The concept of Agile GRC has gained currency in cybersecurity and corporate governance circles over the last couple of years. In this two-part blog series, we’ll unpack the meaning of Agile GRC, examine the attributes that Agile GRC technologies tend to have in common, and provide a reference point for potential buyers to take into consideration. See Part I here.
Once you’ve got a firm grasp on what Agile GRC is, a natural follow-up question is: what’s behind its rise?
In short, frustration with legacy approaches to GRC.
Thanks to a wide array of factors, many of the pre-Agile GRC market-leading companies have long been sowing the seeds of their own disruption. These legacy market leaders are widely perceived as rigid, unintuitive, difficult to use, and a drag on innovation: the very antithesis of the Agile GRC spirit.
Further, the current market leaders have long seemed unable, or unwilling, to meet companies where they currently are in terms of size, risk management maturity, and more. They’re also extremely complex, excruciatingly onerous to roll out, and really expensive. Between implementation costs, consulting fees, and change orders, the total cost of many legacy solutions is several orders of magnitude larger than that of Agile GRC solutions, despite the obvious shortcomings.
All of these factors have created textbook market conditions for smaller, more innovative players to enter and make inroads.
The marriage of need and technology
Finally, many GRC functions still conduct risk and compliance processes in a manual, ad hoc fashion. Standardization and optimization of processes—hallmarks of Agile GRC—are the first of many steps that companies can take to improve GRC speed, efficiency and effectiveness.
Companies want to “level up” their risk and compliance efforts by becoming smarter, faster, and leaner without sacrificing effectiveness. There are myriad reasons for this: data breaches in the news every week, new privacy regulations emerging around the globe, a wider and more complicated web of threats, and more. These are the forces giving rise to the surge of Agile GRC.
Part of Agile GRC’s purpose is making risk meaningful and giving it a real bearing on the company’s overall strategy. Through Agile GRC an organization can align its risk and compliance management initiatives with its purpose, and in turn with all aspects of its strategy, from mission, vision, brand and legacy to culture, values and people. Agile GRC delivers timely information and forecasting on key business drivers and on values beyond the financial impact. The entire organization can act faster and more efficiently to manage risk and compliance needs and proactively find solutions.
GRC’s changing complexion
In recent years, GRC has evolved in response to a number of large-scale macroeconomic events, and business and regulatory changes. In doing so, GRC has continually adjusted its core focus and expanded in scope.
Today, companies face greater uncertainty from a wide array of new and emerging risks. The globalization of competitive markets exposes organizations to a new breed of unexpected risks, leading GRC into a new phase focused on continual monitoring and responsiveness, business decision support, and improved shareholder value. Agile GRC has emerged as a natural fit for this array of future-oriented conditions.
Agile GRC in Practice: ERM at Blue Cross and Blue Shield of Kansas City
The case of Blue Cross and Blue Shield of Kansas City (Blue KC) offers an example of how companies are adopting Agile GRC to help their ERM programs keep up with changing times.
The company recently launched a strategic initiative to evolve how it handles enterprise risk. To help set the new direction, the company brought aboard a dedicated ERM team headed up by Cathy Denesia, Director of Enterprise Risk Management. Her mandate came straight from the C-suite.
Cathy’s mission is to make the ERM program more comprehensive and to move from a financial-based program to a value-based program. She’s also steering the evolution of the program from a reactive risk stance to a proactive stance: one that can identify and assess risks immediately when they appear. This is only possible with Agile GRC.
“We’re looking to help the organization better prioritize current risks and improve allocation of resources to mitigate risks on the horizon,” Cathy says. “We want to establish a risk tolerance level that fits with strategic planning.”
Cathy and her team are also working to refine Blue KC’s taxonomy of risks, as well as the broad buckets the company uses for categorization: Finance, Operations, Business Strategy, Regulatory Compliance, and People and Culture. She’s updating the company’s risk scoring methodology throughout the enterprise to make it more consistent and useful. The end goal is to monitor risk on an ongoing basis, so that trends can be recognized over time.
“We’re working on a standardized risk scoring approach to eliminate subjectivity and create a systematic process,” she adds. “When we plot all our risks on a heat map, it gives us some context and helps us know where to prioritize and devote resources and identify mitigating strategies.”
Where does Agile GRC go from here?
So, what’s next for Agile GRC? Agile GRC is poised to take full advantage of emerging technologies such as blockchain and Robotic Process Automation (RPA). RPA might help companies shift employees away from some of the more routine compliance activities toward value-creating functions. Meanwhile, artificial intelligence could help companies anticipate and proactively manage risk.
Beyond that there are a number of directions Agile GRC could go. Wherever it heads, you can be sure there will be alignment with the core principles of flexibility, trust, efficiency, and customer obsession.