Sustaining Your GRC Program, After the Fireworks are Over


Have a plan for sustaining the excitement of your GRC deployment.

Firework shows are the ultimate front-loaded project; the type where it’s easy to lose sight of the long-term relationship. For two summers in my early twenties, I was a “Licensed Pyrotechnic Operator” by the Missouri Division of Fire Safety (which, if you know me, is like asking your cat to clean the swimming pool). My job description involved trekking to a variety of rural, hole-in-the-wall communities and assisting a team with blowing up a pre-determined number of explosives, without losing any appendages.

After 12 hours of work in the hot sun, the day would end with a brilliant display of color and spectacle. For many teams, the end of the show was their cue to haphazardly tear down the tubes (the launching mechanisms for the fireworks) and get the heck out of Dodge (or Thayer, West Plains, Monett, etc.), all the while high-fiving each other and talking about the great event they just created. I was lucky enough to be assigned to a team that knew better, though. To be a successful fireworks operator, it’s not just about the show.

Sustainability in the fireworks business is about the complete relationship. The person signing the check is typically a city council member or the chair of an oversight committee. The last impression of this stakeholder isn’t the show, but the conditions that are left behind after the show. Was the area cleaned up appropriately? Was trash left behind? Was the team professional and on time? Small town leaders talk; one bad impression can lead to a lack of business, both this summer and beyond.

When the Smoke Clears
With Governance, Risk and Compliance (GRC) technology deployments, it’s easy to lose yourself in the moment and focus on the “fireworks” that happen on launch day. New capabilities, fancy reports and new features are all things to celebrate. However, these victories will be short lived if you don’t have a long-term plan for sustaining your program when all the “new” simply becomes the “expected.” Based on my experiences in the industry (and borrowing from some lessons learned shooting fireworks) here are some suggestions for playing the long game with your GRC program:

  • Wire Carefully
    When wiring fireworks back to the main circuit board, keep in mind that there is a limit to what the wire can support. Crossing that limit can have potentially disastrous consequences. While over-wiring a GRC tool won’t cause you to lose a finger, it can add unexpected cost and heartache. The ability to tailor a GRC technology to meet the needs of your business process is the hallmark of many software products. The fact that you can model and manipulate the tool to meet your needs is a great feature to exploit. However, you should use wisdom when making your changes. When you make significant changes, be sure you understand the long-term impacts. For custom updates, be sure all parties have been exposed to the return on investment for the change. Is it worth automating a monthly report that used to take 15 minutes to produce if the cost is 60 minutes of monthly maintenance to the tool? Over-configuring your software may generate some front-end excitement, but it could burn through your productivity in the long run. In addition, introducing novel use cases and technology plug-ins to software can lead to errors and support issues.
  • Walk Steadily
    Don’t run with fireworks; keep a steady, even pace. Heed the same advice when it comes to ensuring the sustainability of your GRC technology. Your end users don’t like surprises. It’s inevitable that there will be updates and changes to whatever you deploy. For those changes, plan out a consistent update schedule that users can learn to rely upon. Your bug fixes, process enhancements and new features should follow a release schedule with a clear cadence – weekly, monthly, quarterly, or whatever fits with the temperament of your organization. Racing to make a fix or cram in a new feature at the last minute is going to end poorly, just like tripping while carrying multiple, 5-inch fireworks shells.
  • Clean As You Go
    When a fireworks show is over – it’s dark, really dark. It’s not fun to pick up trash at midnight, while you’re being swarmed with bugs and using the headlights of a pickup truck as your guide. While many things can’t be cleaned until after the show is over, much of the cleanup work can be completed while the sun is beginning to set. Take advantage of the down time prior to your GRC deployment (which often occurs as you’re getting the sign off to go live) to tidy up the implementation and have as clean of a deployment as possible. Write useful, task-oriented documentation. Label fields, sections and dashboards clearly, with direct and simple language. Remove the old elements that were created during the build phase that were ultimately superseded by better, more useful features. Ensure that your nomenclature is consistent – field names should have the same format, descriptions should have the same structure and layouts should have a similar look and feel across the system. Launching with a clean, easy-to-use system not only makes for more “fireworks” at launch time, but also builds confidence in your ability to deliver, thereby establishing good will with all of your stakeholders.
  • Maintain the Buzz
    At the end of every fireworks show, it’s custom to find the local leader and thank him/her for the opportunity to shoot the fireworks show. Even if the transaction is just five minutes, a professional interaction here leads to an invite for next year. Many people claim the ability to shoot fireworks, but few people have the ability to produce a show and achieve the trust necessary to maintain an ongoing relationship. When your software goes live, be sure to reach out to all of the stakeholders and offer a word of thanks. Remind them of all the new things the team has achieved and how the current state is far better than the old status quo. In addition, be sure plans are in place so that there is an ongoing conversation. In partnership with the “Walk Steadily” tip, have meetings scheduled at appropriate points to sign off on updates and new releases and to discuss the good and bad of what the technology offers. GRC is a marathon, not a sprint. Invest time to extend the buzz created with the initial launch.

The Grand Finale
While I’ve long since left the fireworks business, I have many fond memories of the shows I assisted with back in the day. During this summer’s fireworks season, if you come across one of the hard-working fireworks team members, thank them for their hard work and offer them a word of encouragement. While the evening may end with an illuminated sky, thunderous sounds and a musical crescendo, the pieces are already being put in place for an even better show next year. As you work to ensure the success of your GRC technology roll out, invest time in both your initial display, and the long-term strategy you will use for success in future years.

–Jonathan Kitchin, OrangePoint

This entry was posted in GRC, GRC Consulting, GRC Technology Implementation and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s