity to the GRC world. Too often, we (as business professionals) unnecessarily complicate things with thick jargon and code words, when a simpler description would get the job done. At OrangePoint, we are big, scratch that, huge fans of using metaphors to explain the best practices regarding the architecture and development of a GRC program: Charlie Brown, Dr. Seuss, Bigfoot, and most recently, home plumbing repair. I’ll admit that I’m capable of dropping more than a few industry buzz words without even breaking a sweat, but I’m constantly working on simplifying and refining the concepts I want to convey. While I’m not sure I’ll ever arrive at a point where everything I say is instantly understood by everyone in the room, my goal is to make steady, constant improvement. As the “hook” for this blog, allow me to use a few golf parallels to describe the need for continuous improvement in GRC.
Understanding the Links between Golf and GRC
At a high level, the objective of golf is easy enough: for any particular hole, simply hit the ball with a series of clubs until you get it in the cup. Every hole on the course is different, and some are “more different” than others – as in, nasty doglegs or desert-sized regions of sand right around the green. Also, while there is a clear path that provides the least amount of difficulty for reaching the hole, staying on that path is much easier said than done. These concepts also align with implementing a business process into your GRC technology platform:
- Deceptively Simple Objective: It seems like there’s a straightforward and fair way to set up everything, right? The data sheet even used the term “out-of-the-box.” (Of course, you may not remember seeing any box.) Simply build the fields you need into an easy-to-use, web form-based application, and then voila! Your end users are populating said fields with data and this data provides your organization with important information you can translate into GRC metrics.
- Varied Bag of Tools: Some business processes are easier to implement than others. Some have significant obstacles, whether they’re technical limitations or unruly stakeholders. Just like you’d turn to a specific club on the golf course to navigate a particular hazard, in GRC you’ll have to vary your personal tool set as well to overcome your challenges. Whether it’s your technical aptitude for integrating a legacy system’s data set with your GRC technology or your persuasive talents to obtain buy-in from a skeptical stakeholder, you have to use more than one club to achieve your objectives in the boardroom. (Don’t actually use clubs with your coworkers; remember, this post is using metaphors.)
- Clear Path to the Goal: Also, like golf, there is a path laid out for implementing a business process into a GRC tool that provides the least amount of difficulty for completing the implementation. However, following it can be a significant challenge.
While these similarities are interesting, and help illustrate a few concepts, the key takeaway from this post is the following:
Whether it’s a business process built into your GRC tool or your golf game, you will never be completely done improving it.
The “Perfect Round” is a Journey, Not a Destination
While it pains me to write this: I am an incredibly average golfer. On some (read: a few) holes I never leave the fairway, while on others (read: most) I’m trying to hit from behind a tree or wishing I would’ve brought scuba equipment to retrieve the five consecutive golf balls I hit into a picturesque, well-placed pond. Because of my inconsistency, I’m constantly making a wide variety of tweaks to reduce my margin of error. These tweaks range from incredibly minor, like buying a different type of golf ball, to major, like changing how I swing one of my clubs. The point is, while the tweaks may become more and more infrequent as a person’s skill level increases, they’ll never be completely finished making changes to their game, no matter how small. Nobody, from Tiger Woods to me, ever declares “My golf game is completely flawless and has reached its ultimate apex. It no longer requires any improvement.” While many golfers make reference to the perfect round (a birdie on every hole), no golfer has ever achieved one in a round of professional play. However, it is still a goal that they continue to strive for, necessitating continuous improvement.
An online form (or series of forms) built into a GRC tool to facilitate a business process follows the same mantra as the above paragraph. It will never truly be “finished;” there is always room for continued refinement. When you first implement a business process into your tool, think of it like you would a software product. What you just implemented is essentially “version 1.0.” Over time and through repeated end-user exposure, updates will be requested. Some of those updates will be minor, like adding a value to a dropdown list, and some will be major, like completely overhauling users’ access.
My point is that you’ll need a change management solution for your GRC tool that enables users to request changes (no matter how small) to deployed business processes. My personal preference is to build the change management process directly into the tool itself, but I’ve seen situations where an external change management process is successful as well. If your goal is to manage the ongoing enhancements and growth in your processes, you’ll need a way to execute the following actions:
- Capture suggestions from your users
- Record the approvals/updates to the suggestions
- Track the progress for implementing the suggested change
To improve your program, it’s necessary to monitor and measure your efforts to make changes. Formalizing your change management program allows you to gain greater insights into how your GRC program has evolved over the course of time.
Tapping It In
As we turn the page on yet another GRC-related metaphor, don’t let the lack of a defined goal post (or flag and associated tin cup) discourage you. With each enhancement, take some time to celebrate the new efficiency and added insights offered by your updates. Don’t settle with your GRC program; strive for growth and continue stretching your current abilities. Now if you’ll excuse me, I’m going to buy some more golf balls and work on stretching my own golf game.
–Evan Stos, OrangePoint