Alyned Thinking

Why new thinking is needed and how we are putting our expertise to work.

GRC Maturity Levels


As explained in the previous article, GRC is typically the practice of tying together governance, risk and compliance activities in an integrated program supported by organisation, processes and tools. In some form or other, organisations of all shapes and sizes are already engaged in GRC activities. However, depending on their industry and overall size, they may be at different stages of advancement.

In order to have a good foundation for further discussion, it is always helpful to identify one's own organisation's maturity level. Therefore, we shall attempt to classify, and give examples of, organisational attributes, processes and deployed tools at each level. The descriptions follow the familiar Capability Maturity Model levels.

Level 1 - Ad-Hoc

  • Organisation: No dedicated personnel or roles have been assigned. If GRC topics come up, top management and/or general legal counsel deal with them. In general, members of the organisation do not understand the need for GRC, nor do they have any understanding of the terminology.
  • Process: All GRC activities are performed entirely in an ad-hoc fashion and only if external triggers, such as government inquiries, are present.
  • Technology: None in use.
  • Example organisations: Small to medium companies in unregulated industries/markets.

Level 2 - Repeatable

  • Organisation: Usually no full-time personnel; however, roles and responsibilities might be assigned to specific people within the organisation (e.g. a Compliance Officer). In many cases, these people also have other, sometimes conflicting, areas of responsibility.
  • Process: Certain use cases and common GRC processes are performed regularly, often due to external legal pressure (e.g. certain public reporting obligations).
  • Technology: The responsible employees might start to semi-automate certain aspects, such as re-using document and spreadsheet templates.
  • Example organisations: Small to medium companies operating in industries or markets which have legal regulations in certain topic areas (e.g. customer data privacy).

Level 3 - Defined

  • Organisation: Roles and responsibilities have been clearly assigned to dedicated resources with proven GRC skills. However, at this stage it often happens that the rest of the organisation adopts a "not my task" mentality and pushes all responsibility to the central GRC department.
  • Process: Core GRC processes are documented and regularly performed with clear consequences for non-compliance (e.g. risk assessment in projects, quarterly compliance reporting to the board, etc.).
  • Technology: The organisation has invested in point solutions for certain use cases or might also have projects running for integrated GRC suites. However, in a lot of cases, these solutions have not yet delivered on the vendor's value promise.
  • Example organisations: Publicly listed companies growing from former medium size to the beginnings of corporate enterprise.

Level 4 - Measured

  • Organisation: The previously centralised team has managed to establish GRC responsibilities in all major arms of the organisation (e.g. subsidiaries, business departments). However, with the growing number of dedicated GRC personnel, coordination among these teams becomes more and more time consuming. Decision making is typically done in committees. In addition to internal control, it is increasingly recognised that the sprawling extended organisational landscape of suppliers and partners is difficult to handle.
  • Processes: Major GRC processes are being measured for performance and sustainability, e.g. a risk register is meticulously maintained and mitigation actions tracked. Performance indicators are regularly reported to management but often lack true relevance and actionable insights.
  • Technology: Processes are modeled and executed in dedicated GRC software tools procured and integrated at great cost. There is usually also a continuous effort to customise the tools in order to bring them closer to what processes have been established in the past.
  • Example organisations: Large enterprises in heavily regulated industries (e.g. financial services).

Level 5 - Optimised

  • Organisation: GRC responsibility and accountability is fully recognised across all layers of the organisation. Every employee participates actively with intensity depending on their particular job function. External resources and business partners are integrated, where necessary.
  • Processes: GRC processes are constantly evaluated for effectiveness and efficiency. Continuous improvement approaches are regularly applied to tune activities to the shifting needs and priorities of the organisation.
  • Technology: After huge capital investments, the previously acquired and integrated software solutions are finally beginning to drive efficient process execution and allow management to gather meaningful data about their GRC state. In certain situations, organisations are beginning to recognise that software solutions may have been chosen based on inadequate requirements.
  • Example organisations: High-performance organisations with strong experience in outsourcing and service-based enterprise architecture, as well as a high degree of digitalisation in their overall business processes.
Author: Stefan Sulistyo
Co-Founder & Chief Customer Officer
About the author
Co-Founder & CCO of Alyne, 10+ year InfoSec & GRC veteran, first of his name, waiting for the singularity.