Last week we talked about how GRC is transforming from an ad hoc, rationalized stage to a more mature, optimized stage that leverages real-time information and gives us dynamic GRC. But what does that really mean? Earlier in the What’s the Hoo Ha about GRC series we talked about Seeing, Understanding and Believing as the concepts that usher in this new era. So, let’s take it apart. What’s the deal with Seeing?
Quick review:
Seeing. As many commenters on this blog point out, we need visibility and transparency to see our current exposure and give us the confidence not only to manage risks within our appetite but to exploit new opportunities with quantified risk. The line of sight from a business or regulatory requirement deep into embedded controls has to be relatively unbroken and unobstructed. It’s complex – and difficult – but not impossible to see through the web of our hyper-extended, deeply-stacked, dynamic and increasingly virtual organizations.
Simple pie charts sitting on a single repository simply aren’t going to be enough. Dynamic GRC needs really good navigation, visualization, data management and analytics, where we can literally see a model, heat map or trend line and use the combined power of our intuition and analysis to gain the insights we need to construct better decisions. Here we take a lesson from business intelligence and apply it to GRC. We need to be able to see the key risk indicator (KRI) on, say, the supplier management system approaching a service level agreement (SLA) threshold, then drill down, slicing and dicing through the stack from the application layer to the network and server technology assets and controls, all the way to the root cause. Let’s look at the key differentiators – navigation, visualization, data management and analytics:
Navigation is different. Today, many GRC apps use a simple web browser with a hierarchical tree to drill down from, say, an organizational unit, to the business processes or assets within that unit, to perhaps some key risks and then to the controls that may be failing for those risks. But really, that isn’t enough in a world where control states and other measurements are harvested in real time from IT management systems. Think: multi-dimensional traversal, and mash-ups from many sources.
Visualization is different. Not just pie charts and reports. Visualization is better because the underlying GRC intelligence is better. Think: maps with overlays that show you where your greatest risks are geographically or by business process, with drill down to near-real-time data.
Data management is different. Not just a central, hierarchical data repository. Dynamic GRC needs federated data sources – metadata pointers to where the information lives, in real time. This requires Master Data Management so that different versions of the truth are reconciled. Think: a web of information and smooth, direct traversal.
Analytics are different. Not just database queries and simple risk calculations. Dynamic GRC relies on rich, granular data that can be sliced and diced as business intelligence. Think: What-if scenario modeling and sensitivity analysis, where you can see the effect on risk of tightening or loosening a control before there is an impact.
Why is dynamic GRC important? Because we can’t afford glacial reports that are frozen in time – we need near-real-time ‘seeing’. In today’s economy, where new investments need to show ROI within quarters, we need to use what we already have. This is not rocket science – performance management systems for the business and resource management systems for IT have this information and are increasingly leveraging this kind of ‘seeing’. Why should GRC be starved? It’s part of the natural convergence between performance management and GRC. And don’t you think it’s part of our responsibility as GRC stakeholders to drive awareness and make these kinds of major improvements that truly add value to our organizations?
Next time let’s talk about the next critical concept in dynamic GRC: Understanding.