Moving Up the Maturity Curve with a GRC Strategy Roadmap

by David Walter – May 10, 2010

If you attended any of our GRC Roadshows last fall or the Archer GRC Summit in April, you’re familiar with a predominant topic of discussion within the Archer Community: the need for a strategic roadmap to guide the implementation of an effective, sustainable enterprise governance, risk and compliance program. Our customers understand that GRC is not just about technology. It’s about bringing together people, processes and technology and defining a common vision for how these three elements work together. After all, the concept of GRC is all about collaboration to ensure that the business achieves its objectives and stays within the boundaries of the rules that govern it.

For many of our customers—both new and long-term—the need for a GRC roadmap stems from the desire to advance their program maturity from tactical to strategic and from isolated to collaborative. John Hagerty of AMR Research does a great job of describing how organizations move from “reacting” to “anticipating” to “collaborating” and finally “orchestrating” in the GRC Maturity Model. (For more on this, view a recent webcast with John.)

But how do you get from one phase of GRC maturity to the next? That’s the question many members of the Archer Community are focused on answering. Consider this survey data from last month’s Archer GRC Summit:

Participants indicated that their biggest business challenges include:

• Managing tactical implementations that need to align to a strategic roadmap for GRC
• Getting buy-in and maturing GRC processes
• Providing an end-to-end view of business processes, risks and compliance objectives

They also reported that current challenges impeding collaboration include:

• Dealing with organizational silos (91% of survey respondents)
• Overcoming a lack of communication (51% of survey respondents)

Even organizations with the most sophisticated technology platform at the heart of their GRC initiatives can struggle to advance their program maturity if they haven’t aligned their people and processes. This is where a strategy roadmap plays a huge role.

For those of you who are unfamiliar with a GRC strategy roadmap, it begins with identifying all of the business processes that fall under an organization’s GRC umbrella, determining the process owners and subject-matter experts, and getting those individuals together to discuss pain points, workflow, dependencies, complexity, desired future state and supporting technologies (or lack thereof). After the interview phase comes an analysis of each business process to identify opportunities for automation and to flush out redundancies. The results of these analyses are delivered to a cross-functional leadership team to facilitate a big-picture discussion of the organization’s GRC program—its vision, goals, components, stakeholders and underlying technologies.

Through these discussions, the organization defines a tactical, phased approach to GRC program implementation and frames a common strategy that will allow it to progress to a desired state of GRC maturity. This common strategy also enables collaboration across the organization. After all, no company has a Chief GRC Officer. There are many, many stakeholders involved, and the success of a GRC program depends on how well those stakeholders engage with one another to share information and integrate their efforts for a holistic view of risk and compliance across the enterprise. 

The Archer Community is pretty passionate about the GRC strategy roadmap, and many members are going through the roadmap process as we speak. A large number of our customers are also looking to the Archer team for guidance in this effort, based on our experience in helping some of the world’s largest and most influential companies build and mature their GRC programs over time. Our GRC Strategy Roadmap service takes customers through a six-phase project in a matter of weeks, not months, and the final deliverables include a formal strategy document and an Archer application through which the organization can manage its GRC program implementation over time.

I invite you to submit your feedback on the GRC strategy roadmap here on the Archer Blog. Specifically, I’d like to hear your thoughts on the questions below. Please note that your responses will be posted anonymously.

What are your biggest challenges in getting stakeholders across your organization aligned on a common GRC vision and strategy?

Have you developed a strategy roadmap for your GRC program? If so, what value have you seen from this initiative?


About Sarah Nord (Historical)

As Archer Marketing Communications Manager for RSA, The Security Division of EMC, Sarah Nord oversees the planning, development, delivery and analysis of strategic marketing programs. She also serves as senior writer and editor for RSA Archer marketing content, including web copy, press releases, data sheets, case studies and blog posts. Sarah holds a BA in Professional Writing and an MA in Writing from Missouri State University. She is also RSA Archer Certified.