To build a successful enterprise governance, risk, and compliance program, companies need a solid roadmap that aligns people, processes, and information.

David Walter, RSA director for Archer eGRC Solutions, discussed ways in which companies can achieve that during a seminar at Compliance Week's annual conference in Washington, D.C., this week.

There are many different maturity models around governance, risk, and compliance, said Walter. To assess where your company is in the GRC maturity lifecycle, consider these four main stages:

Stage 1: Reaction mode. This stage is where most companies were when Sarbanes-Oxley came out. It treats GRC as a project rather than a program, and is about getting to a state of compliance without really understanding it from a strategic point of view, explained Walter.

Stage 2: Anticipation. This is where most organizations are today, he said. It forces the question: What’s going to be on the horizon that you’re going to have to react to and need to comply with in the future? “From an anticipating perspective, we’re understanding not only what we need to react to, but also how to make us more efficient at that reaction.”

Stage 3: Collaboration. This stage is about combining risk management and audit management, as well as identifying global risks and prioritizing those functions.

Stage 4: Orchestration. This final stage is about managing in unison and working together to achieve GRC, which means being “sustainable, consistent, efficient, and transparent.” Using platforms that enable transparency is one example of the orchestration stage.

Walter also discussed how to get to a strategy tactically. Typically, no single GRC officer manages all of these functions. As such, consider having a steering committee, he suggested.

“If you don’t have the facility to enable that to happen at the management level, and having management buy in, how can you make GRC happen?” he asked. So having a committee structure that enables that conversation about doing GRC is going to be essential. “Every company that I have seen be very successful in GRC has had that type of approach,” he said.

GRC Roadmap

There are four steps that make up the GRC Roadmap. The first step is planning. This step covers committee organization and committee structure, and defining which processes are going to be included in GRC. The key word is process and, “wrapped around that process are people and technology.”

Since people are part of the processes, “identifying champions within those processes is going to be essential.”

The second step is discovery. This step is “really understanding and guiding those processes.” Because process is essential, you need to understand the elements of the process; this means understanding who the people involved are and what information is involved, he said. Dependency is also key: having an effective audit component in order to understand the risk of the organization.

The final two steps, three and four, are analyzing and publishing the data.

--Jaclyn Jaeger