GRC’s Mission Hazards: How to Avoid Choosing the Wrong GRC Software
Matt Kunkel | July 20, 2020
If the world of risk management was evolving at a blistering pace before COVID-19, the pandemic has only supercharged the speed of change.
A recent report from the World Economic Forum (WEF), COVID-19 Risks Outlook: A Preliminary Mapping and Its Implications, uncovers the many reasons for this acceleration, as well as the sorts of risks the pandemic would create or exacerbate. The WEF surveyed 347 risk analysts to see how they would rank major risks the world could face in the aftermath of the pandemic.
According to these analysts, virtually no corner of the global economy will emerge unscathed. Among the analysts’ many concerns:
A drawn-out disruption of global supply chains
Cyberattacks and data fraud due to shifts in work patterns, including remote work
Regulation of new technologies
A breakdown of IT infrastructure and networks
In other words, the governance, risk management, and compliance industry is at a crossroads that arrived sooner than expected. The number of security, regulatory, risk, and compliance challenges an organization faces has increased at a rapid pace, which means the job of risk professionals is only growing.
Unfortunately, GRC technology hasn’t always kept pace with the breakneck speed at which risks and regulatory environments are changing. Business leaders continue to face the challenge of developing and incorporating a solid GRC strategy that addresses a quickly evolving regulatory landscape, siloed business units, and disparate technology, but they’re doing it with the wrong tools.
And that was before COVID-19.
Modern GRC Tools Aren’t Getting the Job Done
When legacy systems require code changes, ongoing maintenance, and attention from dedicated tech teams, they also lead to skyrocketing costs—especially as an organization and its requirements grow. Most current technology within the $35 billion GRC market can’t adequately support the programs on which businesses depend and is woefully inadequate for meeting evolving risks and regulatory challenges.
On the journey to keeping up with (or, even better, outpacing) the speed of risk, there are certain mission hazards that every company should watch out for. They are:
Stubborn Rigidity: While razor-tight timing and tolerances measured in micrometers are necessary for space travel, GRC needs flexibility—one size never truly fits all. Yet too many current GRC products offer only rigid frameworks unable to expand beyond their original scope without significant, time-intensive, and expensive changes. When a company and its existing GRC programs don’t fit the model exactly, those platforms lose their effectiveness.
(Lack of) Visibility: Picture NASA mission control: flight engineers in short-sleeve button-down shirts, neckties, and horn-rimmed glasses, all with their eyes glued to flight metrics and chattering into their headsets. Also pictured: a complete understanding of how their particular domains influence the success of the overall mission. Everyone has full visibility into everything that’s going on with the mission. In the world of GRC, disconnected processes and a lack of transparency undermine the overall system, allowing control gaps and redundancies to go unnoticed.
The Frankenship: In their quest for a holistic solution, GRC professionals often cobble together rigid frameworks designed for single applications and wind up with solutions that resemble Dr. Frankenstein’s monster. Point solutions, spreadsheets, and manual approaches bolted and stitched onto existing platforms create a task unto itself: simply operating and maintaining such an unwieldy, complex platform. It doesn’t help that many of the tools and processes intended to manage compliance are themselves clunky and a chore to work with. What initially appeared to be the perfect GRC solution quickly becomes unsustainable, undependable, and expensive.
Siloed Functions: There’s a reason why astronauts stay tethered to the ship during spacewalks. In GRC, on the other hand, teams often create processes that would only work in a vacuum. This often happens in response to a specific event—a data breach, litigation, new regulation, investigation, audit feedback—but with little thought about how those processes work within the greater dynamics of the business. Siloed departments lead to inefficiencies, redundancies, and inaccuracies when different teams manage risks without collaborating. The disconnected systems store data inefficiently and muddle its retrieval for audit or analysis, making it harder to clearly understand the company’s risk position. Lacking a centralized platform can lead to hours spent on manual processes and the onerous, time-consuming task of sifting through a tangle of emails and spreadsheets when auditing or analyzing data.
Internal Influences: These can be as diverse as the mission itself. A lack of board-level oversight or program management, and few (if any) enterprise-wide standards and protocols, can each cause a GRC program to fall apart mid-flight.
External Influences: In mission planning, astronauts must account for the chance that the universe may send some unpredictable influence that causes the mission to go awry. GRC practitioners recognize the need to do the same, but still get tripped up by outside influences. These can include expanded government regulations, new technologies, the rise of competitors, and emerging threats.
Poor User Experience: Don’t be fooled into thinking good design is just window dressing. An intuitive and enjoyable user experience can ensure that the right GRC policies and procedures are executed every time and to completion. Not convinced? Just ask the crew aboard the International Space Station. NASA research has shown that design improvements to the ISS’s interior and flight controls have led to a happier, healthier, and more productive crew. Poor design around risk management, data collection, and organizational communication has also been widely cited as a contributing factor to the Challenger and Columbia disasters.
What’s Needed for a Successful GRC Program Today?
So, now that we know what to watch out for, how do we become proactive stewards of risk and compliance management? To start, we have to think beyond what’s around the corner. GRC’s role will continue to expand well into this decade and far beyond. Technology that can support innovative, robust GRC programs will continue to evolve: automating and streamlining audit, risk, and compliance management processes; importing, aggregating, and processing information gathered from incredibly diverse sources; and routing that data for reporting and visualization.
GRC strategies with the flexibility to adapt to and incorporate this latest technology will revolutionize businesses’ ability to evaluate, analyze, and quantify risk comprehensively across the organization. Most importantly, GRC’s return on investment will shift fundamentally. Once thought of as asset protection, it will come to be seen as a revenue-generating endeavor.