Mason Karrer

The Main Thing About Maturity Is

Blog Post created by Mason Karrer Employee on May 5, 2015

We’ve recently begun rolling out our new RSA Archer Maturity Models, a unique set of resources designed to help customers better understand and navigate their GRC journeys. The concept of a maturity model is certainly not new, especially in the technology world. However to me one of the more frustrating aspects of typical technical maturity models (besides being abstract and not GRC focused) is the tendency to have a rigid, unforgiving way of making you feel inadequate no matter what you accomplish. So we set out to create a fresh, new spin on discussing operational maturity in a way that’s more instructive and GRC-centric. Our maturity models are very approachable to help customers easily identify where they currently are in their journey so they can set realistic goals for where they want to go next, and most importantly provide specific guidance for HOW to get there!


In our initial announcement a few weeks ago we introduced the basic approach across the seven GRC discipline areas we focused on for this first round of models. The Regulatory and Corporate Compliance Maturity Model details dozens of specific aspects necessary to build a mature compliance program from the ground up; and transform disconnected, inefficient risk and compliance motions into an integrated and differentiated system of activity and source of enterprise competitive advantage.


Celebrated business executive Jim Barksdale was notorious for his creative business expressions including his “Main Thing Principle.” His mantra: “The main thing is to keep the Main Thing the main thing”. During his tenure as COO of FedEx his frame of reference was a little different than ours here but the idea is the same. Every organization, every program needs a “Main Thing” – a central driving concept that forms the basis for success. That one thing is what people must clearly understand above all else in order to realize the potential.


One of the key elements you’ll hear us echo repeatedly is the importance of building business context. If there’s only one “main thing” in GRC then I would argue that’s it. Because it’s that rich business context that unlocks the inherent potential that exists within every organization’s operations. Without that context we don’t know what we don’t know, let alone how to prioritize goals that harness risk and transform compliance in meaningful ways to deliver real, tangible value through GRC initiatives. As Jim Barksdale would say, “You can’t manage that which you cannot measure.” (He would also say “In a fight between a bear and an alligator, it is the terrain which determines the winner.”) I’ll leave it to you to apply that latter pearl of wisdom on your own.


In the meantime I encourage you to take a look at the maturity model white paper for Regulatory and Corporate Compliance and the other Maturity Models, along with our Risk Intelligence Index on the RSA Archer Community. My fellow GRC Strategists and I are excited about the conversations these resources are inspiring with customers as a new backdrop for them to plan their GRC journeys and ramp up their programs. If you have any feedback or would like to engage in a consultative maturity model discussion in your organization, please email me anytime!