ComplianceWeek has two examples of implementing IT-GRC solutions in two multi-billion dollar organizations. Interestingly, each deployed in its own unique fashion and had different takeaways from the experience. The article speaks directly about SAP technology, but the successful GRC implementation practices apply to any organization.
In fact, evolving an organization’s risk framework through the adoption of an IT-GRC solution benefits an organization of any size, and even individual lines of business within an organization. I discussed additional support for GRC and its business benefits here for further insight, and with registration the OCEG documents are quite insightful.
A key point within the article is its focus beyond the risk, security, and compliance benefits that are generally listed for GRC. There are numerous benefits to GRC that help improve profitability, lower failure rates within operations, and enhance business communications – among others. The simple reality is that having greater clarity and effective automated systems is a strategic advantage in every business.
The article highlights a few specific GRC implementation tips and can be found here at this link. Below are my ‘next’ three tips to consider:
- Do your pre-planning: Just as in a marathon, one does not simply walk to the start line and figure it out along the way. Similarly, organizations seeking to integrate an important technology such as GRC (one that will become ingrained in critical business operations) must consider how things should happen out of the gate. Business leaders and technologists need to identify the specific objectives, parties, and inputs/outputs required. Such specifics will ensure targeted project management and prevent scope creep. The secondary benefit of this adherence to a plan (and there can be many cycles in which the process is enhanced continuously) is the clear recognition of achieving targeted goals and objectives, an effect that will certainly help to maintain the momentum of the project.
- Training and Paperwork: In order to successfully integrate the technology into your organization, it is necessary to know how the work is currently being accomplished today, or how it should be done based on the culture and business objectives. Therefore it is best to first work through the components of the GRC program on paper and in collaborative work sessions prior to sitting down in front of an administrative console. These work sessions should produce specific ‘paper’ on how such things as permissions, authorization, and core business metrics are to be enabled in the application. The technical specifics of how this will be done should be considered afterward. In most cases – this type of program design can occur prior to the selection of any actual vendor product, and therefore could be used as purchasing criteria when such criteria are defined.
- Seek Professional Help: The article highlighted the benefits of leveraging third parties to augment the business staff in order to successfully launch these programs. It is critical that such third parties be brought onboard for this work. In lieu of these specialty teams, a business could hire individuals with deep experience in the technology and specialty. In either case – focus on experience, targeted delivery, and proper teaming with business teams, tech teams, and other service providers.
Other best practices / thoughts?
James DeLuccia IV