GRC Tuesdays: In addition to being good movie material, spacecrafts are also great analogies to perfect GRC systems!
Be it the European Rosetta spacecraft and its Philae lander module, the Japanese Ayabusa with MINERVA onboard or NASA’s famous Apollo program and Lunar Module, they all have one thing in common – in addition to amazing technology and great movie topics that is – to me they are perfect examples of GRC systems.
When writing his novel From the Earth to the Moon, I am not sure Jules Verne had in mind all the constraints that Space agencies would have to face, including the unknown factors that are discovered during the trip. But one thing is sure: these technological gems are designed to calculate risks and make the most out of opportunities. And isn’t that what Governance, Risk and Compliance is ultimately about: helping the organization – here a space agency – achieve its objective – land on a moving target far, far away?
If so, then I think you will agree with me that space agencies do this with amazing results given the difficulty of the task.
1. Risk Management
Before launching any project, every organization analyses its chances of success. I am not a space engineer but I’m pretty sure they do it as well. Then, during the life of the project – or the interstellar trip, risks have to be revised: are there new contextual events that need to be taken into account, should the organization review its course, and so on. Risk identification and assessment are of course a given in any GRC system, but continuous monitoring of early warning indicators is a key functionality that is often overlooked and not used sufficiently in my experience. Without these, how can an organization keep an eye on emerging threats and make sure that they don’t become a roadblock to a successful mission?
2. Controls Management (and Compliance)
Can you imagine launching a spacecraft and not monitoring continuously its trajectory and its compliance with the defined route? The same applies to any business.
I don’t know any company that doesn’t ensure its processes are respected. Not only because it’s a regulatory requirement for some of them like Financial Reporting, but more simply because the long-term sustainability of the company relies on it. If the quality process is not respected for instance, there is a high likelihood that defective products will be put on the shelf. Hence meaning product recalls, loss of customer trust, decline in revenue, and so on and so forth.
Due to the workload associated, many companies do testing manually and based on a sample. What if, instead, they could move to full monitoring of transactions for instance? Surely this would increase confidence and, provided it’s done automatically, running costs wouldn’t be increased. On the contrary.
I recall a visit to Ariane’s control room many years ago, and what stroke me was that everyone had a defined seat and very precise assigned role.
Once again, the very same applies in any GRC process: roles have to be defined – otherwise how can one check the authorities, and policies of course have been adequately defined and rolled out?
4. Last but certainly not least, Security
Security topics are getting a much bigger focus recently. Partially due to Data Protection regulations of course, but also because there is a realization that sound security is intrinsic to the good functioning of the company. Going back to my spacecraft analogy: do you think they would let anyone access the commands and do what they want with them?
I will admit it, I am fascinated by the ingenuity deployed by the teams that are capable of such exploits. Nevertheless, if this has made you smile and think further on the parallel between the 2 systems, I would have achieved the task I had set myself today.
What about you, are there other analogies that you have used in the past to illustrate, with a concrete example, an end-to-end GRC system?
I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard