In 2004, companies went through the sprint phase. Risks were identified
and managed with appropriate controls. Roles and user access were
cleaned up.
In 2005, the marathon phase began. Companies focused on staying clean
and lowering the costs of compliance.
In 2006 and beyond, companies started to focus on automation to bring
costs down to the lowest level possible.
Another, no doubt oversimplified, way of putting it is that companies rushed
to get clean regardless of cost, and then sought to stay clean as cheaply as
possible.
Stages of GRC adoption
Observers and analysts watching the progression of GRC adoption have
identified four stages of growth and maturity that companies move through as
they improve their GRC processes: reacting, anticipating, collaborating, and
orchestrating. As shown in Figure 1-5, the first step is reacting, which is the
rush to get things done.
The second step, where most companies are now, involves anticipating needs
and increasing automation. The third step involves higher levels of
collaboration in which GRC awareness is propagated throughout an organization. In
the fourth phase of GRC adoption, a company seeks to better orchestrate and
optimize its activities based on greater visibility.
[Figure 1-5: Stages of GRC adoption defined by AMR Research. Steps: Step 1: Reacting; Step 2: Anticipating; Step 3: Collaborating; Step 4: Orchestrating. Panel titles: Panic; Acceptance; Coordination; Manage in unison. Axis: Tactical to Strategic. Annotations: "Where organizations are today"; "Maturity varies by industry / geography".]
34 Part I: Governance, Risk, and Compliance Demystified