Most of you know I am part of EMC’s Consulting organization and work closely with RSA and the Archer team. This week at RSA Conference in San Francisco, we are launching a very focused set of advisory services around security and risk management – including a new set of advisory services around GRC strategy, development and management optimization. Now why does this warrant a post, you ask? Normally I don’t blog about EMC products and services; I write more about trends and models in GRC. But this is special.
Why? Because, simply put, this is a watershed event that marks a new way of helping our clients move up the GRC maturity curve. Whether you are part of an organization struggling to implement a coherent GRC program, a consultant advising others, or part of a product group related to GRC – you will know that getting all the pieces of a well-functioning GRC program to come together is a horrendous challenge for the best of us.
Not only do we serve GRC stakeholders from vastly different disciplines – enterprise risk management, corporate compliance, IT risk, security, privacy and audit, to name a few – but our industry also suffers from a vendor community that solves different parts of the problem in vastly different ways, using diverse approaches and terminology to conceptualize and communicate how they can help.
This causes huge problems for clients, who spend, and one could argue waste, a lot of time upfront and throughout projects just getting everyone on the same page with the same terminology. How many times have you had to ask: what do you mean by GRC? What exactly do you mean by a risk framework? How do you measure risk? In your world, what does a control standard represent? Our industry is still struggling to converge on common approaches and nomenclature, let alone solutions to the critical risk, security and compliance challenges facing us all.
EMC Consulting and RSA Archer have spent the last few years working closely together to understand what each of our teams does and how we bring value to our clients. Our clients have shared with us what works for them, and what doesn’t. The result is that we’ve developed a streamlined way of delivering advisory services that leverages a common approach across services and product:
GRC Program Strategy and Strategic Plan
- Provides a GRC Program design, based on business and regulatory requirements and stakeholder needs
- Provides GRC process ranking leveraging RSA Archer, supported by a business case and priorities for investments
- Provides a GRC Program Strategic Plan and Governance model
GRC Program Development
- Defines and implements a common process for specific risk and compliance use cases
- Rationalizes risk nomenclature, appetites, and metrics across silos
- Defines and implements common risk processes for context, identification, analysis, remediation, and monitoring
- Defines consistent monitoring, metrics, and reporting leveraging RSA Archer
GRC Management Optimization
- Defines and implements GRC processes, technologies and procedures leveraging RSA Archer
- Defines and implements a risk awareness program by and across stakeholder groups
- Manages transformations and ensures continuous improvement
- Provides executive-level reporting and support
- Presents demonstrated, consistent, and comparable progress against vision and goals
We believe that with these new EMC Consulting advisory services, GRC life just got a wee bit easier to live. For us, for our clients and yes, for the industry. The faster we converge on common or equivalent ways of solving our problems, the more we can expect superior outcomes in managing governance, risk and compliance.