My team and I have been having many discussions lately on the evolution of GRC programs and the value of integrating or supplementing tangential processes with data flowing in and out of risk management activities. Much of this discussion is fueled by the efforts we have made on the solution development front. Over the past two years, much work has gone into updating our solutions based on industry practices and how our customers use RSA Archer to implement a wide range of GRC use cases. We have been working diligently towards deeper and deeper integration across modules and streamlining data sharing between core GRC processes. In addition, our integration with our Security Analytics has continually progressed towards providing information security management processes with business context to improve security.
As the conversation around the value of connecting processes within GRC progressed, the idea of a “Value Ceiling” for certain operational enablers and processes emerged. Certain niche technology enablers have a point where the tool is bringing value for the immediate needs, but there is more value to be extracted if that technology enabler could be used for broader purposes. In other words, there is POTENTIAL value that could be derived beyond the initial scope of the technology IF the technology can share data or enable other processes. A Value Ceiling is the point where the technology enabler achieves its operational value but can no longer provide greater potential enterprise value due to constraints, disconnectedness or some other barrier.
In June, I posted a white paper that was written in collaboration with the GRC Strategy team and the Customer Advisory Council releasing the RSA Archer GRC Reference Architecture. The GRC Reference Architecture was designed to help put context around the vast universe that is GRC. The illustration, guiding principles and objectives outlined a framework to think about what the true goals of a GRC program are, how the GRC program needs to flow top down through the organization and where certain processes, technologies, roles and responsibilities fit into the big picture.
I am pleased to combine these two conversations into this paper, “Breaking Through the Value Ceiling”. Technologies implemented to meet operational needs bring tangible benefits to an organization with focused, tactical functions. These tools bring value to organizations due to the focus on the specific business challenge at hand and most often help achieve goals at the operations level. However, certain processes need to lead to greater enterprise value. This paper uses the RSA Archer GRC Reference Architecture to illustrate the value of operational technologies while acknowledging there is a “value ceiling” for some niche operational tools, highlighting the missed opportunity for broader value.
The paper includes some simple questions to ask yourself about key processes and technology enablers in your organization. It is a simple concept, but I hope this piece ignites discussions in your organization about ‘value ceilings’ and unlocking benefits within your GRC program.