Back to school on GRC
Re-learning Governance, Risk & Compliance Fundamentals
I recently had a conversation with someone while walking them through how to best review and update the scoring and rankings tied to a vendor risk assessment. While talking through the assessment updates, a question came up: Why go through and document further due diligence activities if you know a vendor will ultimately be onboarded?
This person was in charge of vendor management processes: Onboarding, assessing risk, making sure that all of the T’s were crossed, all of the I’s were dotted. Still, I found myself having to remind them of a worst-case scenario—a vendor-based data breach resulting in the exposure of sensitive company, client, or personal information.
After bringing that up, I posed the question, “What would happen if you couldn’t prove proper due diligence and vetting took place prior to onboarding a vendor?” That led to a more in-depth discussion on how to best record and preserve those types of vendor due diligence activities going forward, as well as how to incorporate more robust GRC processes altogether. It was a good review.
Now for the GRC review
Are you putting together a platform? Reviewing what you already have? Here’s a list of things to make sure you have, or are going to have, in your GRC platform:
- Risk management tool
- Controls (know what they’re for)
- Vendor risk
- Audit functionality
- Other solutions as required by your company’s processes
Once the tools are in place, ask yourself these questions:
- Are different levels of risk tied to your company’s objectives?
- And from there, are there controls in place that help you manage these risks?
- Are you mitigating them? Are you accepting them? Each risk also needs a documented risk response.
In short, make sure you have everything covered, and then make sure again.
Plan for accountability
For all that you do and are trying to accomplish with the use of your platform, there has to be some form of accountability within the confines of using it within your company. That means validating the controls, testing procedures and risks, etc.
Without accountability, without the audit element of someone coming in and saying, “Here is what is supposed to be done,” you will find yourself missing a key letter in GRC. That is where gaps come into play. You have to have all three of the components synced together—Governance, Risk and Compliance—to make sure everything is working and running as intended.
Remember communication
I’ve seen too many organizations, regardless of their maturity, not ask the essential question—why? Why is our process like this? Why is there inefficiency here? Why are teams not communicating?
Never stop asking, “Why?”
Whether you are a 10-person shop or a multi-billion-dollar organization with thousands of employees, if you don’t ask the question, “Why?”, inefficiencies, breaches, missed risks and vulnerabilities can emerge that could significantly impact the organization.
Out of everything I’m sharing, I want to stress this most of all, so I’ll repeat it: Always ask, “Why?” Make it a point on an annual basis to review your processes and your GRC program as a whole. Maybe select one or two things. Or, if you’re ambitious, go through the full review process.
Regardless, every 12 months make sure you know the answer to “Why?”
Making the Grade
My background in the GRC space consists of consulting on multiple platforms. I’ve seen siloed solutions, poor communication and a lack of GRC processes across the board. Of all the platforms I’ve worked on and the different clients I’ve worked with, there’s one tool in particular that started to make its mark: I’m proud to say it’s Onspring.
Every company and industry has nuances. The one thing that I do not want to tell organizations is, “Sorry, you have to change your processes to fit our tool.” A company should be able to mold its processes around a GRC platform, not the other way around.
Onspring, I am happy to say, has the ability to shape and conform to a company’s GRC needs.
Our GRC platform allows you to target specific areas, pinpointing the data that you care about while presenting it in a way that lets clients consume large data sets. It’s also fast: reporting, dashboards, exporting reports, printing entire dashboards, or putting together an annual review of audit processes—it does it all.
About the author
Jason Rohlf
Vice President at Onspring
20 years internal audit and GRC experience