Governance, Risk & Compliance (GRC) technology has come a long way over the last 20 years. Risk management has evolved from a siloed activity required to achieve compliance to an integrated process that enables organisations to align risk with enterprise performance & strategic objectives to ensure long term growth & sustainability.
This GRC transformation journey has been fuelled by advancements in technology. Even 5 years ago, GRC platforms were often compliance focused – implemented to ensure that organisations were managing risk and mandatory obligations in line with regulatory requirements. The platforms were often clunky and slow and required a lot of bespoke coding and professional services fees to implement. In these legacy solutions it was tricky to change reports & dashboards and amend fields & functionality without involving the vendor – resulting in unexpected costs. The platforms were often siloed from the organisations main operating model – resulting in conflicting data, duplication of effort, and no alignment with operational performance & strategic objectives.
The official definition of GRC as found in the OCEG GRC Capability Model is defined as a capability to reliably achieve objectives (Governance), while addressing uncertainty (Risk Management), and acting with integrity (Compliance). As the GRC market evolves, more organisations are restructuring their GRC programmes – using risk management as a means to achieve their strategic objectives. Of course, companies still need to implement controls to mitigate the most critical risks, but they also need to take well thought out ‘calculated’ risks to achieve their goals.
In this blog, we will delve into how GRC technology has evolved over the past 15 years and explore what this new era of GRC maturity will mean for companies. We will examine the key benefits of integrating GRC with strategic planning & enterprise performance and explain how the latest GRC technology enables organisations to take the right level of risk to achieve strategic objectives & improve performance.
How has GRC technology evolved?
When the first era of GRC platforms were introduced, they were mainly driven by the introduction of Sarbanes-Oxley (SOX) back in 2002. This mandatory requirement affecting the financial services sector required companies to implement vigorous internal controls and in-depth financial reporting to establish governance and ensure accountability. These were often bespoke or siloed solutions that were introduced purely to meet these new requirements. Over time these solutions evolved to enable multiple departments to work from an integrated platform to manage risk, controls, policies, audit, compliance, and risk assessments, but there was still little integration with other business systems and the platforms required a lot of custom coding.
About 5 years ago a new wave of highly configurable low-code or no code platforms hit the market. These platforms offered best-practice templates, frameworks, and forms ‘out-of-the-box’, and companies can easily configure further to meet individual requirements themselves. Clunky legacy platforms were consigned to the past, and these highly intuitive new platforms were enabling multiple employees to feed into the GRC programme through simple web-based portals – seamlessly linking management teams to front line employees on the first, second and third line. More recently GRC platforms have continued to evolve – harnessing artificial intelligence to interpret risk data and automate processes.
So where will this exciting market go next?
As GRC platforms further evolve, we will see GRC become further integrated into core business operations. Organisations will link GRC activities to their strategic goals & enterprise performance metrics. This will enable companies to take risks that have a positive impact on their long-term goals, and still avoid key risks that severely affect performance.
So… what does this next wave of GRC mean for organisations?
The next stage of GRC evolution involves the complete integration of GRC into everyday business processes. GRC platforms would essentially evolve into the organisations holistic ‘business system’. The platforms would still offer all the great features they currently provide across risk management, compliance, audit, and IT & third-party risk, but they will also offer the ability for organisations to plan and execute their strategy, manage & deliver a whole host of projects, and to understand overall enterprise performance. It is only by managing all of those aspects in one platform and making those important linkages between risk & compliance and strategic goals & enterprise performance that a company can truly make the right decisions.
Strategic planning would no longer be the domain of boardroom executives, of course they would start the process by outlining the top-line goals & objectives. But these goals & objectives would then be captured in the platform and broken down into a series of smaller tasks, projects, and actions and allocated out across the business for completion with clear step-by-step plans, timelines, and budgets. As the strategy progresses – and tasks and actions are completed and logged in the system – progress is shown at all levels, allowing the next stakeholder to start the next phase of the strategy. Management can easily view strategy progression through a variety of reports & dashboards. Any risks to achieving strategic goals & objectives can be captured as part of the risk management framework & managed accordingly to keep the strategy on track.
All risks that could prevent the organisation from achieving their strategy are captured & monitored in the platform and relevant controls are implemented and checked regularly. By managing both risk & strategy in the same platform, organisations can easily understand the impact of risk on their strategic goals & objectives and put controls in place to ensure their strategy remains on track. The data captured can also allow organisations to take calculated risks in pursuit of their strategic goals and objectives. Businesses can’t grow & mature and achieve their goals without taking some degree of risk, so it is important that they have the data to understand the likely impact – enabling them to decide if the risk is worth taking. These more advanced technology platforms will provide all the data required to make those informed decisions.
Evolving your GRC programme is not just about understanding how GRC aligns with strategic goals & objectives, it is also about understanding how risk & compliance relate to enterprise performance. Enterprise performance data is held in a whole host of different company systems & spreadsheets. Having business performance data integrated into their GRC platform will help an organisation to understand – ‘when the risk level was high, was enterprise performance affected?’ The future of ‘GRC’ will see organisations capturing enterprise performance data in their GRC platforms to understand the impact of risk or non-compliance on overall enterprise performance. This data is invaluable for decision making, for example, a control might fail, and a risk might actually happen, but if overall enterprise performance remains unaffected, maybe the control wasn’t needed. Similarly, if there is a period of non-compliance or an operational failure that negatively impacted operational performance this would be highlighted within the system and then it could be logged as a risk and the necessary controls could be implemented. Having this link to operational performance will help organisations to justify spend on controls and mitigating actions, and budget holders are able to see the connotations of not implementing that control.
But how will enterprise performance data be captured in GRC platforms? Most modern platforms offer API integrations with other systems & data sources making it easy for organisations to pull in operational & financial data that reflects enterprise performance. Data can also be captured through tasks, actions, questionnaires, and surveys that can be rolled out to staff of all levels to capture information as part of their daily role. As online forms are completed by frontline staff, leaders can build a complete picture of operational performance and link it back to risk & compliance.
In the next 5-10 years, GRC platforms will likely no longer be the domain of risk & compliance teams, instead personnel of all levels would have tasks or actions relating to aspects of risk & compliance, strategic objectives, and business performance – all captured in one holistic business system.
The next generation of GRC solutions will become modern business performance platforms that are embedded more deeply within business processes – instead of disjointed systems adding disconnected layers of complexity.
The key capabilities of the next generation of GRC solutions will include:
- Strategy planning functionality – The ability for organisations to plan & execute their strategy within the platform.
- Enterprise Performance – Modern GRC platforms will enable organisations to get a view of enterprise performance and manage projects.
- API integrations – This will enable organisations to be able to pull enterprise performance data into and out of the platform from other business systems, data sources and spreadsheets.
- Data Mapping – Complex mapping to easily understand the impact of risk & non-compliance on strategic objectives and enterprise performance.
- Artificial Intelligence – AI assisted risk analysis to interpret risk data and support decision making.
- Best-practice ERM functionality – Modern platforms will offer best-practice ERM functionality and controls management.
- Workflow automation – Workflows will automate control monitoring, risk assessments, approvals, escalations, and case management.
- Advanced Reporting & Analytics – Modern platforms will offer interactive dashboards to enable all staff to understand their upcoming tasks & actions and offer comprehensive real time reporting for all levels of stakeholder.
- Highly Configurable – Modern platforms will migrate away from complex bespoke implementations and offer low-code or no-code SaaS platforms that are easy to configure and tailor to suit individual needs – without the need for heavy coding and expensive implementation and maintenance fees.
- Business Management Platforms – The new generation of no-code solutions can build out and enable business processes and integrate GRC into those processes – instead of GRC becoming an afterthought or a band-aid.
- Operational Resilience – The future of GRC will see organisations managing operational resilience, business process modelling, and business continuity in the same GRC platform, this alignment enables BCM plans to be triggered based on incidents logged.
The evolution of GRC has been a journey towards more efficient, consistent, and sustainable governance, risk, and compliance processes for organisations. Technology development has played a significant role in automating GRC processes, enabling organisations to align risk management & controls, with organisational objectives. To truly integrate GRC into their standard operating model and manage their strategic plans & business performance, organisations will need to leverage flexible cloud-based GRC platforms, that offer strategic planning and performance management capabilities out-of-the-box.
“By breaking down siloes, and taking a coordinated approach to managing governance, risk, and compliance activities, organisations can enhance their resiliency, agility, and performance. As organisations pursue their objectives in an increasingly disruptive world, an integrated approach to GRC is no longer just a best practice – it is an organisational imperative” – Adam Collins, Camms CEO
Camms is more than a GRC Platform, our GRC capabilities are available as part of a wider business performance platform. Is designed to offer a whole host of functionality that can be used across multiple teams and business functions – enabling organisations to seamlessly integrate business management, processes, strategic planning, project management, and internal control into GRC initiatives and vice versa. The Camms platform is one of the only GRC platforms that offers strategic planning, project management, and business process automation in one platform.
The platform provides one system for the entire company to feed into – automating multiple spreadsheet-based business processes and offering in depth analytics into business performance & operations. Capabilities include:
With Camms, businesses can build a GRC programme tailored to their unique needs and priorities, optimising business performance and taking the right level of risk to achieve their strategic goals & objectives – while successfully controlling and mitigating intolerable risk. Reach out to us for a demo of our GRC platform today to learn how we can help your company to work collectively towards its strategic goals & objectives.