Getting stakeholder agreement on a coordinated approach to governance, risk, and compliance (GRC) management is no easy task. Budget, buy-in, departmental silos, and existing processes and tools (or lack thereof) can all stand in the way of pursuing GRC program maturity.
Yet, apart from these challenges, many organizations fail to consider the return on investment from business benefits of an integrated, technology-enabled GRC program. In this series, we’ll explore some of the most common pitfalls risk and compliance leaders fall into when discussing GRC initiatives or improvements.
GRC Myths About Program Development & Maturity
1. We can get by without a GRC program.
This assumption places organizations in a precarious situation. Every business is managing governance, risk, and compliance at some level, whether or not they have a formal program. Implementing an enterprise-wide GRC framework is a necessity in today’s operating environment and needs to go beyond a “tick-the-box” approach to avoiding major risk events or maintaining compliance.
The events of 2020 have been a case in point, particularly for institutions in regulated industries. Between a pandemic outbreak, economic instability, and a pivot to remote working, many risk and compliance teams found themselves scrambling. There were business continuity plans to update, risk management and mitigation strategies to reassess, policies to create and revise, regulatory changes to review.
Without a preexisting, centralized system for risk and compliance management, many institutions struggled to adapt to new operational risks and business challenges. Perhaps the biggest argument in favor of a GRC program is that it serves as a success enabler, equipping organizations to navigate uncertainty, pursue growth, and identify risks worth taking and risks to avoid — key capabilities in any circumstances, but crucial during times of change.
2. Manual GRC management is good enough.
Manual GRC programs — often managed using spreadsheets, shared files and drives, and other disconnected methods — may get the job done for a time. But it’s likely that employees are spending dozens, if not hundreds, of combined hours on individual assessments, reports, and reviews.
This level of effort is not only burdensome and unsustainable, but also doesn’t deliver timely data access and analysis. With important information siloed across departments, data duplication and inconsistencies are a given, and extracting any trends or insights is next to impossible. This prevents risk and compliance managers from providing your executive team or board with the kind of oversight and aggregation they need to make informed decisions.
Starting on the path to digital transformation and GRC program automation can make a measurable difference. Research from the finance sector indicates that organizations achieve greater efficiency when they prioritize digital initiatives that enable “a big-picture look at risk management’s overall organization, governance, and performance management.” Implementing improvements such as enhanced monitoring and automated reporting can increase the productivity of specific risk management activities by 40% or more.
3. Each department can manage its own GRC activities.
This approach may work up to a point, but eventually siloed management across areas such as ERM, compliance, business continuity, and IT security will produce duplicate or inaccurate data, complicate reporting, and may even conceal potential risks.
Taking an enterprise-wide view of GRC — often achieved through technology solutions that provide cross-functional data integration — enables business units to share a common framework for defining and assessing risk and highlights critical dependencies across your organization. In turn, this improves executive oversight and eliminates redundant administrative activities, reducing the time, effort, and resources required for GRC management.
4. We’ve completed our GRC initiatives.
GRC isn’t a “set it and forget it” project, but a continual process. Effective GRC management must be an ongoing, cross-functional effort that evolves to accommodate organizational changes and shifts in the risk and compliance landscape.
Organizations that realize the most value from their GRC program often opt for a phased journey to GRC maturity. After establishing processes and technology infrastructure in one or two functional areas, you can start defining the scope for each additional business unit in your GRC plan, establish points of integration, define terms of cross-functional collaboration, and allocate resources for future program expansion.
GRC Myths About Tools & Technology
5. All GRC platforms are equal.
OCEG, a nonprofit think tank, popularized the term GRC and defines the discipline as “the integrated collection of capabilities that enable an organization to reliably achieve objectives [governance], address uncertainty [risk management] and act with integrity [compliance].”
However, few management platforms offer meaningful integration between functions, which is a key aspect of enabling enterprise-wide oversight, generating useable data, and empowering strategic decisions around governance, risk, and compliance.
Vendors that claim to have product integration often either piece together in-house and third-party solutions that weren’t designed to work together, or don’t have a flexible data architecture that allows users to configure workflows, task management, and reporting to fit their needs.
True integration facilitates communication and shared data between GRC disciplines, equipping teams and individuals to get the data they need to the right people at the right time. This improves efficiency across the enterprise and facilitates alignment to your organization’s objectives through a shared framework for defining, measuring, and managing risk.
6. It takes too long to implement GRC solutions.
Organizations’ experience implementing GRC technology largely depends on the type of solution they choose. On-premise software or piecemeal products tend to require extended installation and implementation processes.
By contrast, software-as-a-service (SaaS) solutions can accelerate time to value with flexible options that meet immediate management needs but also offer a path to GRC maturity. Look for a scalable system that enables quick wins in a couple of key areas — such as third-party risk, business continuity, or policy management — but also facilitates expansion as capacity or resources allow.
This approach allows institutions to focus on building critical GRC management capabilities at a pace and scope that matches their needs, then leverage initial improvements to work toward program maturity and expand functionality. Using this phased strategy frequently enables organizations to complete implementation in a matter of weeks, capturing significant value from their GRC program within a few months.
As organizations optimize and digitize their management processes, they begin to achieve greater efficiency, agility, and strategic alignment. But it takes a decision to start the GRC maturity journey to get there, and many risk and compliance leaders find that investing in an integrated GRC solution is the most effective way to take the first step and reach their destination faster.
7. GRC solutions are hard to use.
Finding a GRC system that meets your organization’s needs involves due diligence. Making sure you have a clear understanding of each solution’s capabilities, limitations, and implementation and maintenance requirements will be key to finding a good fit. A “blank slate” solution that requires extensive configuration or coding, versus a GRC platform with built-in best practices and workflows, will differ dramatically in ease of use and user experience.
While every organization will have different criteria for specific GRC management categories, it’s also important to evaluate the anatomy of the platform as a whole and aspects that impact usability.
When comparing GRC solutions, look for user-friendly functionality that contributes to easier onboarding and program setup, such as:
- Integration between products
- Configuration options to coordinate with current or desired processes
- Built-in content such as risk and control libraries, risk assessment questions, regulation summaries, etc.
- Pre-built workflows and guided processes
- Dashboarding; ability to monitor GRC activities
- Ability to generate reports
- Training resources
GRC Myths About Cost & ROI
8. GRC is a necessary inconvenience.
Many organizations have traditionally approached GRC as a reactive process, scrambling to respond when there’s a risk event, audit finding, regulatory change, business disruption, or other incident. From this perspective, institutions — and the individuals responsible for day-to-day risk and compliance management tasks — may see GRC as an obligatory nuisance that takes up valuable time and resources.
In reality, GRC doesn’t have to be a drain on your organization’s staff and budget. Supported by the right processes and technology, a well-executed GRC program is an investment that informs business strategy and drives growth and performance improvements. To overcome negative perceptions of GRC, those advocating for program enhancements may need to educate stakeholders about the value of a proactive, data-driven approach to GRC management.
9. We don’t have the budget or buy-in to implement a formal GRC program or invest in GRC technology.
When considering the costs versus benefits of GRC, many organizations assume that launching a formal program or technology solution will require a significant investment, both financially and in terms of time and effort. Providers that offer flexible software-as-a-service (SaaS) products and consulting services can help organizations at any GRC maturity level complete a successful implementation within budget through phased rollouts and scalable solutions.
While focusing on the upfront costs, organizations often fail to consider the gains that may not only justify the investment but also accelerate time to value for their GRC program, such as:
- Increased employee productivity
- Cost and time savings from streamlining management processes
- Improved ability to allocate resources and reduce losses
- Enhanced data quality
- Reduced gaps in risk and compliance
- Increased agility in decision-making and identifying risks and opportunities
Quantifying these advantages influences the cost/benefit analysis and will give a more accurate picture of the ROI organizations can expect to realize from investing in GRC.
Another argument in favor of starting the journey to GRC maturity is its direct impact on operating expenses. Research from McKinsey & Company indicates that digitizing the risk management function through capabilities such as process automation, workflow tools, and monitoring and analytics can reduce the costs of risk activities by 20 to 30%.
In short, comparing your current risk and compliance management abilities with the outcomes of a more mature and streamlined GRC program may reveal some surprising opportunities and help your organization develop a plan for guiding investments and improvements.
10. The effort required for consolidating our GRC processes and data in a single management system isn’t worth it.
Managing GRC through a single technology platform frequently reduces both the number of tools and the number of employees appointed to risk and compliance. Instead of using multiple pieces of software for various management tasks or different risk verticals, organizations get the most value out of a flexible system that can meet their immediate GRC needs and grow with them in the long-term.
Plus, for institutions that choose a comprehensive solution, risk managers and other GRC practitioners can access tools for task management and notifications, data and documentation, assessment, and reporting in one location — significantly reducing manual labor.
The initial outlay of work may seem daunting, but doesn’t have to be; look for vendors that offer implementation and consulting services to help you navigate the transition to a new system.
In order to start seeing the value of GRC, organizations need to shift their perspective from viewing risk and compliance activities as a burden or regulatory checkbox to recognizing its potential to optimize business strategy and performance and support informed decision-making.
Too often, organizations feel stuck in the status quo of manual, disconnected GRC management or legacy solutions. These options seldom meet evolving internal and regulatory expectations for risk identification, assessment, mitigation, and reporting across the enterprise.
Learn how integrated GRC solutions can help: See Quantivate’s GRC platform in action.
About Quantivate: Quantivate is a provider of web-based governance, risk, and compliance (GRC) technology and service solutions to organizations both large and small nationwide. Founded in 2005 with the release of its Business Continuity Software, the company has grown to feature a full suite of solutions for GRC management, including Business Continuity, Vendor Management, Enterprise Risk Management, IT Risk Management, Internal Audit, Compliance Management, Complaint Management, and Policy & Document Management.