Dos and don'ts for IT GRC success
DO agree on an IT-GRC implementation strategy. Moving disjointed, manual processes into an automated, centralized tool is an enormous undertaking. While a giant boa constrictor can unhinge its jaw and swallow a large mammal whole, that strategy is not advisable for your enterprise.
Choose a high-priority area for your initial implementation, preferably one that will produce a quick ROI. This gives you a record of success to build on, gives you and the users a working knowledge of how to use the software and assess its value, and lets them share that knowledge with others. Take a top-down approach that will serve as a model as you expand, rather than a controls-centric tactic that won't scale well.
This first deployment should be initiated in the context of a larger plan for rolling out IT GRC across the enterprise. After all, the goal is a centralized, automated, standards-based, enterprisewide deployment.
"Initiate a GRC road map, looking at all different GRC processes," says RSA Archer's Aldrich. "Where do I need more help in terms of automating processes? Where can I increase speed by getting more information and make sure it becomes valuable to the business?"
DON'T neglect the stakeholders. IT GRC is a massive undertaking. It cannot succeed unless the people who are expected to use the tools effectively are intimately involved in the process. They know where the pain points are and how the processes work, they understand the business risks and potential benefits, and they are familiar with the policies, controls and compliance obligations.
Stakeholders include (but aren't limited to): IT operations and security, enterprise and operational risk, business continuity and disaster recovery, IT audit, general audit, and corporate compliance.
"You also want feedback from the lines of business," says Rasmussen. "They have to interact with the system. Look for champions out there."