I was at the Twin Cities Information Risk Round Table meeting this morning in St. Paul, MN. Rick Ensenbach was there talking about OGEC Governance, Risk & Compliance. I'm not going to get into a discussion about the philosophy of GRC, but there were a couple of things that stuck out in the discussion. Rick at one point mentioned that this is such a broad, business-focused philosophy that it needs to be driven from the top down. The other thing that jumped out at me was that there is a heavy emphasis on collaboration and communication.
Well, my organization doesn't do collaboration and communication. We create kingdoms and defend them heavily, and we don't like to take the risk that other people will get the glory for even a portion of our work. We also have a top that will not mandate anything. So if we don't have collaboration and we don't have top-down management, is OGEC GRC a poor choice for my organization? Furthermore, is there any risk management framework that can operate without the support of C-level executives?