GRC Myths: 10 Risk & Compliance Management Misconceptions to Avoid [Part 1]

  • November 19, 2020
  • Quantivate

Getting stakeholder agreement on a coordinated approach to governance, risk, and compliance (GRC) management is no easy task. Budget, buy-in, departmental silos, and existing processes and tools (or lack thereof) can all stand in the way of pursuing GRC program maturity.

Beyond these practical obstacles, many organizations also fail to weigh the return on investment and business benefits of an integrated, technology-enabled GRC program. In this series, we’ll explore some of the most common pitfalls risk and compliance leaders fall into when discussing GRC initiatives or improvements.

GRC Myths About Program Development & Maturity

1. We can get by without a GRC program.

This assumption places organizations in a precarious position. Every business manages governance, risk, and compliance at some level, whether or not it has a formal program. In today’s operating environment, an enterprise-wide GRC framework is a necessity, and it needs to go beyond a “tick-the-box” exercise if it is to prevent major risk events and sustain compliance.

The events of 2020 have been a case in point, particularly for institutions in regulated industries. Between a pandemic outbreak, economic instability, and a pivot to remote working, many risk and compliance teams found themselves scrambling. There were business continuity plans to update, risk management and mitigation strategies to reassess, policies to create and revise, and regulatory changes to review.

Without a preexisting, centralized system for risk and compliance management, many institutions struggled to adapt to new operational risks and business challenges. Perhaps the biggest argument in favor of a GRC program is that it serves as a success enabler, equipping organizations to navigate uncertainty, pursue growth, and identify risks worth taking and risks to avoid — key capabilities in any circumstances, but crucial during times of change.

2. Manual GRC management is good enough.

Manual GRC programs — often managed using spreadsheets, shared files and drives, and other disconnected methods — may get the job done for a time. But it’s likely that employees are spending dozens, if not hundreds, of combined hours on individual assessments, reports, and reviews.

This level of effort is not only burdensome and unsustainable but also fails to deliver timely access to data and analysis. With important information siloed across departments, duplicated and inconsistent data are a given, and extracting trends or insights is next to impossible. As a result, risk and compliance managers cannot give the executive team or board the aggregated view and oversight they need to make informed decisions.

Starting on the path to digital transformation and GRC program automation can make a measurable difference. Research from the finance sector indicates that organizations achieve greater efficiency when they prioritize digital initiatives that enable “a big-picture look at risk management’s overall organization, governance, and performance management.” Implementing improvements such as enhanced monitoring and automated reporting can increase the productivity of specific risk management activities by 40% or more.

3. Each department can manage its own GRC activities.

This approach may work up to a point, but siloed management across areas such as enterprise risk management (ERM), compliance, business continuity, and IT security will eventually produce duplicate or inaccurate data, complicate reporting, and may even conceal risks that only become visible when these areas are viewed together.

Taking an enterprise-wide view of GRC — often achieved through technology solutions that provide cross-functional data integration — enables business units to share a common framework for defining and assessing risk and highlights critical dependencies across your organization. In turn, this improves executive oversight and eliminates redundant administrative activities, reducing the time, effort, and resources required for GRC management.

4. We’ve completed our GRC initiatives.

GRC isn’t a “set it and forget it” project, but a continual process. Effective GRC management must be an ongoing, cross-functional effort that evolves to accommodate organizational changes and shifts in the risk and compliance landscape.

Organizations that realize the most value from their GRC program often opt for a phased journey to GRC maturity. After establishing processes and technology infrastructure in one or two functional areas, you can start defining the scope for each additional business unit in your GRC plan, establish points of integration, define terms of cross-functional collaboration, and allocate resources for future program expansion.

In Part 2, we’ll explore three more myths about GRC technology. Subscribe to blog email updates to receive the next installment of the “GRC Myths” series.