Two reports crossed my desk recently and I wanted to highlight a few action items based on their findings. The first, based on data provided by Deloitte and centered on financial institutions, is entitled “Growing Confidence (The smart way to manage governance, risk, and compliance)”. The second is by the IT Policy Compliance Group and included more than 2,600 organizations in its study.
Deloitte maintains that GRC is a subset of a greater necessity for organizations and therefore must be fully integrated into the organization’s culture. Specifically, GRC goes beyond simple pizza box solutions and revolves instead around people and behaviors. In addition, the report strongly supports the concept that through the use of risk management techniques organizations can take “risk intelligent” actions in the marketplace that otherwise would not be possible – or could be done, but would result in failure. The Deloitte “book” is very easy to read and nicely broken down. It is definitely worth the time of anyone concerned with raising their business above simple technology problems to technology innovation. GRC and governance of technology services must strive to move beyond simple change tickets to enhancing business value to the customers.
The 2008 report “IT Governance, Risk and Compliance – Improving Business Results and Mitigating Financial Risk” provides a nice breakdown of practices and a basic maturity grid based on their findings. The report also builds upon prior years’ results, so comparing your organization across similar time periods is possible.
Action Items to Improve TODAY:
- What gets measured gets improved – establish ANY form of measure (scorecard, Six Sigma, 360, etc…) and have a set number of metrics that are published to the entire business. This will ensure that progress occurs and that feedback allows for adjustment to the metrics that matter
- Sponsorship must include all line-of-business leaders and senior management – the net effect of these improvements will lower cost, allow for more agile deployments into new markets, and provide revenue generation opportunities (this is not the responsibility or focus of technologists)
- Establish a clear feedback process where metrics (as stated above) and services are reset regularly to meet the demands of the business (Revolutions in production from factories to services are constant, and only those that evolve with the trend remain relevant)
- In 2000, companies had their stock ticker symbol streaming across the walls… today they are gone because that is not a true reflection of the efforts and improvements of an organization – do not fall into such a trap: publish metrics that are relevant to those who are concerned (customize them based on the audience)
- Embrace automation and customization to match the culture of the organization and achieve a level of confidence as the business transforms beyond its defined borders and walls
James DeLuccia IV