I have had the pleasure of working in the governance, risk and compliance (GRC) space for some time now, and one simple question that continues to come up is, “where do we start?” If you’re just starting your GRC journey, when you survey your landscape you’ll likely find contrasting personalities, specialized nomenclature and inflexible technology systems. Aligning operations and processes that have operated independently is no easy feat!
If you’re interested in optimizing your business operations through GRC, but feel immobilized as to what the next steps are, this blog post is for you. Based on my experiences in the industry, I’ve found the following five steps (all industry-neutral) to be the critical tasks to complete as you kick off your program.
Step 1: Just Start
This sounds easy, but it’s not. Most organizations choose to either ignore GRC or overthink it. If they are following the “overthink it” style, companies choose to pursue the perfect instead of the possible. Low-hanging fruit is ignored in exchange for picking all of the apples off the tree in one single action.
This approach leads to paralyzing questions that include overly detailed thoughts on how to start, where to start and what technology product (or products) to use. If left unchecked, you will find yourself holding the same Tuesday AM meeting for years with nothing tangible to show for it. If you don’t aim for something, you won’t start anything, and things will only get worse. Find a foothold and start the conversation around how to make that niche of the business a better place. You’ll be glad you did.
Step 2: Get Out There
A GRC program cannot be developed inside one office. You’re going to have to get out there, talk to your colleagues and find out what’s going on. Even the most finely crafted diagrams, dynamic slide shows and balanced budgets will fall on deaf ears if you don’t deploy your soft skills to help win over your colleagues. I have found that the easiest way to break down resistance and barriers is over food – seriously. Invite your fellow compliance team member out to lunch or reach across the floor and invite your friends in the Enterprise Risk Management group out for some BBQ. (I’m from KC, so this works for me. Insert the cuisine from your neck of the woods if BBQ isn’t for you.) Lunch meetings are disarming, personal and time bound – there’s always a natural stopping point. You’ll be surprised by what you learn.
Once you have a good feel for the thoughts and opinions of your colleagues across the office, a good way to maintain your momentum and to stay informed is to start a GRC Review Board. This sounds like more bureaucracy, but it’s more like a neighborhood gathering. Invite everyone who has anything to do with GRC within your company. This means everyone from Policy Owners to Internal Audit, Enterprise Risk Management, Legal, Sourcing, Compliance, Incident Response and Business Continuity – all are welcome. Stick to an agenda and establish regular meetings at least quarterly. GRC is a collaborative, team effort; people will want to be included, and again, you’ll be surprised by what you learn.
Step 3: Coordinate Your Activities and Communicate
If you’ve been to an air show, no doubt you’ve seen expert pilots flying in beautiful formations. This only happens because each pilot knows what the other pilots are doing and why. This last point is important: the why. When you align different corporate systems, change processes and alter the way people work there’s going to be resistance – even from the most flexible and optimistic team members. There will be a point where your program goes from theory to reality, and that will be your moment to not only implement your changes but also sell your changes.
During the “sell” phase, no one wants the answer, “because that’s just the way we’re going to do it.” Make sure you explain the why behind the changes: why it will be done that way; why these changes are a priority; why people should care. People are far more receptive and likely to do the right thing if they know the real story.
Be honest too. If the new approach involves slightly more work, don’t obscure this fact; your team members are going to find out on their own anyway. For every negative, highlight the positive trade-offs. In many cases the additional work is on the front end. Communicate the fact that the first few months may be a little challenging, but once things are up and running, they will be much smoother, faster and more efficient.
Step 4: Equip Middle Management
GRC training delivery is critical. We’ve all taken some form of mandatory web-based training. While we can agree that web-based training reaches the largest number of people, I think we also can agree that most people will try to just check the boxes and complete it as quickly as possible.
To combat this sort of complacency, companies rely on middle management to drive home the corporate message. For this to work, you must equip your middle managers with the facts, reasoning and benefits of the changes so they can properly educate and inspire their teams.
Remember: A poorly equipped manager can undo 18 months of work with a single snide remark or eye roll.
Your employees will pay far more attention to their direct managers than they will to an online quiz. If you equip managers with the information they need, most risk and compliance education issues will take care of themselves. A manager who leads by example and encourages employees to do the same is an invaluable asset.
Step 5: Encourage Feedback
Your GRC program will not take off overnight. It will require adjustments and refinement over time. The best way to make these adjustments is to solicit frequent and honest feedback. Make it easy for people to provide feedback, and perhaps even consider implementing a rewards program for participation. Above all, make sure you are creating an environment that makes people feel comfortable and appreciated when providing feedback, as far more people will remain reticent than cry wolf.
Making a Soft Landing
These steps are not all-encompassing, but they do represent key stages in your GRC deployment that should not be overlooked. The common thread throughout each step is your people. GRC is about collaboration – not of technologies or data – with your people. By bringing the wisdom and talents of various disciplines together, your organization can improve its performance and become more than just the sum of its parts. Successful change agents and GRC evangelists possess excellent soft skills and invest time every day in building and maintaining relationships. As you prepare your program for takeoff, reflect on these thoughts and start your dialog. There’s no time like the present to jump out of the nest.
–Chris Pantaenius, Principal and Founder