According to a recent McKinsey survey, “corporate leaders see a ‘need for improvement’ across numerous aspects of [GRC],” a finding that probably surprises no one. From where I sit, the most interesting takeaway – my reckoning, not theirs, to be clear – is how much organizations’ approach to governing information contributes not only to this relatively poor showing, but to the ability to improve matters as well. It truly is the tie that binds.
Take, for instance, the report’s conclusion that “across industries, there are […] some common pain points, including limited tech enablement, insufficient resourcing of oversight capabilities, and the challenges of a shifting regulatory landscape.” Based on my own experiences as a consultant in the space, I see the clear intersection of GRC and information governance at every turn:
- Tech enablement, which reads to me as the implementation, augmentation, or simple activation of technology tools that directly support the next two items (and plenty more). These days, the list of options is topped by AI, which is only as good as the information it bases its results upon – thereby requiring the application of governance practices to enhance information findability, classification, retention/disposition, privacy, security, and quality.
- Insufficient resourcing of oversight capabilities, which speaks to the need for policy-setting, monitoring, reporting, and accountability – and more broadly, changing the organizational culture to embrace such things. These elements all require the collection, analysis, and leveraging of sound data ranging from operations (e.g., process efficiency and engagement) to HR (e.g., the tracking of governance-related training completion). Information thus is critical to addressing this shortcoming.
- The challenges of a shifting regulatory landscape, which in the information context is centered on staying current with changes in compliance requirements and making the governance adjustments necessary to keep pace. Chief among these are the central disciplines of updating your retention schedule and any of your policies that are affected by the new rules. Of course, you first have to know where these things are and what they say, two issues that I run into all the time.
There are plenty of other points the survey makes that lead me to the same logical end, but you get the idea: GRC programs live and die according to the strength of the information that supports them. If that information is well tended, then we can feel good about the job we are doing. But if it isn’t, then we are limiting our effectiveness right from the start.