Governance, Risk and Compliance
By Joe Crampton Modified February 7, 2021
One of the biggest challenges in GRC is demonstrating the effectiveness of a good program. An effective program identifies the key risks and implements controls where they will have the greatest impact. If everything works properly, then nothing happens. Success is commonly measured by the absence of an event such as:
After a couple of years, a strong GRC program often faces pressure to reduce expenditure. Regardless of the risk, an excellent track record in controlling it means that is no longer seen as a top threat to the organization, and as a result, funding gets reallocated. The following questions then remain:
Setting controls that detect, transfer or mitigate an event is difficult, but possible. The team needs to identify the number and severity of “almost” risk events—the events that were detected and mitigated—and contrast gross and net impacts.
Setting controls that prevent an event on the other hand, is extraordinarily difficult. How does a team identify the number of events that were prevented because a control pre-empted it? How can the organization evaluate the effectiveness of a policy or entity-level control that changed the environment to prevent an attempt? Is that policy still important? Is the training still required? Can/should these programs ever be reduced, or do they just grow indefinitely?
The solution to this problem is excellent record keeping.
“If you can’t measure it, you can’t improve it.” — Peter Drucker
An event management system needs to document and track all events. When a new risk treatment is implemented, the pre and post-treatment data needs to be contrasted, and the pre-treatment data needs to be preserved as a reference point for years to come. This reference can then be used as a quantitative ROI for evaluating program effectiveness.