Managing Change is the Greatest GRC Challenge

Change is the single greatest challenge for organizations in the context of governance, risk management, and compliance (GRC). Managing the dynamic and intricate web of change, and how it impacts the organization, is driving organizations to improve their approach to GRC in the context of the organization's enterprise architecture.

The challenge is the compounding effect of change. Organizations have change bearing down on them from all directions that is constant, dynamic, and disruptive. Consider the scope of change organizations have to keep in sync:

  • External risk environments. External risks such as market, geo-political, societal, competitive, industry, and technological forces are constantly shifting in nature, impact, frequency, scope, and velocity.
  • Internal business environments. Internally, the organization has to stay on top of changing business environments that introduce a range of operational risks arising from employees, third-party relationships, mergers and acquisitions, processes, strategy, and technology.
  • Regulatory environments. Regulatory environments governing organizations are a constantly shifting sea of requirements at local, regional, and international levels. The turbulence of thousands of changing laws, regulations, enforcement actions, administrative decisions, rulemakings and more has organizations struggling to stay afloat.

Managing change across risk, business, and regulatory environments is challenging. Each of these vortexes of change is hard to monitor and manage individually, let alone in how they impact each other and the organization. Change in risks bears down on the organization, regulatory oversight and requirements increase, and all of this has a direct impact on the organization's internal processes, people, and technology. As internal processes, systems, and employees change, this in turn impacts compliance and risk posture. Change is an intricate machine of chaotic gears and movements that makes every aspect of GRC challenging in organizations. Keeping current with change and keeping the organization aligned is the most significant challenge in a GRC strategy.

Broken Process and Insufficient Resources to Manage Change

Change is overwhelming organizations across industries. Organizations are past the point of treading water; they are actively drowning in organizational, risk, and regulatory change. GRC alignment and reporting is a moving target as organizations are bombarded with thousands of changes. The amount of change coming at organizations is staggering.

The typical organization does not have adequate processes or resources in place to monitor change that impacts GRC. Organizations struggle to be intelligent about risk and regulatory developments, fail to prioritize and revise policies, and fail to take actionable steps to be proactive. Instead, most organizations end up firefighting, trying to keep the flames of change under control. This handicaps an organization operating in an environment under siege by an ever-changing external and internal landscape. Organizations that GRC 20/20 has interviewed in the context of GRC change management reference the following challenges to process and resources:

  • Insufficient headcount and subject matter expertise. Change related to GRC areas has tripled in the past five years. The effort to identify all of the applicable regulatory, risk, and organizational changes is time consuming, and organizations are understaffed. Most have not added FTEs or changed their processes despite the continued increase in change.
  • Frequency of change and number of information sources overwhelms. The frequency of GRC information sources and updates makes it challenging to sort through them and find what is relevant and significant to the organization. Organizations often subscribe to and utilize multiple sources of GRC intelligence that take time to go through and process in order to identify what is relevant.
  • Limited workflow and task management. Organizations rely on manual processes dependent on documents, spreadsheets and emails that lack accountability and follow-through. It is not possible to verify who reviewed a change, what actions need to be taken, or whether the task was transferred to someone else. This environment produces a lack of visibility into ongoing GRC management—the organization has no idea who is reviewing what and is unable to track what actions were taken, let alone which items are “closed.” GRC documentation is scattered across documents, spreadsheets, and emails in different versions.
  • Lack of an audit trail. The manual and document-centric approach to GRC change lacks the defensible audit and accountability trails that regulators and external auditors require. Regulators and auditors then find that GRC records have no accountability or integrity as to who reviewed which change and what action was decided upon. The lack of an audit trail is also prone to deception: individuals can fabricate or mislead about their actions to cover a trail, hide their ignorance, or otherwise get themselves out of trouble.
  • Limited reporting. Manual and ad hoc GRC change processes do not deliver intelligence. Analyzing and reporting across hundreds to thousands of scattered documents takes time and is prone to error. This approach lacks an overall information architecture and thus has no ability to report on the number of changes, who is responsible for reviewing them, the status of business impact analysis, or the courses of action. Trying to make sense of data collected in manual processes and thousands of documents and emails is a nightmare.
  • Wasted resources and spending. Silos of ad hoc GRC change monitoring lead to wasted resources and hidden costs. Instead of determining how resources can be leveraged to manage change efficiently and effectively, the different parts of the organization go in different directions with no system of accountability and transparency. The organization ends up with inefficient, ineffective and unmanageable processes and resources, unable to respond to change. The added cost and complexity of maintaining multiple processes and systems that cannot produce consistent results wastes time and resources, and creates excessive and unnecessary burdens across the organization.
  • Misaligned organization and GRC agility. GRC change without a common process, supported by an information architecture that facilitates collaboration and accountability, lacks agility. Change is frequent in organizations and comes from all directions. When information is trapped in scattered documents and emails, the organization is crippled. It lacks a full perspective on change and business intelligence. The organization is spinning so many GRC plates that it struggles with inefficiency and cannot adequately prioritize and tackle the most important and relevant issues to make informed decisions.
  • No accountability and structure. Ultimately, this means there is no strategically coordinated accountability for GRC change, and the process fails to be agile, effective, and efficient in its use of resources. Accountability is critical in a change process: organizations need to know who the subject-matter experts (SMEs) are, what has changed, who the change is assigned to, what the priorities are, what the risks are, what needs to be done, whether it is overdue, and the results of the change analysis.

Providing 360° Context for GRC and the Organization

Mature GRC requires an understanding of the business: its strategy, organizational structure, processes, risks, obligations, commitments, and objectives. The goal of GRC is to enable the organization to govern itself and manage risk and compliance in the context of the business.

Achieving GRC maturity requires a GRC architecture that leverages an understanding of the organization and how it operates. GRC architecture is a process by which the organization builds a structured understanding of its business, capabilities, processes and business context, and uses it as a foundation to ensure that GRC processes are executable, repeatable, cost effective and in line with risk appetite. In doing so, the organization has the means to assess the efficiency of its programs and align them with the organization's strategy. The mature GRC program will define and understand GRC as a process to translate business vision and strategy into effective enterprise-wide GRC oversight and alignment.

GRC 20/20 Resources to Assist In GRC Design & Maturity

The following research resources are available to assist organizations in GRC design and architecture choices:

Making Sense of GRC Related Technology & Solutions

Every organization does GRC (governance, risk management, and compliance), but that does not mean every organization does GRC well. Complicating this is a maze of GRC technologies. Some are built to solve very specific problems, others focus on department- or function-wide management of GRC related activities, some are enterprise platforms for a specific purpose (e.g., enterprise policy management, third party management, risk management), and some are Enterprise GRC platforms that try to bring everything together in a single architecture. Many of the latter fail, often watering down GRC to the lowest common denominator and frustrating those in the trenches of business and the back-office of GRC. As a result, many organizations have begun approaching GRC architecturally, allowing a core system to be the hub that integrates with best-of-breed GRC solutions where they make sense.

Adding to this is the maze of over 800 GRC technology solutions in the market across 17 primary segments of GRC domains, with many sub-segments in each. The primary segments are:

  • Enterprise GRC Platforms. Capability to manage an integrated architecture across multiple GRC areas in a structured strategy, process, information and technology architecture (see How to Purchase Enterprise GRC Platforms).
  • Audit Management & Analytics. Capability to manage audit planning, staff, documentation, execution/field work, findings, reporting, and analytics (see How to Purchase Audit Management Solutions & Platforms).
  • Automated Control Enforcement & Monitoring. Capability to automate the detection and enforcement of internal controls in business processes, systems, records, transactions, documents, and information.
  • Business Continuity Management. Capability to manage, maintain, and test continuity and disaster plans, and to implement these plans in response to expected and unexpected disruptions to all areas of operation.
  • Compliance Management. Capability to manage an overall compliance program, document and manage change to obligations, assess compliance, remediate non-compliance, and report (see How to Purchase Compliance Management Solutions & Platforms).
  • Environmental Management. Capability to document, monitor, assess, analyze, record, and report on environmental activities and compliance.
  • Health & Safety Management. Capability to manage, document, monitor, assess, report, and address incidents related to the health and safety of the workforce and workplace.
  • Internal Control Management. Capability to manage, define, document, map, monitor, test, assess, and report on internal controls of the organization.
  • IT GRC Management. Capability to govern IT in context of business objectives and manage IT process, technology, and information risk and compliance (see How to Purchase IT GRC Management Solutions & Platforms).
  • Issue Reporting & Management. Capability to notify on issues and incidents and manage, document, resolve, and report on the range of complaints, issues, incidents, events, investigations, and cases.
  • Legal Management. Capability to manage, monitor, and report on the organization’s legal operations, processes, matters, risks, and activities.
  • Physical Security Management. Capability to manage risk and losses to individuals and physical assets, facilities, inventory, and other property.
  • Policy & Training Management. Capability to manage the development, approval, distribution, communication, forms, maintenance, and records of policies, procedures and related awareness activities (see How to Purchase Policy Management Solutions & Platforms).
  • Quality Management. Capability to manage, assess, record, benchmark, and track activity, issues, failures, recalls, and improvement related to product and service quality.
  • Risk Management. Capability to identify, assess, measure, treat, manage, monitor, and report on risks to objectives, divisions, departments, processes, assets, and projects (see How to Purchase Risk Management Solutions & Platforms).
  • Strategy & Performance Management. Capability to govern, define, and manage strategic, financial, and operational objectives and related performance and risk activities.
  • Third Party Management. Capability to govern, manage, and monitor the array of third-party relationships in the enterprise, particularly the risk and compliance challenges these relationships bring (see How to Purchase 3rd Party Management Solutions & Platforms).

Despite the breadth of GRC related solutions in the market, many organizations are still encumbered by a labyrinth of chaos: manual processes using documents, spreadsheets, and emails for many of these areas. These disconnected silos of manual GRC processes are not sustainable and lead to exposure, failure, and loss. Unfortunately, organizations are quick to react to this and often find themselves neck deep in a GRC platform rollout before thinking through their overall strategy, process, information, and technology needs.

The problem with how many organizations approach GRC (remember, everyone does GRC whether they use the acronym or not) is that it has not been designed properly, particularly when it has been designed around the capabilities of a specific platform. Too often organizations let a GRC platform define their GRC strategy instead of letting their GRC strategy shape their GRC platform and architecture. Organizations end up with significant risk gaps in their operating models despite significant investment in ‘leading’ GRC platforms that are scattered and disconnected across the business. This has resulted in a poor return on investment in GRC related projects that fail to drive the value or opportunity that GRC transparency should create.

GRC projects fail when:

  • There is no GRC strategy and no understanding of the processes involved.
  • A GRC solution/platform is allowed to define the GRC strategy, processes, and information.
  • The GRC platform under-delivers against the range of needs and processes.
  • The organization tries to meet the needs of all departments with an inflexible solution that forces everyone to manage GRC to the lowest common denominator.
  • The needs of one department with budget overshadow the needs of other departments.
  • The GRC platform implementation goes over budget and misses deadlines while draining resources.
  • The GRC platform requires extensive and costly build-out to achieve capabilities the organization thought were native in the product.
  • The GRC platform does not integrate well with other systems.

Organizations that have gone down the wrong path with a GRC technology strategy may be ready to throw in the towel and call it quits. The truth is that an organization can never abandon GRC, because it is something every organization does. It may be done poorly or it may be done well, but every organization does GRC, whether they call it GRC or something else. While a technology strategy and GRC platform may be scrapped and the organization may retreat to old manual processes, that does not change the fact that the organization has a duty and responsibility for GRC.

There are a few key upcoming events to be aware of that can assist organizations with their GRC strategy and the role of technology in that strategy:

  • Findings from the OCEG GRC Technology Strategy Survey. OCEG engages GRC 20/20 to design this survey, analyze the findings, and build the written report. The webcast for this survey is on January 21st.
  • State of the GRC Market Research Briefing. This is GRC 20/20’s flagship Research Briefing. It is 2 hours in length and goes into the details of drivers and trends in GRC, market segmentation and forecasting, RFP scopes and trends, and buyer inquiries and what organizations are looking for. This is on February 1st.
  • Enterprise GRC by Design Workshop. This workshop aims to provide a blueprint for attendees on effective enterprise GRC strategies in a dynamic business, regulatory, and risk environment. Attendees will learn enterprise GRC strategies and techniques that can be applied across the organization. The next one is in Rhode Island, CT, USA on February 18th.

Spreadsheets in Financial Control Processes

GRC 20/20 is also working on a specific research project focusing on the regulatory scrutiny (e.g., SOX) of spreadsheets in financial control processes. Organizations are facing increased pressure to ensure that they have adequate controls over end-user computing, particularly spreadsheets. This is very apparent when spreadsheets are used as part of accounting processes. The Public Company Accounting Oversight Board (PCAOB) has requested that auditors increase their focus on ‘System Generated Data and Reports’, driving the application of so-called ‘enhanced audits’ of Sarbanes-Oxley (SOX) control processes. This scrutiny is leading to new SOX failings for companies that previously had none. In particular, these enhanced audits are exposing the role of spreadsheets in the context of Internal Control over Financial Reporting (ICFR) and the fact that such spreadsheet controls are often open to manual manipulation.

This survey is intended to gather organizations’ awareness of and concern about spreadsheet controls in the context of ICFR, audits and PCAOB scrutiny.

Take the survey: http://www.surveygizmo.com/s3/2448771/Spreadsheet-Controls