Recently, I had the opportunity to gain some new perspectives and completely change surroundings. Not only did I transition to a new client, but I made a geographical move across the country. New office, new client coworkers, new breakfast and lunch locales – even a new time zone! I’ve traded in all of my routines for a fresh start, and to be honest, I couldn’t be happier. I’ve learned a variety of new things about myself that I would not have been able to do had I stayed in my old surroundings.
When in the middle of a GRC technology implementation, it’s easy to lose sight of the big picture. While we spend time checking off the business requirements, if we’re not careful we may be solving for trivial problems and missing a chance to add real value to the organization. If not written well, requirements documents become just a “wish list” of levers, dials and knobs aimed at simplifying existing aspects of the overall process. The core process is never questioned; the job of the new system is just to “clean it up” or “make it smoother.”
Step Back to Step Forward
If you’re taking the time to move from a manual world to an automated system, don’t waste this opportunity. Step back, look at the whole picture before diving head first into an implementation. To help you get a new look into your GRC activities, here are three action items you can employ to help you see new insights you may have missed:
- Tighten Your Goals
To gain a better perspective on your project, devote time to outlining what success should look like. If the overriding objective of your project is just to, “make it better,” it’s going to be tough to measure you’ve done. With GRC processes, the easy way out is to use power verbs – centralize, optimize, harmonize – as goals and avoid the accountability that comes with goals such as “reduce the manual effort by 20%.” Where possible, try to quantify what you are looking to accomplish. By rethinking and reflecting on what determines a gold-star implementation, you can cast a better vision for your GRC program.
- Talk Through the Process
Great automated GRC processes have a story. Your data is going to go on a journey, and your stakeholders will be the actors and influencers. Hold a meeting with the key people for your process and have everyone talk through their current and desired role in the data flow – start to finish. By having your team members openly discuss what they will be doing (or desire to be doing) everyone can get a 360-degree view of what will be happening. These sessions likely will expose the group to the differing perspectives brought to the table by the various teams. For example, it’s easy to assume what the Information Security team is thinking when they review the results of a vendor self-assessment, but it’s another thing to hear the thought process that goes on when your IT person talks through what he/she does. In addition to awareness, use this session to identify areas of the process with potential bottlenecks (too few team members, too many demands on a single individual, etc.) and redundancies (two people charged with doing very similar tasks).
- Test with New Eyes
After weeks of discussions, configurations and review, it’s hard to bring a clean and fresh perspective to your automated process. Testing is not a phase to simply validate that dropdown lists have the right options and graphs display in the desired colors; it’s also an opportunity to determine whether you’ve achieved your goals. Is the process easy to use? If you set quantifiable goals, did the process actually, “reduce manual effort by 20%?” The people that have lived and breathed this endeavor may not be the best measure of whether this has been achieved – they are bringing in assumptions and knowledge, gained from the development meetings and discussions – that other users of the process won’t have. While your stakeholders will obviously be involved in the review, don’t forget to bring in new people to the process. New testers will be better able to look at the whole picture. They don’t, for example, automatically know where the “Submit” button is. By watching your testers carefully and listening to their comments, you can add a variety of fine tunings to your process and approach. Also, don’t wait until the very end to conduct your first test. Leave time in your project plan so you have the chance to make changes and implement any reasonable recommendations. Getting excellent ideas and feedback two days before your “go live” doesn’t do anyone any good.
One Last Perspective
While you don’t have to uproot your life to enhance your point of view, it’s beneficial to invest time to pause and look over your current goals, plans and activities to see if your actions are still taking you where you want to go. Allowing ourselves to grow professionally from these experiences is one of the greatest tools available. It is these new viewpoints that keep us on our toes, and allow us to learn how to improve both our processes and ourselves as professionals.
–Nick Butcher, OrangePoint