GRC a matter of optimisation, alignment

By Tracy Burrows
Johannesburg, 18 Feb 2013

Governance, Risk and Compliance Conference 2013

At the second annual Governance, Risk and Compliance Conference, business leaders will learn how to govern IT for increased business value.

Approaching governance, risk and compliance (GRC) matters may seem daunting, but companies are already managing some form of GRC processes without even realising it.

This is according to Gennaro Scalo, EMEA GRC lead for RSA, the Security Division of EMC, who says effective GRC can be seen as a big problem and a big project. However, most organisations already have GRC processes in place.

"Organisations may not realise they are already doing it. An effective GRC programme is about optimisation and alignment. Organisations should look to understand what the many forms of GRC look like and agree on a common and consistent approach.

"They are likely to discover there are very actionable things the organisation can do, or which are already in place, to support the overall GRC programme.

"Many enterprises may over-think it, and try to address all the issues at once. But if one embarks on a project to address the gamut of governance, risk and compliance, one could be years down the road before one begins seeing benefit."

He continues: "Our advice is to start by looking for 'quick wins'. Find where in the organisation one can deliver the quickest value and start by tackling this area. The starting point will vary according to the organisation - but many organisations start with policy management, such as the processes for managing exceptions. One may discover that by centralising and automating exception management, one can have an impact on the entire enterprise and lay a good foundation for growing the GRC programme over time."

Other places organisations may choose to begin are with the management and reporting of deficiencies, he adds.

"It's small in the sense that you can understand it, but big in that it delivers real business value," he says. In one example, a financial company chose to start with the deficiency management processes because it touched many areas of the business. Centralising and automating this process enabled greater accountability and visibility, resulting in more efficiency that fostered collaboration across the business. This resulted in savings of time, money and resources. No matter the starting point, these are the outcomes an organisation should expect from a quick win.

Scalo says GRC success also requires alignment between IT and business. "Often IT is seen as a cost centre, but every organisation today relies on IT to deliver its goods and services. The closer they can align their IT infrastructure to their business needs, the greater their success will be in GRC," he says. This enables organisations to increase productivity, foster sustainability and make better business decisions.

Scalo will address the upcoming ITWeb Governance, Risk and Compliance conference on achieving GRC success within a business.