GRC Football
By Walt Carter and Reid Eastburn

If you are familiar with American Football, Governance, Risk Management, and Compliance can be explained very simply. After many years of working with organizations in information risk management, we have found that explaining enterprise information governance, risk management and compliance to the boards, executives, and line managers works best when using an analogy to a football team with its offense, defense and special teams units.

Have you ever wondered why college and professional football teams have so many players – 50 or more – when each team can have only 11 players on the field at any given time? The answer is that the football team has teams within the “big team” just like an enterprise. The team is divided into an offensive unit, a defensive unit, and several special teams units. In order for the big team to be successful, all three units within the team have to perform well when on the field and they all have to work in alignment with each other under one head coach, even though they don’t all participate on the field of play at the same time.

Offense is the place for us to think governance. Think of your governance plan as your offensive strategy and playbook. This is where the team lays out the approach to scoring points in the game (pass offense, run offense, a balanced attack, etc.) and defines the specific roles and responsibilities of the offense’s players. The playbook has pictures that clearly show the actions and direction of the individuals on the field for each play. A good governance model provides clear direction, focuses on gaining and keeping forward momentum and has definite measures of success. The offensive playbook must be flexible enough to accommodate and adjust for the specific game day conditions but not so loosely defined that the players are confused or forced to “wing it.” Winging it is what you see in sandlots or playgrounds.
Collegiate and professional football is serious business. Your organization is probably a serious business too, so we don’t want to wing it – there is too much risk.

Think of your risk management plan as your defensive strategy. This is how your organization protects your information, your people and your assets. Your defensive strategy lays out your operating philosophy, your defensive posture and again defines roles and area responsibilities for the individuals tasked with executing against specific and possible risks on the field of play. By identifying and quantifying your enterprise information risk situation, your defensive unit can effectively tackle the opposing team for minimal gains. A really good defensive coordinator anticipates the opposing offense so well that most plays are broken up behind the line of scrimmage for a loss. On game day, we minimize our risks through the use of context-specific controls aligned to recognized industry standards and deployed in layers across the networks, people, and technology used to support our business.

Third, a highly visible unit in football is the special teams unit. There is usually a group that just does kickoffs. A different group receives kickoffs. Another group punts the ball away. Yet another receives punts. You have yet another special team which lines up for field goals and extra points. A different unit attempts to block field goals and extra points. Many times in the course of a season, a well-executed play by one of the team’s special teams units will be credited for a major shift in the momentum of a game or even a victory. In your enterprise, think of your compliance team the same way. Many of the players are typically on offense or defense but are needed and used periodically for the special team functions. These would be your IT network administrators, system administrators, database analysts, controllers, financial analysts, etc.
This group will also include your Business Intelligence group and your business process and data owners. Within this team are some other highly skilled specialists, like your internal auditors or information security managers. Like a good kicker on a football team, the internal auditor can mean the difference between a winning season and a losing season. The most valuable auditors, like the best kickers, are consistent. They can be counted on to deliver. Erratic kickers, even those that can kick a field goal from 50 and 60 yards out, will lose their jobs to a kicker that is consistent in performance throughout the season. The auditors and security managers that are most consistent in their approach prove to be the most valuable to the big team. Those that wing it, or try to go with their gut or intuition rather than measuring the effectiveness of controls against defined, context-specific internal standards (that are bounded by recognized industry or regulatory standards), are not consistent enough in their approach to enable the team to win on game day, whether the game day event is a scrimmage against the external auditors or a real game against committed hackers attempting to do your company harm.

Governance, Risk and Compliance can sometimes seem overly complex. The analogy with American Football only holds within certain obvious limits, but to fans of the game the analogy can make difficult concepts come together quickly in a straightforward way. This is important because we’ve found that helping people understand the importance of governance, risk management, and compliance to the long-term health of the organization is one of the best values we provide.
Our analogy has helped us to get people engaged and, once engaged, helps us help them to be creative with their GRC game plan so that they make the best use of the people, processes, and technology they’ve already invested in to put points on the board, stuff the other team, and make the ref’s job a whole lot easier. With that said, following the coin toss, please stand for the singing of our national anthem…and then let’s play ball!

About the Authors:

Walt Carter started his Risk Management and Governance career as a technical officer working on nuclear weapon systems for the US Air Force over 25 years ago. As a Senior IT Executive and Consultant working with Fortune 500 companies in the areas of Governance, Risk and Compliance for the last 18 years, Walt is a recognized expert in the field and currently serves as Principal at RM Battle, LLC – a leading firm specializing in foundational information risk management practices. He earned his M.S. in Public and Private Administration from Central Michigan University. Walt played offensive line for four years at Guilford College while earning his undergraduate degree in Physics.

Reid Eastburn is a highly regarded consultant in the Governance, Risk and Compliance arena with credentials that include service at Accenture, IBM, and Arsenal Security Group. Reid is a Certified Information Systems Auditor (CISA), a Holistic Information Security Practitioner (HISP) and currently serves as the Vice President for Governance of the Atlanta chapter of ISACA, a worldwide organization for IT governance, control, security and assurance professionals. He earned both his B.S. in Management and M.S. in Economics from the Georgia Institute of Technology, where he was also on the 1990 National Championship Football team.