As IT Leaders we are always looking forward to our next challenge, the big project that looks impossible at the beginning, but which through our superhuman efforts turns into a technical and business success story. This is all great, but we do need to be careful because there’s one big project out there that could do us in – governance, risk and compliance (GRC).
Looks Like You Need A Strategy
When they come looking for you to work on the company’s GRC project, I don’t want to say that you should start running in the other direction, but you should at least be careful about what you agree to. A GRC program gets started when the company finally wises up and realizes that it needs to use its IT systems to manage governance, risk and compliance issues. If this sounds straightforward, it isn’t.
Our world is filled with lots of compliance requirements depending on what business your company works in: Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), etc. However, this is just the tip of the iceberg – there’s a lot more where those came from.
If this project is going to be successful, you’re going to need to have a strategy. This will not be an IT-only project; it’s going to take both IT and the business working together to do it correctly.
Why Is GRC So Hard To Do Right?
What sounds simple on the surface quickly turns complicated when you start to dive into the details. The two areas that seem to create the most conflict for IT Leaders are creating the rules and privileges that determine who can access what information, and agreeing on where company data will be stored.
From an IT point-of-view, one of the most important things that you can do is to take the time to actually identify the owner of each part of the company’s data set. The owner should be a business role, not the IT team that runs the system the data lives in. Once you know who owns the data, you will have found the right person to make decisions about who may access it and where it will be stored, and the right person to sign off on those decisions when the discussion gets heated.
The Four Types Of Risk
As you undertake a GRC project, you need to keep in mind that not all risk is created equal. The four primary risk challenges that you’re going to end up dealing with are:
- Business Risk: these are the risks that could bring the business to its knees. They can include risks to the products and services that it sells, and to any intellectual property or critical business records that are used to create / deliver those products. The ultimate source for identifying which business risks you have to worry about needs to be the business side of the house.
- Technology Risk: There is no way that you can possibly protect all of the company’s data to the same degree, so you need to do some prioritization. Knowing which data matters most, and what it would cost the business to lose it or have it exposed, is the information you are going to need in order to build the right infrastructure and determine exactly how to protect the data that needs to be protected.
- Legal (or Regulatory) Risk: Since the legal regulations that apply to your business change all the time, this area can be challenging to stay on top of. The most important thing that you can do is to establish clear processes and procedures that line up with the existing regulations. The ability to show that you are compliant, with evidence that an auditor can check, is key.
- External Risk: These are the threats that get the most press, and so we generally do the best job of dealing with them. The most important thing to remember is that outsiders are generally trying to get their hands on your company’s data, so you’ll want to make sure that you secure what you have and properly dispose of what you no longer need.
What All Of This Means For You
Are you up for a major IT challenge? GRC is becoming a hot topic in IT and sooner or later they will be coming to you and asking you to help implement the company’s GRC project. You need to be ready.
The biggest challenge presented by a GRC project is finding ways for IT to work smoothly with the business side of the house. Creating rules to restrict who can access what data, and then determining where that data will be stored, will generate some very heated discussions.
The thing about a GRC project is that failure is not an option. Using the company’s IT systems to properly secure the company’s assets is a major challenge. If you and your team are able to accomplish this project successfully, you will have shown the company that there’s nothing that you can’t do.
Question For You: Who should lead a GRC project – the IT team or the business team?
What We’ll Be Talking About Next Time
It sure seems as though the pressure on IT managers to deliver more business value isn’t going to go away anytime soon. If only there was some methodology that we could use to unlock all of that business value that we know is within the IT department. Oh wait, there is: it’s called the IT-CMF.