There is no shortage of tools available touting comprehensives solution to an organization's governance, risk and compliance needs: According to vendors, organizations can just plug the tool into the network and watch all their GRC concerns drift away.
These claims just aren't realistic, primarily because every organization has its own unique risks and compliance mandates. One big mistake is purchasing
"Every organization should focus on understanding its needs and requirements, rather than seek a mythical GRC solution," said Marks, who was the conference chair at the GRC Summit Boston earlier this month. "If you need risk management, focus on that. If you need to improve audit management, address that. If you have a variety of needs, list and prioritize them, then get the best overall solution."
Companies must understand how the business operates and functions, then manage risk and compliance based on these contexts.
chief GRC pundit, GRC 20/20 Research, LLC.
Too often, GRC strategy and purchasing decisions are not based on the organization's unique needs, infrastructure and corporate culture, said GRC Summit speakers. And despite vendor claims, there is no one GRC solution to rule them all.
Companies make mistakes when it comes to choosing technology, Marks said, because for many companies GRC stands for "governance, risk and confusion." GRC has different definitions for different organizations, so companies have to be careful about picking a solution.
"Since there is no commonly-accepted definition of GRC, those seeking 'GRC-centric' software will be confused by the variety of solutions from vendors claiming to have GRC software," Marks said.
Instead, more organizations are turning to multiple solutions to meet their GRC needs, said GRC Summit keynote speaker Michael Rasmussen, OCEG Fellow, CCEP, GRCP, CISSP. Some organizations will leverage a core platform that handles about 40% of GRC operations, with the other 60% handled by several other systems that are "best of breed" for different departmental needs, Rasmussen said.
Rasmussen encouraged businesses to build a unique GRC strategic plan that aligns with specific business goals when choosing these tools. Businesses should investigate risk processes, company information and business culture -- virtually all aspects of the organization -- and how they relate to governance risk and compliance, Rasmussen said.
"Part of the GRC strategy is how do we build information and technology architecture so that there's better insight into our business and what's happening with that information? How do we give different roles access to relevant information to do their job?" said Rasmussen, who is "chief GRC pundit" for GRC 20/20 Research, LLC.
While there are a variety of GRC-centric technologies available, organizations need to understand that information technology is uniquely personal and woven into every thread of employee workdays, said Lance Freedman, strategy lead for the Space Systems Company Finance and Business Operations at Bethesda, MD-based Lockheed Martin Corp.
"It is my opinion that GRC business results are achieved in degrees of friction proportional to the human experience of using these technologies," Freedman said. "Taking time to study business and customer strategies can help an organization with its decision-making on the right tool."
Companies should also use open communication to gauge whether GRC technology is working, he added.
"If nobody is asking the right questions about the user experience and how well the tools are supporting business processes, an organization just looking at quantitative metrics could have blind spots about the effectiveness of the tools," Freedman said.
Adaptability key to GRC
One common theme from speakers at the GRC Summit was that when developing GRC architecture, organizations have to be able to adapt to change. It's no secret that new, industry specific compliance regulations are constantly being developed, and existing ones evolve quickly. Companies must constantly adapt processes and training as emerging technology is developed and incorporated into GRC strategy.
"You might be current in all your regulations and know what's changing in the environment, but all that knowledge does nothing when somebody who just came into the organization was not properly trained on policy and procedures for compliance," Rasmussen said. "Understanding business change is critical."
As a result, maintaining accurate, up-to-date GRC strategy information that is communicated and coordinated throughout the company is vital to sound business. Lack of organization can be hugely detrimental to GRC: The speed of business allows sensitive business information to build quickly, and outdated data can easily get shuffled in with important information to make audit management extremely difficult.
More on GRC strategy
Evolution of GRC requires new approach to governance strategy
Use technology to your regulatory compliance advantage
"From a technology and information architecture perspective, a lot of programs out there are struggling because we have hundreds and thousands of spreadsheets and documents and emails and things scattered on Sharepoint sites, and that's how we are managing GRC," Rasmussen said.
It's important to remember that most corporate risk is multi-faceted: When something goes wrong in one department, chances are it will negatively influence others. This goes for solutions as well, however. Remember to look inside your organization for risk management and compliance best practices that can transferred across departments.
"Most important, companies must understand how the business operates and functions, then manage risk and compliance based on these contexts," Rasmussen said.
This was first published in April 2013