Wondering if or how you should migrate your legacy cybersecurity, risk, and compliance technology (also known as GRC)? You are not alone. I continue to hear several common themes from clients who are facing the challenge of modernizing their GRC program, processes, and technology and wanted to provide my perspective on how to approach it based on my experience supporting clients with this in recent years.
What can make GRC so uniquely challenging is that it is inherently cross-functional. GRC intersects multiple functions across the business which commonly include cybersecurity, legal, finance, digital/IT, audit, and often numerous product or engineering organizations—all of which are responsible for a variety of compliance obligations and for measuring and monitoring organizational risk. Bringing these domains together into a unified program, on a common technical platform such as ServiceNow, is not an easy undertaking—but can be of immense value to executives and the board if successful.
Here are a few common steps followed by organizations successfully driving GRC transformation:
- Level-set on your organization’s definition of GRC. Start with the vision and purpose of the program and establish a consistent understanding of what GRC means for your organization as well as a matrix of responsibility and accountability for each related function.
- Keep leadership bought-in and engaged. This means much more than having names listed on a slide or a few ad-hoc touchpoints on progress. Leadership that is truly bought into the value of GRC greatly helps in clearing common barriers to a valuable GRC technology transformation and strong ongoing cross-functional alignment. This is often effectively achieved through the establishment of strong governance mechanisms—or regular forums for key decision-makers to discuss the outcomes and evolution of the GRC program which would include a technology migration.
- Aligning the organization on a common framework, then aligning on the tool selection. These are crucial steps which can present many challenges. There are point-solutions (or tools tailored for specific use cases), and a variety of comprehensive enterprise platforms to consider, including ServiceNow, and more specifically ServiceNow Integrated Risk Management products. It is important to build consensus at the executive level around the strategic goals of the organization and the framework that the technology will support, with buy-in from all parties to avoid fragmentation or challenges with adoption. Consider conducting your analysis using a transparent scoring methodology to bring objectivity into the decision.
- Create and publish a comprehensive strategy. Define the key objectives the migration is setting out to accomplish, the processes and functions that will be part of the migration, and the way the migration will be executed along with the key outcomes to the business.
- Build and socialize a GRC maturity roadmap. Think about establishing value quickly and in a phased manner, avoid a big-bang deployment and instead focus on incremental releases that quickly gauge end-user feedback and make corrections quickly. Executing a migration using agile software development principles will build trust quickly with the first groups onboarded to the new GRC platform and incentivize others within the organization to join.
- The migration is just the beginning! The evolution of the platform, introduction of new features, and onboarding of new cybersecurity, risk, and compliance use cases make establishing ongoing product management and DevOps crucial to success. Don’t wait until after initial go-live to define your operating model. Make the transition from the initial migration to ongoing evolution seamless with a logical hand-off from the initial deployment team to the ongoing DevOps teams—and show the continued evolution of your organization’s GRC technology journey against your roadmap.