Dreaming of the Ultimate GRC Platform . . .
In today’s rapidly evolving corporate landscape, the need for an enterprise view into Governance, Risk Management, and Compliance (GRC) is more pronounced than ever: one that truly addresses the official definition of GRC, found in the OCEG GRC Capability Model, that GRC is a capability to reliably achieve objectives (governance), address uncertainty (risk management), and act with integrity (compliance).
As the industry analyst that first framed and defined GRC and the GRC market for software and services on a cold snowy day in February 2002 (at Forrester Research, where I spent 7 years; I have now spent 17 years competing against Gartner and Forrester), I have seen GRC technology evolve. There are 69 solutions that I cover deeply in my market analysis, and over 200 others that I monitor in the market. While there are some great solutions in the market, many that I deeply admire and recommend, there is no perfect solution that brings it all together.
Too often GRC platforms are either built, or just deployed, backwards. They are CRG platforms, or just CR platforms, or too often C platforms that do not understand the R and the G.
In envisioning the ideal GRC platform, we dream of a platform that not only addresses current needs but also anticipates future challenges, thereby revolutionizing the way organizations address and integrate governance, risk management, and compliance. There will always be a need for a GRC architecture where best-of-breed solutions and content can integrate. But the overall command and control center that brings this together still needs some work. Some GRC solution providers are well on their way to addressing this, but no one has arrived. Of course, with technology continuously evolving, will we ever arrive? It is a continuous journey.
Here is my wish list for the Ultimate GRC Platform . . .
- Uniting Board Portal Excellence with Strong Governance. The dream begins with a solution that excels in integrating the board portal with robust governance mechanisms that filter down into strategy, performance, and operations. This system should provide an intuitive interface for board members, ensuring seamless access to vital information, fostering effective decision-making, and promoting transparent governance practices. The ideal platform will serve as a cornerstone for board-related activities, offering a blend of security, user-friendliness, and comprehensive functionality.
- Currently, there is one primary solution provider in the market that is focused on this and a few others that have some capabilities.
- Strategy, Performance, and Objective Management. Central to this GRC platform and architecture is a deep capability focused on strategy, performance, and objective management, one that enables the organization to define and map corporate strategy, define objectives, and monitor performance against those objectives. Remember that the G in GRC is governance, which is the capability to achieve objectives reliably. Objectives can be entity-level objectives and drill down into division, department, process, project, asset, or even third-party/supplier objectives. Objectives can be financial, performance, operational, ethical/value, compliance, and more. GRC starts with objectives when done correctly. However, most solutions do not cover this. This element ensures that the GRC processes are not just regulatory checkboxes but are intrinsically linked to the organization’s strategic objectives and performance indicators. Doing so aligns GRC activities with the company’s broader goals, creating a cohesive and forward-looking approach.
- Currently, there are two solutions in the market that I monitor that do this well. Others may have some very rudimentary capabilities, but it is more of an afterthought than anything of real value.
- Also, I get frustrated when I see solutions/modules for ESG that start with ESG risks and not objectives. That is putting the cart before the horse. I DO NOT recommend solutions for ESG (see more below) that start with a risk-centric view.
- Elevating GRC and ESG Reporting. A critical feature of this dream architecture is its prowess in GRC and Environmental, Social, and Governance (ESG) reporting. The number one complaint on nearly all client reference calls of GRC platforms is reporting. Nobody likes the reporting. NOTE: Dashboards are not reports; they are different. Acknowledging the common denominator in client feedback – the need for enhanced reporting capabilities – this solution must offer sophisticated reporting tools. These tools should cater to various stakeholders, including the board, regulators, and internal teams, ensuring clarity, assurance, and alignment with organizational goals.
- Currently, there is one solution that comes to mind that excels in reporting (again, not dashboards) in the market for GRC, ESG, and compliance reporting.
- Risk Quantification & Visualization. Honestly, this needs A LOT of work. Every platform is marketing risk quantification, but most get it wrong, terribly wrong. And many are very broken when it comes to things like risk normalization and aggregation. I am a big fan of bow-tie risk assessments and visualizations (I am a right-brain risk thinker), and I respect Monte Carlo analysis and other risk quantification methodologies (but many solutions have a half-baked attempt at Monte Carlo analysis). Solutions that can bring both together excite me, but few do.
- Currently, there are a handful of solutions that I feel truly do risk quantification and visualization well.
- Addressing Operational Needs in GRC. This dream solution dives deep into the operational aspects of GRC, encompassing enterprise and operational risk management, internal control, compliance, ESG management, audit, policy management, and more. It comprehensively addresses the intricate, day-to-day elements of GRC, ensuring no aspect is left unmanaged.
- This is an area where many solutions do things well in specific areas. Some are great at EH&S, others great at IT risk management, others at continuity and resilience, others at third-party risk. Some have done very well across these domains in GRC.
- Integration with Specialized GRC Solutions. Understanding the diversity in GRC needs, this platform/architecture would not just stand alone but would seamlessly integrate with best-of-breed solutions specializing in areas like third-party risk, IT risk, and Environmental Health & Safety (EH&S) when and where it makes sense. This integration ensures that organizations benefit from specialized expertise without sacrificing the cohesion of a unified GRC platform.
- Some solutions excel at their ease of integration with other systems, whether GRC specialty/domain-specific solutions or broader business systems. Others do not integrate so well.
- Leveraging AI in Cognitive GRC. At the heart of this architecture lies a next-generation, AI-driven #CognitiveGRC platform. This system uses artificial intelligence appropriately and effectively across various GRC processes, enhancing predictive capabilities, automating routine tasks, and providing deeper insights. The platform may also connect with AI best-of-breed solutions that focus on specific GRC areas, such as regulatory change management or third-party risk intelligence, harnessing the power of technology to drive smarter, more efficient compliance and risk management.
- We are seeing a lot of shifts in the market right now. Some have acquired CognitiveGRC capabilities to extend their GRC platform, others have partnered, and others are building this. Unfortunately, there is a lot of smoke and mirrors regarding AI. There are some great solutions delivering value, but there is also a lot of marketing hype for what may only exist or be developed in the future.
- Built on Agile, No-Code, Low-Code Principles. Finally, the foundation of this GRC dream is an #AgileGRC architecture, developed in a true #nocode and #lowcode environment. This approach ensures that the system is not only advanced and robust but also highly configurable and adaptable to an organization’s specific needs. Such flexibility is crucial in a dynamic business environment, allowing companies to respond swiftly to changes without being hindered by their GRC systems.
- This is a huge frustration for me. Some “low-code” solutions are really hiding behind marketing where they are still “high-code.” Others advertise themselves as “no-code” but are completely rigid and not agile. They may be beautiful platforms, but you cannot adapt them to your business; you have to adapt your business to them.
- The true “no-code” solution is highly configurable and agile to adapt to the organization’s needs. A handful of solutions in the market are truly addressing this, while others slap these terms on for marketing and not reality.
In conclusion, the envisioned GRC platform of the future is more than just a tool – it’s a strategic partner for organizations, adeptly navigating the complex world of governance, risk, and compliance. With this dream architecture, we are not just solving today’s challenges but are also paving the way for a more adaptable, intelligent, and integrated approach to GRC in the future.
Have a question on GRC solutions in the market that are the best fit for your particular needs? Ask GRC 20/20, as we offer complimentary inquiry to help you navigate the breadth and depth of solutions available in the market . . .