What’s the best way to describe the maturity of governance, risk and compliance (GRC) capabilities?
You can take a traditional view, where the scale moves from undefined processes, lack of documentation, and siloed operations with activities that are difficult to replicate at one end, to a fully realized, integrated system of people, process, and technology at the other. But another, perhaps more useful, way to discuss maturity is to look at it from the value perspective.
The goal shouldn’t be to have sophisticated processes that are supported by best-in-class technology just for its own sake. Why do we want a mature GRC capability? We want it so that we can feel more confident, and be justified in that confidence, as we make strategic decisions and take action to meet established objectives. The maturity scale should reflect not only the changing structures and processes, but also the related growth in confidence that enables the organization to be agile, coordinated, resilient, responsive to change, and all the other characteristics that drive success.
In OCEG’s 2007 and 2012 GRC Maturity Surveys, we began to see a strong correlation between integrating mature GRC capabilities and having feelings of operational and strategic confidence. This year, in the newest iteration of the GRC Maturity Survey, we see even more evidence that integrated GRC capabilities enable confidence about having the information needed to make strategic decisions, knowing the right controls are in place to address risk and requirements, and much more.
To get a sneak peek at the preliminary findings from the 2015 GRC Maturity Survey, join me, along with Michael Rasmussen, Chief GRC Pundit of GRC 20/20, and Joe Howell, Co-founder and Executive Vice President for Strategic Initiatives at Workiva, for an initial webcast report. View the recording here. You can access the 2015 GRC Maturity Survey here.