Organizations typically pursue the implementation of a Governance, Risk, and Compliance (GRC) program through a circular series of activities:
- Embracing standards and defining policies
- Running tests and validations against those policies
- Uncovering and classifying 'issues,' prioritizing and fixing some of those issues based on risk/impact guesses
- Doing it all again in hopes that the state of compliance and risk level stayed at least as good as it was the last time around
This method produces results demonstrating a point-in-time state, but it does little to measure the real risk to the business. If the organization is mature in its implementation, executives may be able to roll some of their findings into the next iteration in order to improve results. If the firm is really on top of its game, executives may be able to analyze multiple iterations to identify trends or patterns, which can be used to further adjust future program activities.Even with relevant trends and patterns emerging, however, those results are based on limited, isolated data and can only be measured against previous results; the analysis does little more than prove that the organization is doing better, or worse, than in the previous period.