GRC Journey Guidebook

MetricStream has distilled the best insights of our delivery team and customers to develop a guidebook that helps you plan and execute your GRC Journey. Many elements are embedded in the GRC Journey framework, and broken down into simple steps to be followed using artifacts, workbooks, or online resources. This data is documented in detail as MetricStream's GRC Journey Guidebook for Champions - designed for business sponsors and managers, GRC Program and project managers, and IT architects who are implementing GRC initiatives across multiple tracks as a strategic program.

The approach covers each phase of GRC Program Strategy, Design, and Implementation in a total of nine steps. Each step has four key elements: Overview, Artifacts, Process Overview, and Process Tips. The guidebook is dynamic and continuously improving through our experiences with customers, and our relationships with industry analysts and thought leaders.

GRC Journey Approach
Guidebook for Champions
Phase 1 GRC Program Strategy

 Step 1
GRC Program Vision, Goals and Needs

  • Vision: Identify trends driving GRC strategy and evolution, and how to adopt the right vision for your organization
  • Goals: Define GRC Program mission, goals, supporting strategies based on business priorities and regulatory requirements
  • Needs: Build a practical stakeholder analysis of key needs

 Step 2
GRC Maturity Modeling

  • Assess: Assess key GRC process maturity against the desired future state
  • Target: Conduct a Gap analysis on initiatives required to get to the desired target state
  • Gap: Rationalize Maturity goals and key initiatives into stages

 Step 3
GRC Governance Model

  • Govern: Identify Governance needs
  • Inform: Build accountability frameworks for making decisions on risk
  • Engage: Implement Active Governance by engaging key stakeholders
Phase 2 GRC Program Design

 Step 4
GRC Framework Model and Libraries

  • Framework: Building a GRC Capability Framework with key components such as governance, policy, processes, risk, controls, communications and awareness
  • Libraries: Establishing common GRC libraries with common terms for core elements such as business units, products, processes, assets, people
  • Federate: Balancing common and federated processes for risk identification, analysis and issue management

 Step 5
GRC Process Analysis and Solutioning with Apps

  • Process: Ranking and prioritizing GRC processes as use cases
  • Apps: Solutioning - deciding what can be automated with MetricStream Apps
  • Content: Enabling GRC Intelligence through regulatory and best-practice content feeds

 Step 6
GRC Technology Eco-system

  • Ecosystem: Defining the GRC Technology Eco-system, in the context of a global, virtual, mobile eco-system
  • Platform: Integrating IT and security systems for continuous controls monitoring
  • Integrate: Meeting GRC Challenges in the Hybrid Cloud environment and addressing special technical and application considerations for large scale deployments
Phase 3 GRC Program Implementation

 Step 7
GRC Support Team and Deployment Model

  • Team: Identifying GRC Program Team Structure, Roles and Responsibilities
  • Deploy: MetricStream Implementation method and Integrating GRC deployments in the System Development Life Cycle
  • Onboard: Initiating new Projects and Onboarding new Stakeholders

 Step 8
GRC Multi-Year Roadmap

  • Plan: Developing a Multi-year Plan with the right gating factors and decision criteria
  • Roadmap: Developing a 12 month Action Plan - project dependencies, charters, critical milestones
  • Adapt: Meeting Delivery Challenges and ensuring an ongoing Architecture Review Process

 Step 9
GRC Communications, Change and Continuous Improvement

  • Share: Developing Communications and Change Management to ensure the right level of program visibility
  • Change: Preparing for Organizational Change and adapting to Changing Requirements
  • Improve: Continuous Improvement Program with MetricStream Special Interest Groups