Back to School with GRC
Remembering What You Already Know
As the last breath of summer exhales and everyone who goes to school is back in the classroom, a few memories of my own formal education days have resurfaced. Regardless of the grade level or area of study, lessons from prior years (curriculum-based or otherwise) always seem to emerge.
No matter the year, those first days of class would result in me questioning, and sometimes worrying—will lessons learned in prior years apply to the present? How well would I remember what I already knew, or did I forget what I was supposed to have learned?
After watching a few yellow buses perform perfect stop-and-go maneuvers in my neighborhood, I reflected on how beneficial those annual reviews were, and then the many intricacies of GRC came to mind—along with a couple of stories—and I thought a review of governance, risk and compliance might be useful and valuable. Kind of like a back-to-school process.
First a Story
I recently had a conversation with someone while walking them through how to best review and update the scoring and rankings tied to a vendor risk assessment. While talking through the assessment updates, a question came up: Why go through and document further due diligence activities if you know a vendor will ultimately be onboarded?
This person was in charge of vendor management processes: onboarding, assessing risk, making sure that all of the T’s were crossed and all of the I’s were dotted. Still, I found myself having to remind them of a worst-case scenario—a vendor-based data breach resulting in the exposure of sensitive company, client or personal information.
After bringing that up, I posed the question, “What would happen if you couldn’t prove proper due diligence and vetting took place prior to onboarding a vendor?” That led to a more in-depth discussion on how to best record and preserve those types of vendor due diligence activities going forward, as well as how to incorporate more robust GRC processes altogether. It was a good review.
Now for the GRC review (it’s the start of the school year, right?). Are you putting together a platform? Reviewing what you already have? Here’s a list of things to make sure you have, or are going to have, in your GRC platform:
- Risk management tool
- Controls (know what they’re for)
- Vendor risk
- Audit functionality
- Other solutions as required by your company’s processes
Once the tools are in place, ask yourself these questions: Are different levels of risk tied to your company’s objectives? And from there, are there controls in place that are helping you manage these risks? Are you essentially mitigating them? Are you accepting them? There’s also a risk response element. In short, make sure you have everything covered, and then make sure again.
Do Things This Way
For all that you do and are trying to accomplish with your platform, there has to be some form of accountability for how it is used within your company. That means validating the controls, testing procedures and risks, etc.
Without accountability, without the audit element of someone coming in and saying, “Here is what is supposed to be done,” you will find yourself missing a key letter in GRC. That is where gaps come into play. You have to have all three of the components synced together—Governance, Risk and Compliance—to make sure everything is working and running as intended.
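The checks described above (risks tied to objectives, controls behind each mitigated risk, a documented response, and preserved vendor due-diligence evidence from the earlier story) are easy to state and easy to skip. The following is an added example, not code from this post or from Onspring, that encodes those checks as a gap finder over a small, constructed risk register; every name, field and sample value in it is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Accepted risk responses (assumed vocabulary for this example).
RESPONSES = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Control:
    control_id: str
    purpose: str                   # "know what they're for"
    last_tested: Optional[str]     # ISO date of the last test, None if never tested


@dataclass
class Vendor:
    name: str
    onboarded: bool
    # References to stored due-diligence artifacts (questionnaire, report ref, ...)
    due_diligence_evidence: List[str] = field(default_factory=list)


@dataclass
class Risk:
    risk_id: str
    description: str
    objective: Optional[str]       # company objective this risk threatens
    response: Optional[str]        # one of RESPONSES, or None if undocumented
    control_ids: List[str] = field(default_factory=list)
    vendor: Optional[str] = None   # set when the risk comes from a third party


def find_gaps(risks: List[Risk], controls: Dict[str, Control],
              vendors: Dict[str, Vendor]) -> List[str]:
    """Return one human-readable line per gap found in the register."""
    gaps: List[str] = []
    for r in risks:
        if not r.objective:
            gaps.append(f"{r.risk_id}: not tied to a company objective")
        if r.response not in RESPONSES:
            gaps.append(f"{r.risk_id}: no documented risk response")
        if r.response == "mitigate":
            # A mitigated risk with no control behind it is a gap, as is an
            # untested control: nobody has checked it does what it is for.
            if not r.control_ids:
                gaps.append(f"{r.risk_id}: marked 'mitigate' but has no controls")
            for cid in r.control_ids:
                c = controls.get(cid)
                if c is None:
                    gaps.append(f"{r.risk_id}: references unknown control {cid}")
                elif c.last_tested is None:
                    gaps.append(f"{r.risk_id}: control {cid} has never been tested")
        if r.vendor:
            v = vendors.get(r.vendor)
            if v is None:
                gaps.append(f"{r.risk_id}: references unknown vendor {r.vendor}")
            elif v.onboarded and not v.due_diligence_evidence:
                gaps.append(f"{r.risk_id}: vendor {v.name} onboarded without "
                            "preserved due-diligence evidence")
    return gaps


def sample_gaps() -> List[str]:
    """Run find_gaps over a constructed register (made-up data)."""
    controls = {
        "C-01": Control("C-01", "Encrypt client data at rest", "2024-03-01"),
        "C-02": Control("C-02", "Quarterly vendor access review", None),
    }
    vendors = {
        "Acme Payroll": Vendor("Acme Payroll", True,
                               ["questionnaire-2024.pdf", "assurance-report-ref"]),
        "Quick Print": Vendor("Quick Print", True, []),
    }
    risks = [
        Risk("R-01", "Client data exposure", "Protect client data", "mitigate", ["C-01"]),
        Risk("R-02", "Print vendor mishandles documents", "Protect client data",
             "mitigate", ["C-02"], vendor="Quick Print"),
        Risk("R-03", "Payroll vendor outage", None, None, [], vendor="Acme Payroll"),
        Risk("R-04", "Minor office downtime", "Business continuity", "accept"),
    ]
    return find_gaps(risks, controls, vendors)


if __name__ == "__main__":
    for line in sample_gaps():
        print(line)
```

Run as a script it prints the four gaps in the constructed register: R-02 relies on a control that has never been tested and on a vendor onboarded with no preserved evidence, and R-03 has neither an objective nor a response. R-04 produces nothing because an accepted risk legitimately has no controls; the point is that the response is recorded, not that every risk is mitigated.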
Always Remember This!
I’ve seen too many organizations, regardless of their maturity, not ask the essential question—why? Why is our process like this? Why is there inefficiency here? Why are teams not communicating?
Never stop asking, “Why?”
Whether you are a 10-person shop or a multi-billion-dollar organization with thousands of employees, if you don’t ask the question, “Why?” inefficiencies, breaches, missed risks and vulnerabilities can emerge that could significantly impact the organization.
Out of everything I’m sharing, I want to stress this most of all, so I’ll repeat it: Always ask, “Why?” Make it a point on an annual basis to review your processes and GRC program as a whole. Maybe select one or two things. Or if you’re ambitious, go through the full review process.
Regardless, every 12 months make sure you know the answer to “Why?”
Making the Grade
My background in the GRC space consists of consulting on multiple platforms. I’ve seen siloed solutions, poor communication and a lack of GRC processes across the board. Of all the platforms I’ve worked on and the different clients I’ve worked with, there’s one tool in particular that started to make its mark: I’m proud to say it’s Onspring.
Every company and industry has nuances. The one thing that I do not want to tell organizations is, “Sorry, you have to change your processes to fit our tool.” A company should be able to mold its processes around a GRC platform, not the other way around.
Onspring, I am happy to say, has the ability to shape and conform to a company’s GRC needs.
Our GRC platform allows you to target specific areas, pinpointing the data that you care about while tailoring it so clients can consume large data sets. It’s also fast—through reporting, dashboards, being able to export reports, print entire dashboards, or put together an annual review of audit processes—it does it all.
Onspring, as we like to say, is on it—the straight A’s platform.