Eight actions to help re-think your approach
Leaders of governance, risk and compliance management (GRC) programs are facing a complex set of challenges. On the one hand, the investments in these programs are under scrutiny for the value they deliver. At the same time, there are systemic shifts in geopolitics, climate, economy, human capital, technology, and healthcare that develop into unprecedented risks. Through all these, the GRC leaders such as yourself must consider that their programs enable their organizations to provide trust and assurance to the stakeholders involved. These challenges typically result in organizations left with having to do more with significantly less. This includes less resources, less funding, less people and mostly less motivation. However, not all needs to be negative. If you can embrace this challenge and use this moment to take a set of pragmatic actions, they stand a chance to seize the opportunity to reset their program’s trajectory. All it takes is have a mindset that focuses on self-awareness, see through chaos, and reframe problems as opportunities. Below are a set of 8 such actions that you can start taking today.
1. Purpose: Start with reflecting on why you took this role and recast the value you promised yourself and the organization you work for. It’s likely that the vision and purpose you have now has evolved and matured along with the business environment changes and needs.
2. People: Think about the organization and alignment of your team. This is a good time to rearrange the deck and give the right opportunities to the right people, allowing your team to re-define and elevate their purpose by taking on roles that are meaningful to them and value-add to the organization. You could have all the tools and budget, but without people executing some of the tasks alongside your tools, the value of your program will never be fully optimized to its maximum potential.
3. Processes: Mine for processes you have in your program and determine their relevance today and for the next 12 months. For example, review your control attestations, risk assessments, and control testing activities to determine if they are providing the adequate insights and visibility to inform proactive business decision making and action. If they are not adding value, then consider re-engineering them to reflect the realities your organization is facing.
4. Foundational data: When was the last time you mapped your controls to regulatory requirements? Or mapped your risks to assets? Now is a good time to look at the current regulatory landscape, prioritize the new needs and evaluate if your assets, risks, and controls are unified and up to date. Being proactive will prepare you for any future audits that you may face.
5. Stale data: Is your issue inventory looking bloated? Are you tracking risk and controls that may no longer be reflective of the organization’s risk profile? Perhaps it’s time to allocate resources to rationalize and purge this data as necessary to help ensure that you are focused on managing the right risks, controls and issues the organization faces going forward. Additionally, this would be a good time to archive, retain or discard data in line with your retention standards.
6. Technologies: If you find yourself spending hours to cobble together a risk or compliance report from multiple data sources, or that the data you are gathering is outdated and difficult to aggregate, it might be time to think about the toolset supporting your program. Devise a plan to steadily migrate to newer and more modern ways of leveraging technologies and integrations that focus on simple and intuitive processes. You do not have to buy it all now, but a plan gives you the confidence to think strategically.
7. Creativity: Allow yourself and your team time to breathe and think creatively. Host an offsite team event or a hackathon to spark new ideas. With refreshed minds comes new innovative ways of thinking and working that will provide better results more efficiently.
8. End User Focus: Listen to your customer and understand what is working well today and what can be improved. Getting external feedback outside of your team will help prioritization of features and improvements to the overall program and will deliver true value to the organization.
The checklist above should give you the ability to reset and provide visibility to where you are spending time and resources and reallocate them effectively. Through these actions and utilizing modern technologies such as automation, cloud, analytics, and integrations with relevant external intelligence, you can set the program and yourself on a course with clear vision and aspirations. Most importantly, you can establish a program that can not only answer complex questions when they come up, but anticipate complete questions for scenarios that are yet to come up.