SAP - TINET - Tarragona Internet

(Ron) #1
Segregate role cleanup from user cleanup:

Roles must not contain conflicts.
Business managers can then take unneeded access away from particular
roles or specify an alternative if the access must be kept, such as
additional supervision.

Sometimes changing a business process or responsibilities is much easier
than trying to build roles around the process.

Eliminate risks and use mitigation for exceptions:

Investigate and implement controls to eliminate the risk.

Ensure users only have the access they need.
When you need to make exceptions, identify alternative controls, and
decide who will monitor them.

Getting Your GRC Project Going and Keeping It Going


Begin your GRC efforts by having some business workshops to launch the
project. Here are some things to do at those workshops:

Identify risks to be monitored.
Discuss industry-specific risks.

Look at which areas of the business currently have role conflicts that
must be resolved (hint: IT and risk management professionals may
already know what these are and can point them out).
Start thinking about mitigating controls.

Like any effort, the focus on GRC can fizzle if not nurtured. Have a quarterly
business meeting to keep the GRC effort going:

After initial implementations, quarterly meetings help reinforce
GRC efforts.

Quarterly meetings provide assurance that new risks are recognized as changes occur.
Risk identification and recognition become routine.

Chapter 16: Top Ten GRC Strategies 303
