GRC 2.0: No Longer the Shawshank Crawl
There is finally some joy in GRC-ville. As the formal procurement cycles for GRC (and in particular Enterprise Risk Management like 3rd party risk and vulnerability management) continue to grow quickly, one thing really stands out:
How many new projects aim to simplify an earlier attempt at enterprise risk that either was never operationalized, or was operationalized at a very unbalanced cost vs benefit outcome.
First-generation GRC/Risk projects were painful. The “products” available in the market were at best a very rough starting point with a huge amount of programming and integration work to be added, at significant cost and over a long period of time. At worst, the whole thing was developed as custom code by a group of engineers, yet sold as a “product”. In either case, the result was what I call “The Shawshank Crawl”. A somewhat unimaginable process to get through. (Yes, I am a movie fan. If you’ve never seen The Shawshank Redemption, you’ve missed a good one.)
What I love today is seeing customers’ eyes light up when they see the maturation of the solutions in this space. They now realize that the second time around will be much easier, and that there are purpose-built products from a new generation (yes, like RiskVision) that offer a step-function improvement in the data model, automation tools, analytics, and pre-integration with key ecosystem partners and content sources. I think it’s fair to say customers can finally expect a GRC/Risk “product” today.
Let’s look at three macro dimensions that have seen dramatic improvement vs 1.0 approaches.
The data model. This is where it all starts. Smart connectivity with a large number of ecosystem partners enables fast population of the data model. Advanced correlation engines ensure high performance functionality, regardless of the query. And no silos. Each use case uses the same integrated data model. And finally SCALE. Risk today is becoming a big data challenge. You need to support thousands of practitioners and millions of assets / objects.
If you need a place to start your evaluation of new GRC / Enterprise Risk solutions, for goodness sakes, make sure you start with the data model. The foundation, like in a building, is the key.
Automation. One word, but very powerful. Automation has significantly improved the process of getting your new solution operationalized. Automation of content mapping, leveraging pre-built workflows, data ingestion with filtering, self-service BI, UI customization and more are available today “out of the box”. But the biggest advancement in automation is the ability to configure, not program, changes.
Maybe the single biggest advancement in GRC/Enterprise Risk 2.0 platforms is the ability to configure – not custom program – virtually all workflow changes.
Risk Scoring and Analytics. Let’s face it, it’s all about board reporting today and the dashboards and heat maps that can be generated in near real time. But it's also about easily slicing and dicing risk intelligence for line of business leaders, security personnel, IT team members and more. One data model, multiple reporting/UX options. There has been a lot of innovation in risk scoring algorithms to quantify and prioritize risks based on multi-attribute weightings for business priorities, security data, and operational and compliance policies.
Modern analytics enable enterprises to quickly visualize business-critical risk and make remediation immediately actionable.
There are certainly other key improvements in GRC/Risk Intelligence 2.0. It can be on-prem or in the cloud, for example. But the real value is in the customer implementation experience. GRC 2.0 approaches, like RiskVision, offer significant usability, scale, automation and time-to-deployment advantages over 1.0 projects – at a fraction of the cost.
To complete the Shawshank reference, GRC 2.0 is a lot like a day in Zihuatanejo. OK, that’s not really true. But it’s a lot better across a number of dimensions.
As always, let me know what you think.
Keith
Digital Transformation ⚡️
9y
Great read on GRC/Enterprise Risk! So much growth in this space right now. Look forward to hearing more.