Agile GRC, Part I: What Can Risk and Compliance Learn From Agile Software Development?

The concept of Agile GRC has gained currency in cybersecurity and corporate governance circles over the last couple years. In this two-part blog series, we’ll unpack the meaning of Agile GRC, examine the attributes that Agile GRC technologies have in common, and provide a reference point for GRC tech buyers to consider.

Agile GRC has some disparate definitions. It has been described as everything from the logical marriage of needs and technology to a disruptive force in the world of governance, risk management, and compliance, destined to change the face of corporate governance forever.

If one thing is certain, it’s that risk and compliance managers need to know what it involves and what it means for them. So what is it really? Let’s dive in.

Agile GRC: A Working Definition

Agile GRC is a methodology to approach governance, risk, and compliance that helps companies manage their risk and compliance needs with speed and accuracy in the face of change and uncertainty. Like all approaches to GRC, Agile GRC’s chief aim is to protect the organization against risks, comply with regulations, and enable the company to make the right decisions. But it also bears a number of markings that separate it from its non-agile brethren. 

“The reality is that GRC can be agile and not a behemoth of cost," says GRC Expert Michael Rasmussen in a recent blog post on the topic. "There are a range of solutions in the market that are highly agile with ease of configuration and adaptability."

Before we explore what sets agile solutions apart, it’s important to recognize that Agile GRC is a term of art. It isn’t the same thing as Agile, the project management methodology—though the two share a few characteristics, such as responsiveness, flexibility, and collaboration. 

It’s also commonly defined by what it is not. Agile GRC is frequently held up as the antidote to legacy GRC solutions and the headaches they cause due to rigidity, implementation time, and expense. We’ll dig into that later in this post.

Where Did Agile GRC Come From?

Agile GRC is loosely derived from Agile Software Development and the tenets found in the Agile Manifesto.

The tenets of agile development include prioritizing...

...individuals and interactions over processes and tools.

...working software over comprehensive documentation.

...customer collaboration over contract negotiation.

...responding to change over following a plan.

Applied to software, the Agile Manifesto also identifies 12 primary principles (found here) of agile development. While not every principle is a direct carryover, many have informed Agile GRC as a discipline. Some of these principles include:

• Satisfy the business through early and continuous delivery of valuable GRC programs.
• Welcome changing requirements, even when your GRC processes are “live." Agile processes harness change for the customer's competitive advantage.
• The business stakeholders and GRC practitioners must work together daily throughout the project.
• Continuous attention to technical excellence and good design enhances agility.
• At regular intervals, the team reflects on how to become more effective, then tunes and adjusts its behavior accordingly.

Flexibility, the voice of the customer, and efficient collaboration are common threads that have obvious applications to GRC. With an Agile GRC approach, GRC practitioners are able to experiment and iterate on their ideas, and ultimately achieve the business goals they seek more quickly. In the next section, we’ll look at how that’s achieved.

Attributes of Technology that Enable Agile GRC

What characteristics do Agile GRC solutions share that separate them from other options on the market? We’ve broken those down into a few core areas, listed below.

Agile GRC solutions are…

• Usable. A core feature of Agile GRC solutions is their focus on user experience. Business users should be able to configure and expand the system on their own, without need for technical help. Thus many Agile GRC solutions tout their status as “no code”—allowing business users to manage organizational change, regulatory change, and risk change on their own. While this may sound like merely a nice-to-have design feature, Usability actually enables business to move more quickly and gives the business user unprecedented access to self service.  The tool’s user-friendliness has the potential to shape behavior and “nudge” people to do the right thing for the company and its risk and compliance program.
• Scalable. Agile GRC solutions can be implemented to support small enterprises all the way up to large, complex, multinational organizations. Not only that, but they are also able to expand along with the growth of the company. This means the company never “grows out” of its GRC tool because it can evolve with them.
• Flexible. Just as the tool can scale with the growth of the company, so too can it be adapted to a broad array of use cases. Its flexibility further applies to its ease of integration with other systems, as well as its ability to be upgraded to keep up with evolving demands and future-proof the company against emerging threats.
• Reportable. Agile GRC is further characterized by the depth of its analytics, reporting, and dashboarding features. These grant managers the ability to see at a high level what is going on with their overall GRC program, as well as drill down to see what’s going on at the ground level. Agile GRC puts managers in the cockpit of their programs, and makes it easy for them to communicate upward and outward the company’s status, risk posture, and more. Insights gleaned from the different levels of analysis create greater power to align GRC efforts to the company’s overall mission and purpose.
• Affordable. From licensing and implementation to ongoing maintenance and management, the total cost of ownership of Agile GRC tends to be a fraction of the legacy solutions. Fees for change orders and other maintenance become a thing of the past.

By facilitating transparency, completeness, and alignment with the company’s overall mission, these emerging technologies serve as enablers for Agile GRC to further change the way companies make decisions and help them fight another day.