Tinkering The pragmatic Way: Revisited

I got into a nice discussion with some community members on my tinkering blog, where I advocated taking a pragmatic approach to governance, risk and compliance (GRC) procedures. Apart from the question whether the word "tinkering" is appropriate for such a serious topic (☺), there was a general consensus that implementing GRC should not become a new holy grail. Of course, the discussion triggered a few additional observations.

Information Security

Although I used fraud detection as an example to explain my thoughts, it occurred to me that information security should be an even more integral aspect of GRC. Not only as a technical way of implementing it, but also as a separate angle on doing business without losing money unnecessarily. More and more, our company information is an asset and not merely a byproduct of our operation. In certain verticals the information on our customers can become of more value than the total order value sold to them to date. Analysts like Bruce Richardson of AMR Research have acknowledged this by predicting that, since the key part of GRC appears to be security, "GRC becomes GRCS".

The 180-degree rule

Recall my rules when implementing GRC: if a procedure does not improve, or even hampers, the output of a process, it is not acceptable. And in general: keep a no-cost attitude in mind.

If we now throw information security into the equation, we might be able to turn the cost thinking around into revenue thinking.

An example: if we have to monitor the electronic channels through which we communicate with our customers, make sure we respect their privacy, and ensure that they only get access to what they are entitled to, we could implement this in the negative way: any misuse or deviation from the standard is reported. Why not turn it around and use the same implementation to also generate positive signals, such as informing tele-sales that this customer logged in four times, browsed for an hour, but did not purchase anything? Contact the customer, offer assistance, or a special discount to make it happen.

The resulting keyword is integration. If we take an integral approach to GRC(S), balancing need against the impact on our primary business processes, we will discover that it is all about doing sensible business. If we then apply our rules on 80/20, no-cost or even up-revenue, our implementation will by definition be an integrated one that supports business process improvement.

Again the question: Utopia? No, it is just smartly "welding" together the technical capabilities we have in such a way that the business process is optimized.

As always: Comments welcomed!

This blog is part of a series around tinkering:

Contact Hans van Nes at Results2Match.com.
