IRM vs. GRC: What’s in a name? And what does this all mean? For many it means learning a new language and making old terms taboo. For others it means straddling both sides of the fence. And for others it doesn’t mean very much at all. Jason Rohlf explains.
In jury selection, the prosecution and defense ask tough questions not because they want to embarrass people. They simply want to find 12 jurors best suited for the case. And so it goes in GRC consulting. We must ask difficult questions of our clients and ourselves. We must speak the truth in our answers. And we must be willing to accept the truth (even the hard truth) from our colleagues. That’s how we bring value to our engagements and continue to improve ourselves.
When our customers are establishing ERM and Policy Management programs within Onspring, the question of “who owns these risks/policies/controls?” comes up time and time again. Unfortunately, finding the right people to own process-level or content-level items can be quite challenging.
Your organization must place its primary focus on the execution of the critical GRC processes that have been vetted and validated. That said, as you ride the ebbs and flows of your business, it is crucial to perform periodic assessments of your processes to make sure they’re giving you what you need. Keep in mind that this does not merely involve reviewing your process documentation, making a few tweaks, and calling it a day. Rather, you should focus on asking yourself some tough questions.
Too many decision makers purchase a tool based on the fact that it “can” automate GRC/other business processes, not on “how” it does it for your organization. Just as buying a volume-maximizing shampoo will indeed clean your hair…beware the unintended consequences.
I recently had the pleasure of co-authoring an E-Book with GRC consultant and “process whisperer” Dan Plato. Dan was one of our most dynamic speakers at Onspring Connect 2017 with his presentation on solution design best practices. We’ve packaged up those best practices, along with a set of templates and samples, into a guide that’s available free on our website.
I have a running list of recurring phrases in GRC (there are quite a few), and I’d like to share two of them with you: specifically, my favorite and my least favorite. And since I think I read somewhere that it’s always better to lead with bad news (or maybe it was the other way around?), I’ll start with my least favorite: “What are other people doing?”
An application built into a GRC platform to facilitate a business process will never truly be “finished.” When you first implement a business process, think of it like you would a software product. What you just implemented is essentially “version 1.0.” Over time and through repeated end-user exposure, users will request updates. Some of those updates will be minor, like adding a value to a dropdown list, and some will be major, like completely overhauling users’ access.
For those of us who live in the GRC consulting world, birthday milestones are a bit like project milestones. Some are big events. Some are barely noticed. Some are cause for celebration. Others are simply a jumping-off point for the next big thing.
When I’m asked the “How do you compare?” question or one of its many derivatives, I simply respond as follows: “To be honest, I don’t really have any experience with Product X, and anything I’d tell you would just be hearsay, so I can’t honestly make that comparison. Instead I’d like to hear about your goals and objectives so we can figure out a way to leverage Onspring to help you accomplish them in the best way possible.” Period.
If I showed you a picture of a Sasquatch or a unicorn, chances are you would be able to identify them almost immediately. That is to say that nearly everyone knows exactly what they are even though they haven’t been proven to exist. In most cases, the “Fully Integrated GRC Program” fits within the same category. Anyone who has been working in GRC recognizes the concept immediately, but chances are there’s no proof that integrated GRC is fully alive within the organization.
Because I do believe there is wisdom within our traditional proverbs, I’ll take this opportunity to invoke some of my favorites and put them into terms that might prove useful when applied to challenges in the realm of Governance, Risk and Compliance (GRC).