Guiding principles for Transformation of an IT GRC Program

Darrell Coleman, VP, International Regulatory Compliance, DynCorp International

Governance, Risk, and Compliance, or GRC for short, refers to a company's coordinated strategy for managing the broad issues of corporate governance, enterprise risk management (ERM) and corporate compliance with regard to regulatory requirements.

For a modern IT department to function effectively as a compliant organization, it must be fully integrated into the corporate GRC program. A department embarking on a transformation must therefore build GRC in from the start of the effort. GRC cannot be bolted on at the end of the transformation; it must permeate it. Buying a tool to solve your GRC problems is putting the cart before the horse.

For example, if you don't have a risk assessment, buying a GRC tool is not going to give you one. What a GRC program does give you is a way to pull policy, compliance, risk, remediation, data archiving, and reporting information together into one tool.

The four guiding principles for a successful transformation are:

1. Establish fully resourced organization(s) early in the transformation process.
2. Identify stakeholders and define roles.
3. Ensure unity of effort around a compliance framework.
4. Accelerate training, assessments, and education.

Guiding Principles for Transformation: Additional Details

1. Establish standing and fully resourced organizations early—Modern operations require capable, resourced organizations to train and operate effectively. This includes full integration of GRC and IT operations, which has proved key to keeping pace with an accelerating operations cycle. Organizations must be established early in a transformation effort. If possible, contingency funds should be set aside to address unforeseen events that increase transition costs.

Transformation should be driven by company culture

2. Identify stakeholders and define roles—The effort required to effectively manage the transformation—including establishing requirements and managing budgeting and acquisition processes—is a full-time job for a senior leader. In the same way, training employees to operate jointly, and then employing them effectively, requires an equal full-time level of effort.

Every member of the organization must participate in risk management

3. Ensure unity of effort around a compliance framework—A compliance framework is a structured set of guidelines that details an organization's processes for maintaining compliance with established regulations, specifications or legislation. Effective operations—and effective CIO oversight—require clear lines of authority and accountability. Cross-department collaboration is necessary for success. Individuals must understand to whom they are accountable for a specific operation or other task. Establishing clear objectives and creating clear plans for meeting them is essential to getting the various parts of the organization to move in the same direction (unity of effort). To promote coordination, reduce duplicative effort and foster better understanding, the CIO must share the plan with all stakeholders.

4. Accelerate training, assessments, and education—Training brings value when it is completed appropriately, as does educating employees on the importance of compliance. Constant messaging keeps the transformation and the desired outcome in front of the employees. Effective transformations can only occur if organizations prepare, train, educate and assess for risk not only in advance but consistently throughout the transformation.

In order to evaluate readiness and identify needed changes, an enterprise risk assessment (see Risk Matrix below) must be done. There are several risk registers available online to choose from; the only real requirement is that the register identifies common strategic risks and catalogs them according to risk and risk type. The ultimate purpose of the risk assessment is the identification and analysis of discovered or known risks in order to prepare for risk mitigation. Mitigation includes reducing the likelihood that a risk event will occur and/or reducing the effect of a risk event if it does occur.

Risk management is a continuous, forward-looking process that is an important part of business and technical management processes.

Risk mitigation is a systematic risk management practice that involves identification, analysis, prioritization, planning, mitigation, monitoring and communication of risk, resulting in a reduction in the extent of exposure to a risk and/or the likelihood of its occurrence.

Risk monitoring is the process that tracks and evaluates the levels of risk in an organization. As well as monitoring the risk itself, the discipline tracks and evaluates the effectiveness of the risk management strategies in place.

You must monitor the status of each risk periodically and implement the risk mitigation plan as appropriate

Finally, risk assumption is the last resort. It means that if risks remain that cannot be avoided, transferred, insured, eliminated, controlled, or otherwise mitigated, then they must simply be accepted so that the transformation can proceed. This implies that the risks associated with going ahead are smaller, or more acceptable, than the risks of not going forward. If risk assumption is the appropriate approach, it needs to be clearly defined, understood, and communicated to all stakeholders.

Risk is a given every day you open your doors for business

Brian Schwartz, PwC's U.S. Performance Governance, Risk and Compliance leader said, "Undertaking a systematic review that determines what aggregated level of risk a company is willing to take on—and ensuring that all business units understand those limits— remains a central tenet of risk management leadership."
