A Jedi uses the Force for knowledge and defense, never for attack. – Yoda
To be a true GRC Yoda, an organization must enact a Principled Performance-based program using knowledge as a defense. However, any good Star Wars fan knows that learning how to use The Force is more important than The Force itself. Yoda, the knowledge-based expert, guided his Padawans to defend the galaxy through knowledge. In the same way, an organization’s CIO can protect a company using the GRC Principled Performance approach.
What is Principled Performance?
Principled performance is defined as “reliable achievement of objectives while addressing uncertainty and acting with integrity.” This means that for an organization to succeed, it must find ways of consistently evaluating unknowns. These evaluations must also be supported and documented to be trustworthy. As an organization’s Yoda, the CIO’s goal is to look to the future and make sure that unknowns are appropriately considered.
Why Principled Performance?
In a webinar on GRC Fundamentals, OCEG Chair Scott Mitchell discusses how to incorporate GRC into the standards of principled performance. As transparency gains greater social traction, customers seek to know not just what a business does but how it follows through. Customers want proof that a business not only acts ethically but has also reviewed all possible interrelated risks that could cause harm.
The first step involves defining objectives and understanding boundaries. Audit-focused programs often look at risk-based program management revolving around external standards such as industry standards or regulatory requirements. However, a company’s internal standards, such as policies and processes, are even more important. The integrity portion of the Principled Performance approach means more than simply making promises; it means making sure that the whole organization keeps promises. CIOs must ensure that all their Padawans stay on the Light path rather than veering to the Dark Side out of fear of audit results or ignorance of company policy.
In the past, the lack of sharing within a company created silos. Carole Switzer of OCEG noted that the GRC Capability Model can act as an all-connecting Force for compliance. One missed risk in a single siloed area can lead to an organization-wide butterfly effect. By bringing together all areas using the same language, these wings can be quelled. Being Yoda means ensuring that all members of the organization, from Padawan employees to Jedi Council Senior Management, are connected through a shared sense of responsibility.
Why Prove Principled Performance?
Proof requires knowledge and data. The reliability prong of the Principled Performance definition requires having evidence coming from standardized best practices. This is where having a GRC tool can help most. ZenGRC allows users to review evidence and create reports that identify gaps or overlaps in programs. Using a GRC tool can make a CIO better than Yoda when it comes to creating a continuously successful program with consistent outcomes.
If you’re a CIO and you’re reading this right now, don’t worry; CIOs are Yoda in many ways. Yoda established internal boundaries much the way CIOs establish internal boundaries. Yoda had to teach and reinforce the rules of The Force much the way that CIOs need to teach and reinforce information security policies and processes. However, Yoda had only his memory to ensure ongoing compliance with the ways of the Jedi. CIOs can use software like ZenGRC to establish documentation to ensure ongoing compliance. Using these tools, CIOs can convince their Senior Management, or their own Jedi Council, of their methods. If CIOs want to be better than Yoda, they need to use GRC software to help incorporate Principled Performance strategies.