SEPTEMBER 2021 CIOAPPLICATIONS.COM

IN MY VIEW
Your Maiden GRC Implementation Voyage
Eric Bonnell

ERIC BONNELL, SENIOR VICE PRESIDENT, SECOND LINE OF DEFENSE RISK MANAGER, FOCUS ON PRIVACY AND BUSINESS RESILIENCE, ATLANTIC UNION BANK

Polaris, also known as the North Star, has been important to humanity since ancient times. Navigators have used its fixed position for centuries to:
· Set a standard fixed point by which all other points are related
· Understand where the destination is in relation to this standard
· Identify the map of boundaries and hazards
· Plan tactics to move from the present location to the destination
· Adjust tactics when blown off the planned course

Such is strategic planning. It is knowing where we are, where we want to be, how we plan to get there with our current resources, and how to adjust when external forces change. Ancient sailors had to do the pre-work to obtain transportation, hire the crew, plan the voyage, monitor progress, and adjust accordingly.

Establishing a Governance, Risk, and Compliance (GRC) tool for an organization is no different: it is a journey, and it requires pre-work and ongoing governance to reach success. By understanding your position relative to the North Star, as well as your current and obtainable assets, you have the ingredients to build your strategy and position your company for a successful initial implementation.

Purpose and Company Structure
Company mission, size, and organizational structure are key elements to understand. A clear understanding of the purpose of the GRC tool implementation will enable you to drive effective design: infrastructure hosting options, capacity planning, desired functionality, and the ongoing system support model. Aside from technical considerations, it is crucial to understand the current Enterprise Risk model and maturity strategy, business inventory data sources, and business engagement model.

This clarity will drive the level of business engagement required, the implementation of and relationships among GRC workflows, the level of automation that can be achieved, and the dashboarding and reporting capabilities that can be delivered.

Scope and Assumptions
Some clarifying questions to ask include:
· Will your GRC tool drive an Enterprise Integrated Risk Management program for a multi-divisional corporation, or cover specific risk and compliance tasks for a smaller company?
· Is your Enterprise Risk Management function centralized, distributed, or hybrid?
· What execution boundaries or hazards might you face (e.g., cost barriers, regulatory drivers, GRC system constraints, resource and business priority challenges)?
· How do the first line of defense (line of business) risk function, the Compliance function, and Internal Audit interact with the Enterprise Risk team?
· Are there anticipated changes to the Enterprise Risk organization as the company matures that should be planned for during GRC tool design?
· Does the company already have mature policies, procedures, and compliance/risk frameworks in place to account for in the design process, or will it adopt pre-built frameworks within the GRC tool?