Last week we talked about how GRC is transforming from an ad hoc, rationalized stage to a more mature, optimized stage that leverages real-time information and gives us dynamic GRC. But what does that really mean? Earlier, in What’s the Hoo Ha about GRC, we talked about Seeing, Understanding and Believing as the concepts that usher in this new era. So, let’s take it apart. What’s the deal with Seeing? Quick review:
Seeing. As many commenters on this blog point out, we need visibility and transparency to see our current exposure and give us the confidence not only to manage risks within our appetite but to exploit new opportunities with quantified risk. The line of sight from a business or regulatory requirement deep into embedded controls has to be relatively unbroken and unobstructed. It’s complex, and difficult, but not impossible, to see through the web of our hyper-extended, deeply-stacked, dynamic and increasingly virtual organizations. Simple pie charts sitting on a single repository simply aren’t going to be enough. Dynamic GRC needs really good navigation, visualization, data management and analytics, where we can literally see a model, heat map or trend line and use the combined power of our intuition and analysis to gain the insights we need to construct better decisions. Here we take a lesson from business intelligence and apply it to GRC. We need to be able to see the key risk indicator (KRI) on, say, the supplier management system approaching a service level agreement (SLA) threshold, then drill down, slicing and dicing through the stack from the application layer to the network and server technology assets and controls, to the root cause. Let’s look at the key differentiators: navigation, visualization, data management and analytics.
Navigation is different. Today, many GRC apps use a simple web browser with a hierarchical tree to drill down from, say, an organizational unit, to business processes or assets within the unit, to perhaps some key risks and then to controls that may be failing in relation to those risks. But really, that isn’t enough in a world where control states and other measurements are harvested in real time from IT management systems. Think: multi-dimensional traversal, and mash-ups from many sources.
Visualization is different. Not just pie charts and reports. Visualization is better because the underlying GRC intelligence is better. Think: maps with overlays that show you where your greatest risks are, geographically or by business process, with drill-down to near-real-time data.
Data management is different. Not just a central, hierarchical data repository. Dynamic GRC needs federated data sources: metadata pointers to where the information lives, in real time. This requires master data management so that different versions of the truth are reconciled. Think: a web of information and smooth, direct traversal.
Analytics are different. Not just database queries and simple risk calculations. Dynamic GRC relies on rich, granular data that can be sliced and diced as business intelligence. Think: what-if scenario modeling and sensitivity analysis, where you can see the effect on risk of tightening or loosening a control before there is an impact.
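To make the 'seeing' concrete, here is a small Python model added as an illustration (it is not code from the original post): a KRI on a supplier management application is checked against its SLA threshold, a drill-down traverses the application, network and server layers to the controls that are not operating, and a what-if tightens one control on a copy of the model so the effect on residual risk is visible before anything changes in production. The asset names, control effectiveness values and the multiplicative residual-risk formula are constructed assumptions.

```python
import copy
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    effectiveness: float   # share of exposure removed while the control operates (0..1)
    operating: bool        # control state harvested from the IT management system

@dataclass
class Asset:
    name: str
    layer: str             # "application", "network" or "server"
    controls: list
    depends_on: list = field(default_factory=list)   # next layer down the stack

def kri_status(value, sla_threshold, warning_margin):
    """Classify a KRI reading against its SLA: 'breach', 'approaching' or 'ok'."""
    if value < sla_threshold:
        return "breach"
    return "approaching" if value < sla_threshold + warning_margin else "ok"

def stack_controls(asset):  # yields (asset, control) for every control down the dependency stack
    yield from ((asset, c) for c in asset.controls)
    for dep in asset.depends_on:
        yield from stack_controls(dep)

def failing_controls(asset):  # drill down to root cause: (layer, asset, control) not operating
    return [(a.layer, a.name, c.name) for a, c in stack_controls(asset) if not c.operating]

def residual_risk(asset, inherent=1.0):
    """Inherent exposure reduced multiplicatively by each operating control in the stack."""
    risk = inherent
    for _, c in stack_controls(asset):
        risk *= 1.0 - c.effectiveness if c.operating else 1.0
    return risk

def what_if(asset, control_name, **changes):
    """Sensitivity analysis on a copy of the model: returns (residual before, residual after)."""
    trial = copy.deepcopy(asset)
    for _, c in stack_controls(trial):
        if c.name == control_name:
            vars(c).update(changes)          # e.g. operating=True or effectiveness=0.9
            return residual_risk(asset), residual_risk(trial)
    raise KeyError(control_name)

# Constructed sample stack for a supplier management application (not real data)
db_server = Asset("supplier-db-01", "server", [Control("patching", 0.6, True), Control("backup", 0.5, False)])
wan_link = Asset("wan-link-east", "network", [Control("redundant-circuit", 0.7, False)])
supplier_app = Asset("supplier-mgmt", "application", [Control("input-validation", 0.4, True)], [wan_link, db_server])
```

With a constructed on-time fulfilment reading of 0.955 against a 0.95 SLA, `kri_status` reports the KRI as approaching its threshold, `failing_controls(supplier_app)` points at the redundant circuit and the backup control, and `what_if(supplier_app, "redundant-circuit", operating=True)` shows the residual risk falling from 0.24 to 0.072 without touching the live model.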
Why is dynamic GRC important? Because we can’t afford glacial reports that are frozen in time; we need near-real-time ‘seeing’. In today’s economy, where new investments need to show ROI within quarters, we need to use what we already have. This is not rocket science: performance management systems for the business and resource management systems for IT already hold this information and are increasingly leveraging this kind of ‘seeing’. Why should GRC be starved? It’s part of the natural convergence between performance management and GRC. And don’t you think it’s part of our responsibility as GRC stakeholders to drive awareness and make these kinds of major improvements that truly add value to our organizations?
Next time let’s talk about the next critical concept in dynamic GRC: Understanding.