GRC – Governance, Risk and Compliance
GRC is IRM (Integrated Risk Management)
Integrated risk management (IRM) is a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks. – Gartner
According to Gartner IRM requires;
- Content management
- Document management
- User event input/output, distribution, and communication
- Risk analytics
- Risk and control management
- Workflow management
- Audit management
- Dashboards and reporting
- Regulatory change management
The emergence of “fortress architectures”
1. Project Management Risk
Every good PM keeps a RAID log and in that is a Risk register. Risks will have typically a composite risk index – probability vs impact and also a stated risk approach strategy plus a categorization. These risks might be exposed to the business stakeholders but rarely further than that and thousands of risks are identified by PMs and teams never to be reviewed by the GRC team.
2. Digital Transformation Risk
Many organizations are going through some form of digital transformation. During planning, teams have identified program risks and impediments that could impact their ability to meet their objectives. Its likely that a scaled Agile program has its own toolkit that stores these risks also. Yet again how much of this is readily accessible by the GRC team?
3. Incident Management and alerting (ITIL)
ITIL4 has its own approach to risk management.Teams are awash in risks in IT operations. They are already being triaged by sophisticated systems such as Opsgenie into incident and problem – those underlying risks too need to find their way to a central GRC function when or if they are serious enough.
4. Business Cases
Every business case documented and submitted for approval, will have a healthy dose of risks also documented in a Word document or PowerPoint slides. Risks are everywhere to be found, being managed separately and in silos. Yet we know that business case risks are often based on IT risk of delivery and cost. So risks interweave in these different silos as well.
We believe there is a better way.
Jira is an example of a platform that allows you to manage anything. If its a risk, a story, a control, a request, a sale, an “anything”, that’s configurable out of the box. We call this a low code/no code platform.
Our clients use Jira for just about anything you can think of. The point though is that it can be used to deliver an integrated solution that breaks up fortress architectures without huge custom coding.
Today we know many of our clients indeed large numbers of organizations (2000+) manage risks in Jira. We’re seeing a trend to put all IT related risks in Jira already.
IT Systems who have entered as silos that do not support G.R.C processes, which by their nature span enterprise divides. Typical, legacy collaboration tools such as email and SharePoint, provide very static and “untraceable” streams of communication between departments and audit teams.
Let us show you how standardizing and leveraging Atlassian tools can provide advanced GRC solutions.
The approach we take is to start with a solution “blueprint” and a basic starting configuration.
This becomes a single platform to manage GRC and to replace fortress architectures as much as possible.
There are no boundaries in this solution (other than security/access) enabling GRC teams to see all risks real time as they emerge.
The Blended GRC solution includes detailed configurations and documentation supporting;
- Integrated OKRs for GRC
- Risk Management
- Audit Management
- Business Continuity
- Vendor risk management
- GRC documentation
- Line of business reporting
- Enterprise (rolled up reporting)
We provide our own Atlassian Marketplace app – Enterprise Risk Workflow and Issue Type.
Advanced Risk Management workflow and risk record specification aligned with PMI guidelines. Includes recommended best practices suggestions for advanced risk management.
This package provides both the issue type set up and custom fields appropriate for an advanced risk management process.
Best practices risk management requires more than just a workflow but also an adherence to the information needed about a risk. This configuration will support risk identification, evaluation, and control. It will also describe how risks can be converted from “risks to “issues”.
Watch our webinar on the launch of Blended Perspectives’ new “Fully Integrated Enterprise GRC Solution” called Synthesis™.
We will demonstrate the “why’s” and “how’s” of our integrated approach based on our Synthesis™ solution blueprints. Furthermore, if you already have Jira and Confluence we will show you how you can migrate to an infrastructure you already own saving potentially hundreds of thousands if not millions of dollars on a stand alone GRC solution.