March Madness: Picking Your GRC Priorities


Your GRC picks don’t have to be shredded after a bad first round. Learn what questions you can ask to better sequence your GRC deployment.

The productivity drop you felt last week can only mean that March Madness is upon us. For Americans, the last half of March means we all become sports analysts – predicting the outcome of college basketball games for teams from Spokane, Washington to Fort Myers, Florida. Each year, my coworkers, family members and even my neighbor’s children fill out their brackets to see who can make the most accurate picks across the 63 games of the NCAA basketball tournament. (I’ve never been a fan of counting those “play-in” games.)

Each of us has a different method for making our decisions and we all leverage a different body of knowledge. Some of us reference actual knowledge of college basketball coaches and players, some look up stats and win/loss records, some “crowd-surf” the tournament and make picks based on popular opinion, while others (particularly the kids that get involved) make picks based on team mascot “awesomeness” or best color. (The kids have a point; in real life you’d always go with a Cowboy over a Duck, right?)

Picking the Right Horse
Recent history shows that almost no method has a proven track record for picking teams in the NCAA tournament. In 2011, only one person – a school librarian – correctly guessed the final four teams; her method was less than scientific. Even though it generates a wide range of outcomes, the typical bracket selection process is simply a binary decision-making activity. We weigh several factors into our decisions (some basketball related; others not so much) and determine the ideal answer to each question (game).

In the realm of GRC technologies, we are also faced with a wide range of choices, especially in the early stages of automating a company’s processes. Time and resources are finite, but the demands to integrate complementary processes are high. The long-range goal may be a wide range of automated processes and procedures, but if you’re starting with a lengthy list of options, it can be challenging to determine which one(s) go first. This poses the question:

How do we decide which process is the best candidate for automation?

Often the question goes beyond which process provides the most value for the least financial cost. “Cost” can be much more complex than just the financial obligation. Organizations must also consider the following factors:

  • Resource availability (internal and third-party) – will the right people be available to provide insights into the deployment?
  • Process integration options – what other systems may need to be consulted prior to an implementation?
  • Quantifiable benefit to the organization – will the difference between the manual and automated process be large enough to be worth the investment?
  • Prerequisites – what needs to be in place prior to any new development?

Making the Best GRC Selections
If your team prefers managing your GRC initiatives in a sequential fashion – as opposed to all at once – a bracket-like decision-making process (and by that I mean an orderly approach to selection) may be of help. Remember, not everything can happen simultaneously at the beginning. Ease your way into your deployment. Place a variety of options on the table for a finite number of positions. If you are currently looking to determine which area of the business or which GRC process gets priority on your upcoming technology implementation, you can aid your picking process by incorporating the following four questions:

  • Are there “quick-win” business processes that can be deployed?
    Often, the smaller, “quick-win” business process implementations are the most effective starting points for building interest in an integrated GRC platform. A quick-win process typically has a small footprint in the organization (meaning it is not managed by a 12-member, cross-functional committee) and lacks any noticeable automation. In this engagement, you can likely make decisions nimbly, as there are fewer key stakeholders to navigate, and demonstrate rapid benefit as you take a spreadsheet-based, or perhaps even paper-based, process and convert it into a central online system. A solid, successful deployment of a small-scale process helps paint the GRC environment in a positive light and can generate buy-in and support for the overall program.
  • What business processes affect the largest area(s) of the business?
    Building from your success with a small focus, you can now continue your momentum and branch out to broader processes. Ask which processes will improve the lives of the largest number of people. These processes will usually garner the most support from your stakeholders and provide the greatest benefit in overall user productivity and allocation of resources.
  • Are there any external demands pressing the organization?
    Is there a regulatory requirement your organization is under the gun to meet? Is there a series of audit findings that need immediate attention? Be aware of the immediate needs of your organization and be sensitive to how some compliance needs influence the selection process for determining the best process to automate.
  • Do any business processes require prerequisite GRC implementations?
    Proper planning is key to any new GRC implementation. In partnership with the previous question, you need to make sure you sequence your processes in a logical manner. It’s helpful to draw up a diagram of processes and their dependencies to understand which items depend on each other. For example, it won’t do you any good to automate your Policy Exceptions process if you haven’t taken the time to put your actual policies into the system. In order to make the most of your time and resources, GRC leaders need to prioritize their work to avoid any unplanned hiccups.

These questions are just a framework for helping you make your decisions. When used in partnership with your understanding of the people and standing of the organization, you can make a sound selection in determining what the best fit for your team is.

Cutting Down the Nets
As with any NCAA bracket picks, there will always be surprises. Sometimes a small process may come out of nowhere and end up being a beast of a project to manage. Many stakeholders who start the project highly engaged lose interest over time. Don’t let this disrupt your momentum or knock you off your game. GRC implementations are marathons, not sprints. Unlike a basketball tournament, GRC is not a one-and-done affair. Even if you have a mediocre first round, learn from the situation and come back stronger.

–Nick Butcher, OrangePoint
