10-30-2019 12:16 PM
Hi All,
I am a newbie to GRC and planning to implement it. Can you please tell me what I need to consider for the implementation, and share any implementation document with me?
Basically, I am looking for a technical implementation document or some cheat sheets for the implementation, so that I don't forget the important steps during implementation and regret it later.
Please don't post the docs link, I already know a few things are there.
10-30-2019 01:10 PM
Namaste Sri,
I would look at this excellent "New York GRC Implementation Checklist" made by ServiceNow. (Word version attached)
Source: https://servicenow.highspot.com
∴
Best regards from Switzerland
Shiva :¬,
If this reply assisted you, please consider marking it 👍Helpful or ✅Correct.
This enables other customers to learn from your thread.
10-30-2019 02:06 PM
Hi Sri,
Below are my suggestions:
1. The first question I would ask a customer if they are planning to implement GRC is: do you have a strong CMDB? The reason is that Entities/Entity Types are the heart of GRC. If they have a good, healthy CMDB, it becomes very easy and useful to scope out their Entities/ETs to track Controls and Risks throughout.
2. I cannot stress enough how important Entities and Entity Types are, because they play a vital role. So ensure they are implemented and framed in the right way, because Entities/ETs will be used across Policy and Compliance, Risk, and Audit management.
3. Ensure the integrations are pulling in the latest data. For example, if they use UCF, ensure it is the most up-to-date version when you move to production. You can verify it from the Common Controls Hub.
4. Ensure the relationships are maintained well, i.e. Authority Docs to Citations, Citations to Policy Statements (CO), Policy Statements (CO) to Policies, Entity Type to Policy Statement (CO), etc.
5. Ensure that the "Create Controls Automatically" checkbox is checked only if needed; otherwise it will keep creating controls automatically each time an Entity Type is associated to a Policy Statement.
6. If you're uploading policies in the Draft state in a lower environment, before people start working on them and moving them to different states, it's good to take a dump once a POC reviews them, so you can import them into production in the Draft state without any issues.
7. It's good to know that it's not always mandatory to assign an Entity Type to a risk framework or to a policy. But an Entity Type must be related to a Policy Statement/Risk Statement so the necessary risks and controls can be generated. Good practice.
8. Knowledge base workflow check: as a policy publishes as part of the workflow, and as audit reporting publishes when "Publish" is clicked on the Generate Report list, if you do not want an article to get published before review, ensure the knowledge workflow is customized and configured accordingly.
These are some of the points to consider when you do an implementation.
Hope it helps!
Cheers,
Priya
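Points 4, 5 and 7 above describe things to verify before go-live: that the Authority Document → Citation → Policy Statement → Policy chain has no dangling links, that every Entity Type is related to at least one Policy Statement, and that the automatic control creation has not produced duplicate controls for the same Entity/Policy Statement pair. The script below is an added example written for this reply, not code from the thread or from ServiceNow. It is plain JavaScript over a small constructed in-memory snapshot, so it runs offline in Node; the record shapes and field names (`authority_document`, `citation`, `policy`, `policy_statements`, `entity_type`, `entity`) are assumptions for this model, not the platform's schema, and a real check would populate the same structures from an export of the relevant tables.

```javascript
// Added example: pre-go-live relationship and control-coverage check over a
// constructed snapshot of GRC records. Field names are assumptions for this
// in-memory model, not a description of the platform's tables.

const snapshot = {
  authorityDocs: [{ id: "AD1", name: "Sample framework (constructed)" }],
  citations: [
    { id: "CIT1", authority_document: "AD1" },
    { id: "CIT2", authority_document: "AD-MISSING" }, // dangling link (point 4)
  ],
  policies: [{ id: "POL1", name: "Access control policy (constructed)" }],
  policyStatements: [
    { id: "PS1", citation: "CIT1", policy: "POL1" },
    { id: "PS2", citation: "CIT2", policy: null }, // not attached to a policy
  ],
  entityTypes: [
    { id: "ET1", policy_statements: ["PS1"] },
    { id: "ET2", policy_statements: [] }, // point 7: nothing to generate from
  ],
  entities: [
    { id: "E1", entity_type: "ET1" },
    { id: "E2", entity_type: "ET1" },
    { id: "E3", entity_type: "ET1" }, // no control yet
  ],
  controls: [
    { id: "C1", policy_statement: "PS1", entity: "E1" },
    { id: "C2", policy_statement: "PS1", entity: "E2" },
    { id: "C3", policy_statement: "PS1", entity: "E2" }, // duplicate (point 5)
  ],
};

function byId(rows) {
  return new Map(rows.map((r) => [r.id, r]));
}

// Point 4 / 7: walk each reference and report broken or missing relationships.
function checkRelationships(s) {
  const docs = byId(s.authorityDocs);
  const cits = byId(s.citations);
  const pols = byId(s.policies);
  const findings = [];
  for (const c of s.citations) {
    if (!docs.has(c.authority_document)) {
      findings.push({ record: c.id, issue: "citation points to a missing authority document" });
    }
  }
  for (const ps of s.policyStatements) {
    if (!cits.has(ps.citation)) {
      findings.push({ record: ps.id, issue: "policy statement points to a missing citation" });
    }
    if (!ps.policy || !pols.has(ps.policy)) {
      findings.push({ record: ps.id, issue: "policy statement is not attached to a policy" });
    }
  }
  for (const et of s.entityTypes) {
    if (et.policy_statements.length === 0) {
      findings.push({ record: et.id, issue: "entity type has no policy statement; no controls can be generated" });
    }
  }
  return findings;
}

// Point 5: more than one control for the same (policy statement, entity) pair
// is the symptom of controls being re-created on every association.
function findDuplicateControls(s) {
  const seen = new Map(); // "policy_statement|entity" -> [control ids]
  for (const c of s.controls) {
    const key = `${c.policy_statement}|${c.entity}`;
    if (!seen.has(key)) seen.set(key, []);
    seen.get(key).push(c.id);
  }
  return [...seen.entries()]
    .filter(([, ids]) => ids.length > 1)
    .map(([pair, ids]) => ({ pair, controls: ids }));
}

// Coverage: each entity of a type should carry one control per policy statement
// related to that type. Returns the (entity, policy statement) pairs with none.
function findMissingControls(s) {
  const have = new Set(s.controls.map((c) => `${c.policy_statement}|${c.entity}`));
  const types = byId(s.entityTypes);
  const missing = [];
  for (const e of s.entities) {
    const et = types.get(e.entity_type);
    if (!et) continue;
    for (const ps of et.policy_statements) {
      if (!have.has(`${ps}|${e.id}`)) missing.push({ entity: e.id, policy_statement: ps });
    }
  }
  return missing;
}

function runReport(s = snapshot) {
  return {
    relationships: checkRelationships(s),
    duplicates: findDuplicateControls(s),
    missing: findMissingControls(s),
  };
}

console.log(JSON.stringify(runReport(), null, 2));
```

Run it with `node` and read the three lists as a go/no-go checklist: anything under `relationships` is a broken link to repair before importing into production, `duplicates` tells you the auto-create checkbox has been left on longer than intended, and `missing` shows entities that will have no control until generation is run for them.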
10-30-2019 08:48 PM
Just re: 7, have you seen the new 'Additional Entities' related list on the content-level records? This new behaviour is also visible from the Entity record in reverse, via 'Downstream Controls'.
This allows you to create what were previously manual or one-off controls in a more structured way, without going full bore mapping Entity Type to document or content...
Interesting, but I am due to raise a bug on the fact that it is putting the profile into the item source_list; teething problems here!
Also, in NY, the concept of a leaf in Risk Management is going to impact the ability to generate Risks due to the new use of the 'parent' field...
10-30-2019 09:08 PM
Regarding the original post, this is a great way to get some background and get into the tool before implementing it. But my best advice is to engage with an SN partner who is really focused on this area. The topic is so broad, there is so much collateral, and there is no silver bullet. GRC implementation is a real journey, best delivered in structured phases.
The checklist from Shiva is really interesting, and the main thing I would underline from Priya is the 'scoping' aspect. Think about this. However, do not be constrained by the CMDB! A good CMDB will really allow SN to play to its strengths, and every org should aspire to having such a powerful golden source, but sometimes it is not always meaningful, and other reference data is more appropriate. Think location, department, company, etc.; these areas still allow you to put the Entities front and centre. And if you do not know yet, start with 1 entity = primary company and start to break it down from there...
There is a reason the training courses exist, and each implementation has its own specifics. That is why we have things like a scoping document, to understand each customer and their current priorities and level of maturity. Before I tell you how to implement GRC, I need you to tell me a lot of requisite information, and the conversation is tailored from there... 🙂