CIOReview
CIOREVIEW >> Compliance >>

Guiding principles for Transformation of an IT GRC Program

Darrell Coleman, VP, International Regulatory Compliance, DynCorp International
Darrell Coleman, VP, International Regulatory Compliance, DynCorp International

Darrell Coleman, VP, International Regulatory Compliance, DynCorp International

Governance, Risk, and Compliance, or GRC for short, refers to a company's coordinated strategy for managing the broad issues of corporate governance, enterprise risk management (ERM) and corporate compliance with regard to regulatory requirements.

For a modern IT department to function effectively, as a compliant organization, it must be fully integrated into the corporate GRC program. Therefore, a department embarking on a transformation to a fully integrated department must integrate GRC in from the birth of the effort. GRC simply cannot be added at the end the transformation effort; rather, it must permeate it. Buying a tool to solve your GRC problems is putting the cart before the horse.

For example, if you don’t have a risk assessment, buying a GRC tool is not going to give it to you. A GRC program allows you to pull together policy, compliance, risk, remediation, data archiving, and reporting information all into one tool.

The following four guiding principles for a successful transformation are:

1. Establish fully resourced organization(s) early in the transformation process.
2. Identify stakeholder and define roles.
3. Ensure unity of effort around a compliance framework.
4. Accelerate training, assessments, and education.

Guiding Principles for Transformation: Additional Details

1. Establish standing and fully resourced organizations early— Modern operations require capable and resourced organizations to train and operate effectively. This includes full integration of GRC and IT operations, which has proved to be key to outpacing accelerated operations cycle. Organizations must be established early in a transformation effort. If possible, contingency funds should be set aside to address unforeseen events that cause the transition costs to increase.

Transformation should be driven by company culture

2. A compliance framework is a structured set of guidelines that details an organization's processes for maintaining in accordance with established regulations, specifications or legislation. Identify shareholders and define roles—The effort required to effectively manage the transformation—including establishing requirements and managing budgeting and acquisition processes—is a full-time job for a senior leader. In the same way, training employees to operate jointly, and then employing them effectively, requires an equal full-time level of effort.

Every member of the organization must participate in risk management

3. Ensure unity of effort - Effective operations—and effective CIO oversight—requires clear lines of authority and accountability. There must be cross-department collaboration to be successful. Individuals must understand to what specific person they are accountable for a specific operation or other task. Establishing clear objectives and creating clear plans for meeting them is essential to getting various parts of the organization to move in the same direction (unity of effort). To promote coordination, reduce duplicative efforts and foster better understanding, the CIO must share their plan with all stakeholders.

Every member of the organization must participate in risk management

4. Accelerate training, assessments, and education—Training brings value when completed appropriately and as is educating employees on the importance of compliance. Constant messaging keeps the transformation and the desired outcome in front of the employees. Effective transformations can only occur if organizations prepare, train, educate and assess for risk not only in advance but consistently through the transformation.

In order to evaluate readiness and identify needed changes an enterprise Risk Assessment (See Risk Matrix below) must be done. There are several risk registers online to choose from and the only real requirement is a register identifies common strategic risks and catalogs them according to risk and risk types. The ultimate purpose of the risk assessment is the identification and analysis of discovered or known risks and to prepare for risk mitigation. Mitigation includes reduction of the likelihood that a risk event will occur and/ or reduction of the effect of a risk event if it does occur.

Risk management is a continuous, forward-looking process that is an important part of business and technical management processes.

Risk Mitigation is a systematic risk management practice which involves identification of risk, analysis, prioritization, planning, mitigation, monitoring and communication that result in a reduction in the extent of exposure to a risk and/or the likelihood of its occurrence.

Risk monitoring is the process which tracks and evaluates the levels of risk in an organization. As well as monitoring the risk itself, the discipline tracks and evaluates the effectiveness of risk management strategies.

You must monitor the status of each risk periodically and implement the risk mitigation plan as appropriate

Finally, Risk Assumption is the last resort. It means that if risks remain that cannot be avoided, transferred, insured, eliminated, controlled, or otherwise mitigated, then they must simply be accepted so that the transformation can proceed. This implies that the risks associated with going ahead are less than, or more acceptable than, the risks of not going forward. If risk assumption is the appropriate approach, it needs to be clearly defined, understood, and communicated to all stakeholders.

Risk is a given every day you open your doors for business

Brian Schwartz, PwC's U.S. Performance Governance, Risk and Compliance leader said, "Undertaking a systematic review that determines what aggregated level of risk a company is willing to take on—and ensuring that all business units understand those limits— remains a central tenet of risk management leadership."

See Also: Top GRC Technology Companies 

Read Also

Unclogging the Branch and Call Center Traffic Jam

Unclogging the Branch and Call Center Traffic Jam

Edward Vidal, Director IT Service Management Office, Memorial Healthcare System
Real-Time Analytics: The Future of Higher-Education Digital Marketing

Real-Time Analytics: The Future of Higher-Education Digital Marketing

Joe DeCosmo, Chief Analytics Officer, Enova Decisions
The Future of Computing: Hype, Hope, and Reality

The Future of Computing: Hype, Hope, and Reality

Bill Reichert, Partner, Pegasus Tech Ventures
Asset Management: Building a Foundation for Smart Decisions

Asset Management: Building a Foundation for Smart Decisions

Elizabeth Young, GISP, City of Fort Worth
How to Attune your Business using Big Data Analytics in a Newly formed Covid19 Environment?

How to Attune your Business using Big Data Analytics in a Newly...

Aleksandar Lazarevic, VP of Advanced Analytics & Data Engineering, Stanley Black & Decker
How to Achieve a True Internet of Things (IoT) Implementation

How to Achieve a True Internet of Things (IoT) Implementation

Jolene Baker, Sr. Manufacturing Intelligence Specialist, LSI Logical Systems