Urgent is Loud, Important is Quiet
Are you listening to the quiet stuff?
In some of my earlier posts I talked about the factors that shape the challenges organizations face in implementing a sound Technology GRC program. As I mentioned, there are three types of factors:
- Environmental: those outside your control (covered in an earlier post)
- Strategic: how you choose to respond, and
- Operational: how your response is implemented.
I will talk about some of the strategic challenges that organizations face in formulating an effective Technology GRC program. These strategic challenges stem from:
- Where the organization sits, i.e. the product-markets that the organization operates in
- How the organization responds to such challenges, i.e. the leadership support given to initiatives that have no measurable ROI
- The culture of the organization, i.e. how it assigns responsibility and authority for data and technology governance.
Let’s look at all this in some more detail.
The Business Environment
The Business Environment that an organization operates in sets the stage for the type and complexity of the Technology GRC program that needs to be put in place.
The complexity of these programs is directly proportional to how dynamic the product-markets that the organization operates in are. The more dynamic the marketplace, the more the organization needs to keep changing to stay competitive in that market, and that makes the task of securing its technology assets that much more difficult.
The more dynamic the business environment, the greater the likelihood of ongoing digital transformation and interconnectedness in the organization.
Rapid technological advancements open new holes in existing defenses, thereby introducing new risks. All this requires an adaptable and scalable Technology GRC approach so that these new risks can be addressed on an ongoing basis.
Similarly, the complexity of the GRC program will depend on how many jurisdictions the organization operates in.
Take geography. If the company operates in multiple countries, it will be subject to technology regulations in each of those countries. In the US you may have to deal with SOC, HIPAA, HITECH or one of the many other regulations. In Europe it may be GDPR and ISO. In India it is RBI, SEBI, IRDAI and many others.
Or, if you operate in multiple business domains (jurisdictions), you will be subject to the regulations specific to each industry. If you offer insurance products, you may be subject not only to insurance regulations such as the NAIC Insurance Data Security Model Law in the US or the IRDAI guidelines in India, but also to banking and other FinTech regulations.
What a complex web we weave!
Organizational Leadership and Commitment
Important always takes a back seat to urgent.
One of the more challenging aspects of putting a Technology GRC program in place is that there is no direct ROI. There is no upside like increased revenue or cost savings. There is, however, a significant potential downside IF there is an ‘event’.
And that ‘IF’ is what makes it challenging. It requires strong leadership commitment to programs that have no clear, quantifiable ROI.
It is not enough for organizational leadership to recognize the need for a strong Technology GRC program, because the existing environment and culture are often not conducive to the success of such a program.
Some examples of the cultural challenges faced while building such programs are:
- The absence of a justifiable hard ROI makes it difficult to communicate the value of such programs. A quantifiable ROI cannot be calculated because the risks are not very clear or apparent.
- We have very often found that there is no clear GRC leadership with the necessary wide-ranging authority to establish and manage such programs.
- Very often GRC is sacrificed at the altar of growth: the tyranny of urgency.
- Existing GRC initiatives are fragmented and siloed. This is counterproductive.
All these challenges can be overcome with clear and decisive leadership action. But more about that in future blog posts…
Organizational Culture
The managerial and operational leadership also faces several cultural challenges in implementing and managing a successful Technology GRC program. Some of these organizational and cultural challenges are:
- Not enough importance and attention is given to Technology GRC tasks. They are always thought of as something that can be taken care of tomorrow.
- There is no single person who oversees Technology GRC and has the necessary authority to take decisions. As a result, there are multiple stakeholders with competing objectives. This is exacerbated by a lack of collaboration and an inherent resistance to change.
- GRC efforts are quite often not adequately funded with time and resources. These efforts often take a back seat to more urgent operational imperatives.
- Technology GRC is seen as a task, not an ongoing process. This is very harmful to meaningful Technology GRC implementation and adoption.
- Additionally, where they exist, GRC frameworks are geared to traditional static technology environments, not to an evolving and adapting infrastructure.
- Teams are not aware of GRC and are not adequately trained in it. As a result, they don’t know what their role in the GRC process is.
These strategic factors that came to light in my discussions with people in the industry showed that there are significant challenges to implementing a successful Technology GRC program. In short…
Businesses prioritizing growth over governance; the difficulty of justifying an investment that gives no clear, quantifiable return; a lack of clear leadership on technology GRC issues; and fragmented, one-off approaches to technology GRC based on expediency all present significant challenges to the success of Technology GRC initiatives.
This showed very clearly that…
‘Important’ always takes a back seat to ‘urgent’ because it does not scream from the rooftops.
Are you listening to the quiet stuff?