Now is the Time: Taking the GRC Quantum Leap
A long-overdue shift that catapults governance, risk and compliance management (GRC) into the digital era is around the corner. GRC is a complex area under heavy regulatory pressure, yet it often receives limited top-management attention. Everything now points to GRC being next in line for a much-needed quantum leap.
Businesses have moved from keeping manual books to ERP systems, from employment contracts locked away in a drawer to planning annual reviews in Excel, to letting an HR software system do all of that and more. Goodbye to manual handling of CVs, contracts, career planning, and personal development. However, this is not the case in governance, risk, and compliance (GRC).
GRC processes, data, and procedures are still where HR used to be. Over and above the questions of productivity and cost, GRC management by Excel is a significant risk in itself. Even with competent and dedicated staff, it is fragile and dependent on specific individuals and their personal ways of working; a spreadsheet carries no audit trail, no access control, and no workflow, so a single departure or a mis-saved file can take the organization's risk and compliance record with it. Using Excel for risk and compliance management is difficult and simply inefficient. The realization that GRC management needs to transition to software systems has emerged slowly over time. For those standing on the sidelines watching this awakening within the GRC community, the current stage may seem like a big bang.
Managing all HR needs in Excel today would be unthinkable. Working with GRC, there is simply too much to deal with in terms of actual risk management and regulatory requirements, which require constant updating and competence development. It is too complex to manage without a system. The question now is not if one should use a GRC software system, but rather what to choose.
Joel Nisses, Director Reg & Tech Solutions
Investing in risk management is not viewed with the same excitement as other business investments, and without a budget nothing will happen. As long as all is going well in a company, the perception is that there are no risks. The reasoning is comparable to that of the secret police, who are always asked, "Why do you need a budget?" The relentless preventive work is conducted off-radar, invisible, and therefore typically not valued. At first glance GRC is not about operating on the plus side; rather the contrary. The benefit of this work is not always measured in monetary returns; it should be measured in the cost of damage avoided, or in value that can be reallocated thanks to better-informed decision making.
What do we see in this space, which is now gradually populated with GRC systems?
A large number of GRC systems with various features are available on the market today. Some of these are Enterprise Risk Management (ERM) tools serving primarily the energy or retail sector, but there are also systems catering to the financial sector. Meanwhile, additional regulatory requirements are on the horizon, such as the Digital Operational Resilience Act (DORA). It is high time to move on from GRC management by Excel to the next, more resilient stage, and it is a safe bet that GRC systems will be trending in the near future.
Understanding the challenges of GRC management
According to Nisses, the relatively slow adoption of GRC systems by organizations in the financial sector may be explained by a low level of maturity in using software solutions within the GRC community, and by a lack of recognition and understanding of GRC-management challenges at senior management level.
The need is recognized, but GRC professionals have not been ready to understand and set specifications and adequate requirements for emerging software solutions, nor has management sufficiently promoted digitalization and system support within the increasingly important sphere of GRC. This can be compared with the uphill battle in anti-money laundering and the implementation of KYC and transaction-monitoring systems. The transition will require a new breed of professionals, who might be called legal technologists: people with a solid grasp of both regulatory requirements and the know-how needed to build GRC capabilities and technology platforms. Progressively, as the market reaches a common understanding that GRC is too complex and too critical to the business to be left to spreadsheets, a standard for GRC software will be established.
Related to this is the rising cost of compliance, which is currently top of mind, while risk management is increasingly recognized as a crucial factor in building a sustainable and resilient business. So, what is keeping the market from moving forward?
Recommendations in order to take the GRC quantum leap
- Take a strategic approach to implementing a GRC system: look for a scalable solution that can be integrated with other systems.
- Avoid the temptation to achieve perfection at once; define what good looks like and work towards that goal.
- Ensure that the sponsor of the GRC system is a member of the organization's management team; without that backing the project is unlikely to succeed.
- Simplify complex GRC concepts and align them with the organization's overall goals to gain buy-in from management and other stakeholders.
- Invest in systems that help reduce risk and ensure that controls are in place, not just in marketing automation and transaction monitoring.