If there is one thing that has kept me on course in every task related to Governance, Risk Management and Compliance (GRC) and cybersecurity over the past 10 years, it is diligently asking “WHY”. Simple but powerful. Common sense, yet effective.
In many cases, I have found that “WHY” is the right tool to untangle complexity, get to the root causes, and simplify the matter at hand. It may sound like a cliché, because every formally trained or self-taught GRC professional knows the technique, but unfortunately, in many cases, it is not used to its full potential.
Let me give two examples:
- When dealing with multiple requirements (from regulators, clients, auditors, etc.), ask “WHY” until you reach the core of each one. More often than not, this reveals that most of them cover the same topics, only with different terminology and from different angles. Once an organisation understands this, it can combine many of these requirements into one integrated framework (breaking the silos). Simplifying the requirements, #SimplifyGRC
- The “WHY” can also be used to rationalise an organisation's control frameworks. Maintaining multiple control frameworks costs a lot of resources, and in many cases it even leads to stress and a high level of burn-out. Rationalising them (diligently asking “WHY” we need to keep control A or B), focusing on the key controls, and embedding most (if not all) of the remaining controls in the processes and product design pushes towards a more effective GRC regime. Simplifying control frameworks, #SimplifyGRC
As simple as it may sound, in a world that gets more complex every single day, the “WHY” is exactly what we need to use diligently in our daily work to make things simpler, more effective, and more secure.