What Is FUD?
FUD!! In today’s constantly and rapidly changing business world, the terms “Fear”, “Uncertainty”, and “Doubt” (FUD) are often used to
How often have you seen your Governance, Risk, and Compliance (GRC) program fail to achieve your expected objectives? How many times have you needed to redo your GRC program. Why is it that my IT GRC, or some other siloed GRC program, does not support my enterprise business needs? Why do I find my organization recreating GRC programs time and time again?
Enterprise GRC forms the backbone of all organizations. It is core in defining the company’s goals, supporting strategic objectives and ensuring ethical operating practices and regulatory compliance, with risk being the guiding principle.
Too often, GRC emphasis is on compliance with regulatory requirements. It becomes a cudgel to keep personnel “inline”. If your personnel feel that they are being continuously monitored and sanctioned for non-compliance, their efforts will focus on avoiding being called out and embarrassed. How does strict compliance encourage innovation? Where are the incentives for personnel to identify new opportunities and the freedom to introduce them for a measured risk assessment? And speaking of risk, this brings me to the next failure in GRC – effective risk management.
Risk management shouldn’t be only focused on addressing threats. Effective risk management is about creating business improvement opportunities. The key term here is improvement. What can you do to improve the business? True, reducing threats can improve the business but how do I allocate my limited resources to enhancing the success of new business endeavors while reducing threats to me? You do this by creating an open and transparent risk management program. A well implemented risk management program encourages your people to collaborate and exchange ideas about both opportunities and threats. In this manner, your organization can quickly identify issues with common roots and prioritize solutions having the greatest benefit to you. You evaluate opportunities and threats in the same manner and rather than having personnel view risk management in a negative light, they come to appreciate it as a method of improving their jobs.
This brings me to the last component of GRC – governance. In an underperforming GRC program, the governance component is focused on defining the rules that personnel shall or must follow. How many policies have you seen that state: “You shall / must adhere to requirement X or Y”. While these statements are acceptable and necessary in meeting legal and legislative requirements, they do not provide the important guidance needed to support your personnel.
Think of governance as the ring within which your people are allowed to operate and not face unwarranted criticism. Using accepted policy and regulatory requirements coupled with business-area specific procedures and success metrics, they are allowed to perform their jobs autonomously. This in turn foster a sense of ownership in the organization’s success.
Let’s look a bit deeper in the two primary components of governance.
2. Governance is to encourage and support continuous improvement. This component:
It’s your front-line people that are best positioned to tell you what’s working and what’s failing with your GRC. Without this feedback, your GRC program stagnates, people become disillusioned and eventually disengage from supporting GRC. Afterall, who wants to be associated with a failing program where you only are criticized for not complying?
In summary, a well-developed, sustainable GRC program has the following:
FUD!! In today’s constantly and rapidly changing business world, the terms “Fear”, “Uncertainty”, and “Doubt” (FUD) are often used to
IT / OT Convergence is an industry term that became more prominent with the Industry 4.0 movement. With the introduction