Principle five: Integrate governance, risk and compliance experts with product teams early and often
At the beginning of Part II, we explored how many organizations find it difficult to manage complex and interdependent demands that cannot be resolved by simply choosing one solution over another. When it comes to governance, risk and compliance (GRC) standards, most organizations struggle to find the right balance between speed and control.
Obviously, both speed and control are important. But when push comes to shove, most organizations play it safe. This means they often choose rigorous control and review processes as a risk mitigation strategy. This makes sense on the surface. For most organizations, there is a continuous array of known and unknown risks related to, for example, information security, data privacy, technical architecture and internal auditing. While it's important to ensure appropriate control is in place, it's more important to be mindful that lengthy and complex GRC controls may introduce another type of risk, known as the cost of delay.
In many cases, long lead times are the result of a deeply siloed and niche-based approach to risk and compliance. Product teams, for example, can often find themselves at the mercy of several subject matter experts who enforce stringent requirements that lack context and fail to weigh the actual risks at hand. This siloed approach also tends to reinforce hierarchy and limit autonomy, which further restricts the flow of value and learning.
While many organizations tend to believe their GRC processes and standards are carved in stone, the reality is that many highly regulated companies have been able to strike the right balance between speed and control by integrating GRC as part of an end-to-end process.