
GRC Maturity: Results + Reach = Value


Today’s business environment is fraught with risk. Economic, technology and market conditions affect organizations on a daily basis. The constantly “changing risk landscape” is a discussion point in headlines, industry forums, media outlets and board rooms. We are moving to a world where risk management will become the primary source of competitive advantage. Rather than avoiding risk, organizations need the ability to embrace risk with confidence.

Risk management will become the core capability which separates winners from losers. Organizations that understand and manage risk effectively will prosper, while those that cannot will fail. Success starts with the ability to manage operational risk in a manner that frees up resources to focus on the company’s long term, strategic objectives. This does not happen overnight.

Executives need relevant, up-to-date information to pursue the right opportunities. But, they also need a balanced approach to manage the major risks facing the organization to acquire the insight to make the right business decisions, address risk and explore new opportunities with predictability. A governance, risk and compliance (GRC) program is the backbone that keeps the organization prepared to manage issues and reduce risk. A GRC strategy that focuses on sharing data, leveraging processes and breaking down organizational barriers builds efficiencies across the organization to effectively transform compliance, manage risk and exploit opportunity.

Whether executives like it or not, all risk and compliance functions are expected to add value to the organization. These days, you cannot invest in anything that does not bring value to the company. Risk and compliance functions are no different. You can gauge your GRC program’s value by two simple measurements, and the first is results. GRC programs are expected to drive a constant increase of effectiveness in managing risk and compliance. The second measurement is reach. As the risk and compliance function matures, ideally it protects more and more of the organization. These two factors, as they increase, are key measurements of the risk and compliance function and how it brings value to the organization.

Organizations are looking to improve their results and expand their reach by maturing programs beyond check-the-box compliance. They must mature from first meeting the company’s compliance obligations, progressing to managing risk and, ultimately, reaching the point where the organization can use compliance and risk as a competitive advantage, truly bringing value to the organization by helping drive opportunity.

I invite you to join me at ISACA’s 2015 North America CACS conference to explore this topic in more depth in my presentation titled “GRC Maturity Models.” I hope that these ideas will help you find conversation tools that help you determine your path to a mature, sustainable GRC program that helps fuel your enterprise toward opportunity.

Steve Schlarman, CISM, CISSP
GRC Strategist, IT and Security, RSA, The Security Division of EMC