What Are Other People Doing? Maybe You Don’t Want to Know
By Evan Stos
After nearly a decade in GRC software consulting, I’ve seen and heard a lot. In fact, I often hear the same things over and over. Some of these recurring phrases make me smile with delight—sort of like running into an old friend you haven’t seen in a long time. Unfortunately, there are other phrases that cause the polar opposite reaction, sort of like running into an ex-girlfriend.
I have a running list of these recurring phrases (there are quite a few), and I’d like to share two of them with you: specifically, my favorite and my least favorite. And since I think I read somewhere that it’s always better to lead with bad news (or maybe it was the other way around?), I’ll start with my least favorite:
“What are other people doing?”
Full disclosure, just typing that made me cringe a little bit. Other equally cringe-worthy variations of this phrase include:
- “How are your other customers handling/implementing this?”
- “Do you have other customers in (insert industry here) that are doing Risk/Policy/Audit/Compliance/etc. Management? If so, how are they handling (insert issue)?”
- “Do you have a template for how this should be implemented based on your past experience?”
Why do I dislike that phrase the most, you ask? Simple: Because no two organizations are the same. For example, I’ve implemented Risk Management solutions for two different companies in the exact same industry. The primary goal for both of them was the same: To forecast and evaluate risks and identify procedures to avoid or minimize their impact. (Hopefully you’re still with me, because I realize that last sentence was pretty dry and rehearsed, as it should be since it’s literally the definition of Risk Management.) That isn’t to say that there aren’t best practices in place regarding how an organization should forecast and evaluate risks. Of course there are! However, those best practices are simply guidelines, not the ironclad law. Ultimately, how an organization arrives at these best practices will be nuanced.
Going back to my example: Despite being in the exact same industry, both customers had noticeably different thresholds when it came to what they considered a “High” risk vs. a “Very High” risk. If Company A had simply said, “What are other people doing? Let’s do that,” it wouldn’t have been an accurate evaluation of their risks. Simply put, the question shouldn’t be “What are other people doing?” but rather “What are we doing today (or need to do in the future) that helps us achieve these best practices?” Granted, asking the second question requires more critical thinking and creativity (gasp!) and is tougher to answer, but in the end you’ll be better off for it.
And now, my favorite phrase to hear while doing an implementation:
“We may not have all the answers right now, but we have to start somewhere!”
This kind of pragmatic thinking is music to my ears, especially in situations where a customer’s business process dates back to the Reagan administration and has barely changed (no, I’m not exaggerating) or where a customer is starting from scratch. In both situations, trying to “boil the ocean” with the newly acquired shiny toy (the GRC platform) often happens. In my experience, I’ve found that putting one foot in front of the other and trying to solve a few problems at a time helps in two ways:
- It helps demonstrate “quick wins” to your end users and management team.
- It helps key stakeholders maintain their sanity, as overhauling an antiquated (or virtually non-existent) process can be quite the undertaking.
As an added bonus: The most humorous phrase (to me, anyway) that made my list was, “This tool is going to solve all of our problems, right?” For the answer to that one, check out Jason Rohlf’s post, “A Hammer Does Not Build a Home.”