Published on April 02, 2024


Throwing away the quantities for your ingredients may result in a horrible mess - The start of a GRC Story


Imagine a cookie recipe without quantities that’s only focused on ingredients.

What if someone were to tell you to pull out a mixing bowl and throw in a whole dozen eggs instead of one egg. And then throw in the whole bag of flour instead of just a half cup. Then they’d tell you to pour the entire bottle of vanilla into the bowl instead of one teaspoon. And that you must put the entire pound of butter in, instead of a half cup.

You get the picture. It’s ludicrous to imagine anyone giving such advice, and any such recipe would get thrown away because it’s so obnoxious & unrealistic!

The unfortunate reality is that this is how many of our GRC programs are stood up today.

We’re dumping in *all* the ingredients, without any appropriation.

We take the entirety of the frameworks and regulations into our companies – then try to satisfy vague, nebulous and generic language. Ludicrous indeed!

This results in organization-wide confusion, lack of ownership, inability to gather evidence, failed audits, and ineffective risk measurement. Pandemonium.

It is possible to appropriate GRC programs – Let’s understand the components needed to do this.

Your company operations are influenced by a combination of frameworks & regulations. These originate outside of your company. They are not what the auditors show up to audit, because auditors aren’t looking for a regurgitation of what’s already publicly available.

Consider this…

Frameworks are intentionally written to be broadly applicable. It doesn’t matter if your company is… big or small, in this industry or that one, super mature or not at all, using this technology stack as opposed to that one, leveraging one third party or many, etc!

The language used in frameworks is by design vague, nebulous, theoretical and ethereal. This language is intended to be tailored to your company.

This means a translation has to happen to make the framework controls apply to you!

You must appropriate frameworks to match your own company and never write the controls verbatim into your own operations … unless … you can come up with evidence that the verbatim version actually occurs in your operations!

As for regulations, these are the law. There’s still a way to satisfy the requirements of the regulation(s) that govern your operations without creating unnecessary noise!

Some regulation statements won’t ever apply to you. For example, you’re a biotech that makes meds governed by the FDA. You will take the FDA requirement that says “if you make goat milk ice cream, you have to use goat milk” (21 CFR 135.115), acknowledge the requirement, and detail how this requirement doesn’t apply to you.

If it doesn’t apply to you, explain why, and don’t track it!

When combining frameworks and regulations, the result is typically a very large dataset. What should come next is not a technology solution, but rather some collaborative decision makers gathering to contribute to company-specific controls.

Want our recommendation on how to do this best? Contact us, or hang out for next week’s article.