In my last tip, we talked about governance, risk and compliance not as separate concerns, but as parts of a holistic or cohesive GRC framework. As with anything, concepts are important, but without a tangible GRC technology architecture to seat the concepts into reality, the outer bounds of their usefulness won't go beyond cocktail party conversation.
Prominent on President Barack Obama's agenda when campaigning for, then subsequently stepping into, the White House was transparency. Transparency has always been obvious to those of us in regulatory compliance; however, the 2008 campaign made it a household word. On Jan. 21, 2009, our newly inaugurated president issued a memorandum on transparency and open government, wherein he directed the chief technology officer (CTO) to coordinate the development of an Open Government Directive designed to accomplish his goals of transparency, public participation and collaboration.
Whether you agree with President Obama's policy or not, it's hard to disagree with the importance of transparency. What I'd like to highlight here is that he put the CTO in charge of this effort, which drives home the role he feels technology plays in the overall solution. I completely agree.
Architecting a system of transparency with the right technology is paramount for your integrated government, risk and compliance solutions. I'll give you a starting point here with some ideas to consider; however, I exhort you to experiment. By keeping the basic concepts and principles in mind, your compliance system can become very effective at accomplishing not only your compliance objectives, but also your strategic goals.
Holistic GRC frameworks: A quick review
Let's quickly review these concepts of an integrated system, and then we'll explore some architectural considerations (for an in-depth explanation, see my last tip on cohesive GRC frameworks.) Governance is concerned with the policies and controls that an organization has in place to ensure that its missions and goals are being accomplished. Risks are uncertain events that can derail the organization's success (i.e., interfere with governance objectives) and expose your organization to violations of outside concerns. Compliance involves processes and controls to make sure these risks either don't show up or don't adversely affect the organization, in addition to proving that these processes are being followed and these controls are effective.
The more integrated your governance, risk and compliance solutions, the more effective they will be. You could design silos with separate concerns, but the real power is in the relationships. That said, each component should maintain its autonomy of purpose. Do not integrate to the point where you cannot distinguish one subsystem from another. Just like quoting, order management, invoicing and collection systems all fit together to form a holistic quote-to-collect system with identifying subsystems, you'll want your governance, risk and compliance subsystems to fold nicely together but not purée.
Bringing governance, risk and compliance solutions together
To show you how this works, I'd like to use the example of organizational diversity. We can start anywhere, but I usually like to start at the top, with governance. When I work with leaders on diversity issues, it's for one of any number of reasons, but good leaders recognize that building diversity within the organization is a very strategic move. Cultivating a hodgepodge of talent from diverse backgrounds and cultures puts the organization at a distinct strategic advantage.
Consider you have a young, midsized company that's in hypergrowth, both in revenue and head count. Innovation is valued and used as a competitive advantage. Strategically, the company has determined that its driving force for the next three years will continue to be innovation, building on its current strength and increasing its competitive advantage. To do this, the company will double head count, with a constraint that the resultant organization be fully diverse.
Measuring results with your GRC solutions
The assumption here is that a more diverse group is more innovative, so you need to track this assumption (and others). You'll now create policies to make sure innovation is accomplished, and, consequently, a policy management system. Policies are formal statements of the way things should be. For instance, you could create a policy that out of 20 diversity classes, no one class should represent more than 7% of the total talent pool. Periodically, you will check your policy statements with objective data to make sure things are as they should be. The identification and tracking of these objective data points are all part of your policy management system.
Finally, build a set of plans and procedures that will ensure that your policy is maintained, and a system to make sure they're being followed. Next, install your risk subsystem by asking what could go wrong -- brainstorm with your team to uncover all the risks you can think of. Don't be naive; this should be a very long list. Characterize each risk with a probability, degree of impact, ability to detect and possible causes. Track all this data in your risk subsystem, and link it to your governance subsystem with a bridge between each policy or procedure, and all the risks that could interfere with its successful execution.
Finally, to build your compliance subsystem, you will now do a couple of things. First, you'll fortify the plans and procedures system you created for your governance subsystem, by exploring what procedures you can put in place to mitigate the risks you uncovered when building your risk subsystem. Second, you'll look at outside concerns, like the Equal Employment Opportunity Commission, to make sure your goals in diversity are in alignment with these federal laws. From these laws, you'll uncover additional risks that you might not have considered, which will reinforce your risk subsystem. To control these risks, you'll create more policy to reinforce your existing policy system. To finish your compliance subsystem, you'll create a system to collect, track and index evidence that will prove your innocence in an audit.
I hope this quick example shows you how governance, risk and compliance solutions can fit together to accomplish your strategic goals and keep you out of trouble. For governance subsystems, which ensure your strategic success, consider ways to measure your key performance indicators and track your assumptions, policies and procedures. For risk subsystems, catalog and track all the things that could go wrong with your policies, and mitigate these risks with controls in your compliance subsystem. Finally, reinforce everything by considering the regulations and standards from outside concerns, and build a compliance subsystem that proves you're doing all the right things.
If you have silos now (i.e., a separate compliance and risk system), look at ways to combine them using the principals presented here. If you're just beginning to construct a GRC system, I hope this article has given you some insights on how to get the most from your system by focusing on the integration points, not just the individual components.
This was first published in May 2010