The Trump administration is already making good on its campaign promise to significantly roll back federal regulations. With change imminent, compliance and risk managers have found themselves in a fast-moving and unpredictable environment.
Regulatory reform poses a unique challenge for compliance and risk teams, who are responsible for keeping up with regulatory changes, ensuring personnel and third parties are aware of their responsibilities, and understanding the complexity of risk management. Facing these mounting difficulties, many enterprises have realized they need to develop more mature governance, risk management, and compliance (GRC) programs.
In late 2015, Gartner conducted a survey of its clients to understand how they are using GRC software to support enterprise risk management efforts. Nearly 40 percent of those surveyed were not using GRC software. In addition, 65 percent were not even familiar with the term “GRC”. However, in Gartner’s 2015 CEO survey, 65 percent of global CEOs and senior executives viewed the level of investment in risk management tools and practices as insufficient.
These surveys and similar research by Deloitte are among many indications that risk management is becoming a business priority at the executive level. Yet, its supporting technologies are underused and poorly understood. Too often, risk management programs are hampered by manual and disparate tools, such as spreadsheets, word processing documents and email. These inflexible, outdated tools are insufficient for audits, unsupportive of change management and often result in high costs as the business grows. Consequently, organizations are quickly realizing these methods will not scale as the risk landscape becomes broader and more complex.
Enterprises, especially those in highly regulated industries, need to shift to a more streamlined and integrated approach to help alleviate the many issues associated with manual compliance and risk management processes. They need comprehensive GRC software solutions, but are understandably hesitant to invest resources into overhauling their existing programs, concerned about compatibility with existing processes, systems, and employee skill sets.
Here are some telltale signs that your organization needs a GRC software solution:
- You are still using spreadsheets to track compliance and manage risks.
- Homegrown tools are slow to change as new risks and compliance mandates surface.
- Your program is slow to adapt to rapidly changing regulatory and risk environments.
- The auditor is coming and your compliance team is in panic mode.
- During an audit, you are unable to provide the auditor with requested information, such as timestamps.
- A negative incident occurred (data breach, audit failure, or enforcement action) and a more robust risk management, compliance, or IT security program is required.
- The costs of managing compliance and risk have skyrocketed as your organization has grown.
- Producing timely and accurate reporting is an ongoing struggle.
- Gathering and linking historical and environmental data points to understand your risk position is a challenge.
Companies are learning that risks do not solely impact or originate from individual processes, events, and environments. Developing integrated views of risk requires assessing every element of the enterprise value chain, the controls managing those value-creating elements, and how lack of control adherence is introducing risk and curtailing value.
There are purpose-built tools that tackle these problems. These full-featured, cloud-based solutions are called GRC platforms; some analysts call them integrated risk management solutions (IRMS). Best-of-breed GRC/IRMS platforms help organizations coordinate and streamline management of IT risk, vendor risk, compliance and policies, business continuity, and overall enterprise risk management, as well as significantly streamline the associated audit management and evidence-gathering processes. Without such solutions, most companies will incur increasing costs and unnecessary risk.
When selecting a GRC platform, consider key factors like efficiency, flexibility, specific needs, and compatibility with effective operational and transactional systems. Many GRC buyers have found that the ability to quickly build out and maintain the GRC system without consultants and coders is as important as the system being easy for end-users to operate. Here are a few other GRC platform considerations:
- Evaluate ease of use: how quickly can it be implemented, and will your employees be able to easily learn and use all of its features?
- Assess platform functionality: how do you get information and data into the GRC platform? What can be done with data in the platform? What reporting options are available?
- Identify GRC solutions that enhance your current compliance program: can this solution map policies to regulations? Is it configurable enough to mimic company processes, rather than changing your processes to fit the platform? Will this solution grow with your organization?
In the context of extreme and complex regulatory and risk changes, managing compliance and risk with outdated tools is not only time-consuming, but also potentially risky and expensive. No one claims it will be easy to integrate operations, compliance, risk, security, and audit functions, but taking the time to do this within a GRC platform is worth the effort and will provide benefits unobtainable with manual methods and office tools. Adopting GRC technology will build resilience, enhance efficiency, and optimize operations across the enterprise.