It may be a good thing that when many organizations start their IRM/GRC effort they don’t realize the enormity of the journey ahead of them. In fact, most organizations do not have the final destination in mind when they start an IRM/GRC initiative; rather, it begins inside a single function and is sparked by regulatory pressure or a front-line manager wanting to reduce risk.

At some point, though, the enormity—and importance—of the journey comes into focus. And at that point, the best, easiest way to move forward is simply to take one step at a time. Inevitably, this will get you to the destination.

You’ve likely found this article because you’re part way into your GRC journey and seeking to understand what’s next. Good news: you’ve come to the right place.

In this article, we break down the GRC maturity journey that was documented over a decade ago by global nonprofit think tank OCEG. Their “map” breaks down the journey into five steps. In this article, we highlight what each step looks like as far as milestones and initiatives related to your org structure, processes and technology. Our aim is to, in a few minutes, help you pinpoint roughly where you are in your GRC journey, and understand what’s upcoming. It should also give you enough information to have meaningful conversations with vendors about helping your organization move forward.

5 must-haves for your GRC journey (no matter where along the path you are)

Like a mountaineer needs a backpack of critical gear, every organization, no matter where they are on the path to GRC maturity, needs five things to be successful. These are as fundamental as water and good footwear for a hiker; without them, your organization will face significant difficulties.

Management commitment
The degree and level of leadership commitment to overall risk and compliance management culture, strategy and priorities should be established as maturing GRC processes takes time and resources.

Performance and acceptable risk
Defined levels of performance and acceptable risk for the business need to be established to set the target state for the GRC program and ensure the business understands the level of effort and benefits involved.

Expectations and measurement
Clear expectations and success criteria defined for the GRC program must be communicated by management to guide strategies.

Stakeholder involvement
Key stakeholders and constituents need to agree on the importance of continuous improvement and maturity of GRC processes.

Budget and resources
Sufficient resources for the GRC program must be committed to achieve success.

Stage 1: Siloed

Summary

This is the first stage of the journey for every organization. At this time, you’ll be focused on baseline activities to manage risk and compliance. The telltale sign you’re in this stage is your GRC activities are taking place in just one functional area such as IT, audit, or finance—i.e. in a silo. It’s possible that other functions in your organization are undertaking GRC efforts, too, but if so, they are siloed rather than sharing an overarching strategy. In essence, each function runs its own show with the goal of creating a smoother, more synchronized GRC landscape over time. Finally, as activities pick up steam within the function(s), governance processes start to shape up. However, most functions lean on support from vendors.

Milestones during this stage

Org structure

  • Most of the work unfolds with the person in the function who’s responsible for the GRC work (OCEG calls them the “2nd line of defense”).
  • Awareness and education initiatives, such as security awareness or audit training, mainly channel requirements to business operations within their own realm.
  • Policies and control structures are established within the function, guiding requirements that cascade down to frontline employees.
  • People outside the function, like business partners in operational groups, stay relatively uninformed about the inner workings of risk and compliance.
  • Issues like risks or control gaps are handled independently within the function.
  • If multiple functions have GRC initiatives, they individually hire consultants/vendors who’ll then organize and execute engagements within that function.

Processes

  • Strategic plans are shaped based on business cases tailored to each function’s specific needs. Requirements are outlined, and resources are earmarked to execute the plan within the functional group. This process propels domain-level projects, all tracked and managed using the unique processes of each function.

Technology

  • Technology plays a role but is mainly tailored to meet operational needs within the function(s). Whether it’s desktop tools, homegrown systems, or even specialized GRC technologies, they operate within the function for a defined set of use cases.

Stage 2: Transition

Summary

This stage will see you steering your GRC program toward integration and realizing big benefits as domain-level efforts expand within functional groups. Executive sponsorship gains traction, urging functions to see the perks of leveraging processes for greater GRC benefits. Frequent talks among stakeholders, especially executive leadership, fuel this shift as your domains mature their processes.

Milestones during this stage

Org structure

  • As groups communicate more, awareness spreads across domains. This leads to setting up an integrated GRC awareness framework for the 2nd line of defense. Risk and compliance groups start sharing across domains, boosting the overall effectiveness of the 2nd line of defense.
  • A need arises for a common business hierarchy to report risk and compliance issues.
  • Policies begin to play a crucial role. And along with them, work to harmonize/standardize them.
  • Commonplace issues lead to consolidation for efficiency.

Processes

  • Executive sponsorship is established.
  • Roles and responsibilities get formalized and two integrated governance structures form:
    • GRC program committee to propel your overall GRC strategy.
    • GRC technology committee to focus on the technology supporting your GRC program.
  • As these committees collaborate, oversight coordination improves, leading to decision authority for integrated GRC program elements. With enhanced cooperation, external service providers can consolidate, focusing on preferred partners.
  • Taxonomies begin.
  • A long-term strategy for the integrated program takes shape.
  • Documentation of existing projects begins in order to understand each group’s direction and monitor metrics for successes and challenges. These inputs become vital as your integrated GRC program strategy emerges.

Technology

  • Cataloging your tech used in each domain begins. The aim is identifying tools used by each group and aligning the technical setup with taxonomy development for common elements like business hierarchy, policies, and issues.
  • A software development lifecycle (SDLC) may start. Since most groups have technical solutions for domain-level issues, introducing an SDLC for GRC tech ensures future efforts are coordinated.

Stage 3: Managed

Summary

Entering the Managed stage marks a significant leap in your organization’s maturity. Your operationally-sound program now impacts daily operations. While you might spend considerable time in this third stage untangling the complexities of integrating risk and compliance across functions, it’s crucial to know this isn’t your final stop.

Milestones during this stage

Org structure

  • As your GRC governance groups continue their work, coordination across functions increases and naturally leads to the creation of a decision authority for integrated elements of your GRC program. This goes hand-in-hand with your growing taxonomy.
  • Increasing cooperation across functions also allows for consolidation and sharing of vendors.

Processes

  • Beyond the 2nd line of defense awareness framework established in the Transition phase, your next move involves a strategy for converging the education and training programs for your frontline workers (aka, your 1st line of defense).
  • Establishing one view of risk and compliance responsibilities across your organization is pivotal for your organization’s risk culture.
  • Taxonomies initiated in the Transition phase continue in the Managed stage, now expanding to include assets, risks, and controls.
  • Your documented strategy and roadmap will now include key objectives, technical requirements, and resource needs.
  • Projects become more intricate, necessitating a project management office to coordinate execution and reporting.
  • Metrics become crucial for identifying milestones and critical junctures, aiding later optimization.

Technology

  • The technology usage cataloged in stage two allows for the migration or integration of GRC technologies.
  • The evolution of your technical infrastructure necessitates a formalized integration development team and technical support team for successful technology projects.

Stage 4: Transform

Summary

This stage sees a shift toward more meaningful communication across your program. After substantial effort in stage three to confirm and prove your work, the momentum toward integration may create logjams in priorities and resource crunches. This stage is crucial for stabilizing your efforts and ensuring your organization reaps the expected value from the GRC program.

Milestones during this stage

Org structure

  • With major governance committees established in stage three, now these bodies are propelled into an operational state.
  • The management team is formalized and engages in regular governance activities like supporting and sponsoring taxonomy work, and prioritizing projects.
  • These bodies also serve as your key representatives, communicating progress to executive management and other functional leadership.

Processes

  • Cultural impacts manifest in a more cohesive awareness program.
  • Testing processes that raise frontline employees’ awareness of risk/compliance priorities and responsibilities, and integrate them into daily work, improves overall acceptance and accountability.
  • Additionally, the taxonomy work initiated in stage three needs implementing. With common taxonomies for core elements like assets, risks, and controls, you can implement integrated asset management, control assessment, and risk assessment processes. Although processes may not be entirely combined or consolidated, describing these components using a common language greatly improves the impact on reporting GRC issues.

Technology

  • You’ll move to a truly managed and operational technology infrastructure. This requires implementing your operational model (chargeback or cost-sharing depending on the general IT models of your organization).
  • Regular health checks and metrics on your technology stack should be conducted as your program continues to onboard processes, functions, and other data stores.
  • Managing incoming requests will require more rigor, as well as a controlled and prioritized change management program.

Stage 5: Advantaged

Summary

In the ultimate stage, significant elements are consolidated and, finally, GRC processes seamlessly align with business needs, objectives, and strategies. The pivotal development is the adoption of common taxonomies, enabling a truly integrated view of risk that informs prioritization based on business impacts. Your GRC program has hit full maturity and has a comprehensive view of risk dimensions and issue visibility. Now, your risk and compliance program is a competitive advantage for your organization.

Milestones during this stage

Org structure

  • Governance structures can welcome new functional groups into the broader strategy.
  • Training for both 1st and 2nd line of defense employees has forged a risk-aware and educated workforce.
  • Prioritizing and implementing taxonomy development for additional GRC elements, like incidents, regulatory obligations, crises, etc., enhances consistency across the organization.
  • An integrated risk prioritization process is implemented, enabling the identification, assessment, treatment, and monitoring of risks using shared measurements.

Processes

  • Program management exploits the integrated nature of projects and strategies to optimize and rationalize financial investments in GRC.
  • Ongoing strategy management involves regular planning and monitored execution.
  • With your program running for a considerable period, benchmarking against peers and industry provides valuable insights. This, coupled with established metrics, fuels continuous improvement.

Technology

  • The technology infrastructure achieves an operational steady state where program changes drive technical operations. This involves managing data integrations between systems of record, maintaining a backlog, and creating a roadmap for technical requirements.
  • Many organizations at this stage establish a “GRC Technology Center of Excellence” with dedicated technical resources collaborating with functional teams and businesses to implement systems supporting the program.

As your organization traverses these five stages of GRC maturity, you’ll discover the journey is not merely a progression but a strategic evolution toward operational excellence. It takes years, not months, and will likely have some twists and turns, so use this maturity model as your North Star.