I was recently discussing IT GRC program implementation with the CIO of a growing, mid-sized software company when he presented the question, "But HOW do you do it? I mean, how do you get employees to follow the rules in a GRC program?" The following is the second part to my response to his question?
...After the matrix team is established, a series of environmental assessments and gap analyses relating to risk, controls, policy and procedures, etc. begins. Process and control owners get involved in updating and/or creating necessary key control processes in the form of process maps, risk matrices, control and risk standardization and integration, test plan development, etc. Around this time we also recommend that businesses begin working on procuring a system of record that is going to house it all.
Once the control environment begins to take shape, the Compliance and Awareness Training Phase - another critical element of the program ? is developed. This step is probably one of the most critical success factors of the entire implementation because it allows management to communicate the IT GRC vision, while allowing process and control owners to train and delegate that vision to their teams.
As a result of this training, the matrix organization understands compliance initiatives will be measured using a series of self-assessments, with results reported to Executive Management, the Board of Directors, Audit Committees, etc. Conversations about controls and applications not operating effectively, test failures, significant deficiencies, etc. will create immediate incentive in the minds of the process owners to ensure their teams begin "following the new rules."
Self-assessment testing should be followed by training and awareness sessions that report the results to the matrix organization. Rewards and public recognition for successful testing creates incentive to keep doing it, which naturally stabilizes the control environment with sustainable operational effectiveness. Public embarrassment (for lack of a better term) creates immediate incentive for remediation to occur in areas that are operating ineffectively, and the environment again begins to naturally stabilize.
Following this framework, we have seen clients go from hundreds of deficiencies and multiple ineffective applications to no deficiencies, no ineffective applications, and only a few exceptions noted (which is an acceptable risk because you can't manage to perfection).
True doesn't implement the IT GRC Program for you. We enable you and your teams to be champions for the organization by transferring our knowledge base and expertise directly to you.
After a short pause this CIO responded, "Sweet!" He is now a client.