GRC Myths: 10 Risk & Compliance Management Misconceptions to Avoid [Part 2]

Part 1 of this series debunked some common misconceptions about GRC program development and maturity. We explored why it’s important to establish a management framework that’s integrated across the enterprise, synchronized through standard processes, and supported by technology that enables digitization and automation. This week, we’ll take a look at concerns related to choosing and implementing GRC solutions.

GRC Myths About Tools & Technology

5. All GRC platforms are equal.

OCEG, a nonprofit think tank, popularized the term GRC and defines the discipline as “the integrated collection of capabilities that enable an organization to reliably achieve objectives [governance], address uncertainty [risk management] and act with integrity [compliance].”

However, few management platforms offer meaningful integration between functions, which is a key aspect of enabling enterprise-wide oversight, generating useable data, and empowering strategic decisions around governance, risk, and compliance.

Vendors that claim to have product integration often either piece together in-house and third-party solutions that weren’t designed to work together, or don’t have a flexible data architecture that allows users to configure workflows, task management, and reporting to fit their needs.

True integration facilitates communication and shared data between GRC disciplines, equipping teams and individuals to get the data they need to the right people at the right time. This improves efficiency across the enterprise and facilitates alignment to your organization’s objectives through a shared framework for defining, measuring, and managing risk.

6. It takes too long to implement GRC solutions.

Organizations’ experience implementing GRC technology largely depends on the type of solution they choose. On-premise software or piecemeal products tend to require extended installation and implementation processes.

By contrast, software-as-a-service (SaaS) solutions can accelerate time to value with flexible options that meet immediate management needs but also offer a path to GRC maturity. Look for a scalable system that enables quick wins in a couple of key areas — such as third-party risk, business continuity, or policy management — but also facilitates expansion as capacity or resources allow.

This approach allows institutions to focus on building critical GRC management capabilities at a pace and scope that matches their needs, then leverage initial improvements to work toward program maturity and expand functionality. Using this phased strategy frequently enables organizations to complete implementation in a matter of weeks, capturing significant value from their GRC program within a few months.

As organizations optimize and digitize their management processes, they begin to achieve greater efficiency, agility, and strategic alignment. But it takes a decision to start the GRC maturity journey to get there, and many risk and compliance leaders find that investing in an integrated GRC solution is the most effective way to take the first step and reach their destination faster.

7. GRC solutions are hard to use.

Finding a GRC system that meets your organization’s needs involves due diligence. Making sure you have a clear understanding of each solution’s capabilities, limitations, and implementation and maintenance requirements will be key to finding a good fit. A “blank slate” solution that requires extensive configuration or coding, versus a GRC platform with built-in best practices and workflows, will differ dramatically in ease of use and user experience.

While every organization will have different criteria for specific GRC management categories, it’s also important to evaluate the anatomy of the platform as a whole and aspects that impact usability.

When comparing GRC solutions, look for user-friendly functionality that contributes to easier onboarding and program setup, such as:

• Integration between products
• Configuration options to coordinate with current or desired processes
• Built-in content such as risk and control libraries, risk assessment questions, regulation summaries, etc.
• Pre-built workflows and guided processes
• Dashboarding; ability to monitor GRC activities
• Ability to generate reports
• Training resources

Up Next: Read the conclusion on the costs, benefits, and ROI of GRC initiatives.