Eric Bonnell, Senior Vice President, Second Line of Defense Risk Manager, Focus on Privacy and Business Resilience, Atlantic Union Bank
Polaris, also known as the North Star, has been important to humanity since ancient times. Its stellar position has been used by navigators for centuries to:
• Set a standard fixed point by which all other points are related
• Understand where the destination is in relation to this standard
• Identify the map of boundaries and hazards
• Plan tactics to move from present location to the destination
• Adjust tactics when blown off the planned course
Such is strategic planning. It is knowing where we are, where we want to be, how we plan to get there with our current resources, and how to adjust when external forces change. Ancient sailors had to do the pre-work to obtain transportation, hire the crew, plan the voyage, monitor progress, and adjust accordingly.
Establishing a Governance, Risk, and Compliance (GRC) tool for an organization is no different – it is a journey and requires pre-work and ongoing governance to reach success. By understanding your position relative to the North Star as well as your current and obtainable assets, you have the ingredients to build your strategy and position your company for a successful initial implementation.
Purpose and Company Structure
Company mission, size, and organizational structure are key elements to understand. Having a clear understanding of the purpose of the GRC tool implementation will enable you to drive effective design: infrastructure hosting options, capacity planning, desired functionality, and the ongoing system support model. Aside from technical considerations, it is crucial to understand the current Enterprise Risk model and maturity strategy, business inventory data sources, and business engagement model. This clarity will drive the level of business engagement required, the implementation of and relationships among GRC workflows, the level of automation that can be achieved, and the dashboarding and reporting capabilities that may be achieved.
Scope and Assumptions
Some clarifying questions to ask include:
• Will your GRC tool drive an Enterprise Integrated Risk Management program for a multi-divisional corporation or cover specific risk/compliance tasks for a smaller company?
• Is your Enterprise Risk Management function centralized, distributed, or hybrid?
• What execution boundaries or hazards might you face (e.g., cost barriers, regulatory drivers, GRC system constraints, resource and business priority challenges, etc.)?
• How do the first line of defense (line of business layer) risk function, the Compliance function, and Internal Audit interact with the Enterprise Risk team?
• Are there anticipated changes to the Enterprise Risk organization as the company matures that should be planned for during GRC tool design?
• Does the company already have mature policies, procedures, and compliance/risk frameworks in place to account for in the design process (or will the company adopt any pre-built frameworks within the GRC tool)?
• Who are the owners and stewards of each data type and how will changes be vetted and approved?
• Are the key customers and consumers of dashboards and reports identified so they can provide input on the information delivered and its format?
• Can you ingest inventory data (e.g., teammate, technical asset, business process, vendor, cost center, location, etc.) up front and, where possible, provide regular automated updates within your GRC tool?
• Is the impact of data changes from one risk function on other GRC functionality understood (e.g., will business process changes for risk assessment purposes result in scope, definition, and rework changes to business continuity plans, policy and procedures, model risk attestations, other reassignments, etc.)?
• Will the GRC tool provide performance reporting on the entire Integrated Risk Management process to identify operational gaps, subsequent automation improvements, and additional value-added reporting?
Know the Ways of the Sea
Initial GRC tool implementation can be frustrating and challenging. The initial data collection process, if done well, will be extensive. It will feel like the tool is not adding any value for an extended period of time. This is no time to take the direct path through the rapids; initial tool setup is best done along the longer yet calmer course. The long-term benefits of being initially cautious are significant. Having your asset inventories within the tool before building GRC workflows will allow you to:
• Address discrepancies in the asset inventories which will in turn add value by streamlining or enhancing upstream operational processes
• Allow the business to become familiar with the GRC tool in a safe and controlled manner, increasing long-term adoption and value
• Deliver extended flexibility and process simplicity
Now that you have your sea legs, remember that providing strategic clarity and supporting the initial data-driven implementation phase will serve you well to enable ongoing voyages to enhance Enterprise-class Integrated Risk functionality. If the initial voyage is successful, you will have taken steps to establish a culture of transparency, collaboration, and resiliency, serving you well along ongoing journeys into the unknown.