All great shows must come to an end. The curtain is nearly closed and the last echoes of my final song are waning as I finish up my series on the “Groove Theory of GRC”. I hope you have enjoyed this running analogy and that it has given you a few ideas on how to spice up the conversation in your company around GRC. However, I have one last piece of the analogy. Music, like all art, depends on a unique and sometimes instantaneous combination of skill, talent, experience and inspiration. Music also has an interesting aspect: it has its own language and method of notation that can document the original intention of the composer and allow the art to be recreated. Bach’s “Brandenburg Concerto No. 3 in G Major” played today is very close to the original performance as envisioned by the composer. This is due to the meticulous notation of the musical form.
This series of blogs has been a long and winding road leading to the release of the RSA Archer GRC Reference Architecture. The following graphic has been developed by the RSA Archer GRC strategy team in collaboration with the Archer Customer Advisory Council as a simple notation for GRC programs.
My four postulates to the Groove Theory were meant to summarize what is encapsulated within the picture:
“Postulate #1: Optimizing Business Performance is the end goal; Visibility and Accountability is the method” highlights that optimizing business execution by providing management with visibility, efficiency, collaboration and accountability across the enterprise is the final objective of GRC. The overlay and output of the program at the top of the illustration identify these outcomes.
“Postulate #2: The more pieces of the business involved; the more complex the challenge but the greater the value” admits that GRC can turn complex as more pieces of the business are brought into the program. The layers of Management, Functions and Operations depicted on the front of the cylinder show this critical connection, and when this bond is built, the value begins to truly impact the organization.
“Postulate #3: Great GRC programs are founded on Key Processes that guide the organization, make the end goals of risk and compliance personal and ultimately become part of the culture of the organization” underscores the need to have integrated, defined and responsive processes that bring cohesion to the GRC program. This is denoted by both the GRC core of the cylinder and the flow of arrows indicating a continuous GRC lifecycle that connects GRC efforts through all layers of the organization.
And finally, “Postulate #4: The transactions and operations of the business come first and GRC must provide the framework to explore and exploit opportunities” recognizes that the GRC program must connect with the day-to-day business through the Transactions and Infrastructure that form the foundation of the entire program.
The objective of the Reference Architecture is to help place processes, technology, projects or other components of a GRC program in the context of the bigger picture. While the graphic may seem simple, it provides a multi-dimensional background against which to define where efforts are being initiated and to help frame the discussion. A picture may be worth a thousand words, but a concept as complex as GRC is difficult to capture in one picture. Therefore, the Reference Architecture is just one tool available to help guide or frame a GRC program.
For those of you with access to the RSA Archer Community, I am pleased to offer this white paper, published in collaboration with the Archer Customer Advisory Council, as an overview of the architecture. The paper also includes Guiding Principles and Key Objectives for GRC programs. I hope this illustration, along with the “philosophical” framework on which the work was based, can help your organization create its own song sheet for its own masterpiece symphony – “Concerto No. 1 in GRC Major (success)”.