Why a GRC Framework?
Good governance, risk, and compliance management has become a key operating imperative for many organizations, both large and small. Boards and executives alike struggle to gain better visibility into their true risk and compliance profile in order to prioritize spending on remediation of risks. Having a coherent, integrated GRC management framework is table stakes for good GRC program management – and it can really accelerate an organization’s ability to respond to increased pressure to gain real visibility into its true risk and compliance profile.
A Simple Framework
Here’s a simple diagram (well, maybe not so simple... unless you just look at the headings) that covers the main elements of a GRC Framework.
Let’s look at each of these layers and try to get at the essential elements and value:
1. Organizational Framework and Governance model – An active governance structure that drives accountability into the day-to-day operating fabric ensures business owners have the proper degree of granular visibility into risks that really matter. Armed with options on what to do about them, business owners can make intelligent decisions on what remediation efforts to fund.
2. Risk Profile and Reporting Framework – A set of rationalized processes for the prioritization of key risk and compliance requirements supports GRC reporting across the organization, and to the board. A practical categorization of risk types, threat communities, information, and data classification brings context to risk reporting and decision-making.
3. GRC Diagnostics – Qualitative and quantitative assessments that follow a common risk and compliance identification and analysis process, supported by consistent controls reviews and testing, provide objective diagnostics required for meaningful decisions on treatment strategies.
4. Risk and Compliance Monitoring Program – Monitoring policies, controls, threats and vulnerabilities against standards and acceptable thresholds provides visibility into risk and compliance profiles on a consistent basis. Key Performance Indicators (KPIs), Key Risk Indicators (KRIs) and Key Control Indicators (KCIs) provide early warning alerts that permit organizations to be proactive in their response.
5. GRC Program Optimization – Continuous improvement, communication and awareness programs drive adaptation as the external environment presents new and emerging risks and compliance requirements. Knowledge sharing across stakeholders on the appropriate best practices supports evolution to a target maturity level that is optimal for the organization.
6. Technology Enabling Platform and Tools – A technology ecosystem that supports a central, secure repository of requirements, policies, control standards, risk analysis, and control test results provides a solid foundation for streamlined workflow, analytics, and reporting.
A well-designed and coherent GRC Framework helps organizations prioritize and respond to risks and compliance requirements with a collaborative and efficient governance process.
Call to Action: An exercise I often use with clients is reviewing the framework, element by element, and marking it up with red, yellow and green to see where your organization is weak – and then looking at which elements will be key enablers for your GRC Program. Using a GRC Framework model in this way helps prioritize what you need to focus on now in order to deliver real value.
Try this: Review this GRC Framework (or something like it) with some of your key stakeholders and get their assessment of what’s truly important, what they would like to see good progress on, and how they can help. At the very least, you’ll get another perspective on priorities and needs that will keep you driving your GRC program in the right direction.