We don’t need to channel our inner historian to chart the Governance, Risk and Compliance (GRC) timeline. While organisations have been governed, and risk and compliance managed, for as long as we can remember, the GRC acronym is still a relatively modern-day approach – first entering the common vernacular in 2003. Fast-forward four years and the fledgling concept began shifting through the gears, when the first academic paper on the subject was written by OCEG founder Scott Mitchell and published in the International Journal of Disclosure and Governance – a ground-breaking moment that solidified the three elements and influenced an entire market of software and services.
Since then, the concept of GRC has matured into a vital strategy that helps businesses align activities to business goals, mitigate risk and manage compliance – all of which is set against the backdrop of an ever-changing regulatory landscape and an increasingly connected world. This has triggered a significant shift towards leveraging automated GRC strategies – so much so that the global GRC market is expected to expand to $64.61 billion by 2025.
GRC implementation – What are the top 8 crippling pain points?
Robust GRC platforms that facilitate vital GRC strategies require well planned and executed implementations. However, the process of implementing innovative GRC platforms in an integrated and synchronised manner is often mismanaged –leading to crippling pain points.
- Financial: the rising cost of GRC facilitated by automation makes full-scale implementations a significant financial undertaking – exposing businesses to everything from platform costs and configuration costs to consultant fees and process redesign fees. Failure to budget effectively or a lack of transparency from third-party providers around fees and licencing can jeopardise the whole process and increase risk.
- Time: GRC implementations are never going to be an overnight process. Failure to plan and execute them effectively can result in unnecessary and costly delays. For example, shortcuts taken during the vendor selection process can fail to highlight shortcomings in their execution capability – potentially prolonging the implementation process.
- Scope: businesses sometimes opt for a big bang rather than a phased roll-out. This attempt to enable every solution capability within the GRC tool at the same time increases the risk of complexity and quality of execution. Deprived of the necessary momentum required to achieve traction within the business, the platform will fail to drive cultural change. This might stem from a lack of trust in the platform from executives that demand results or users that want to see quick wins.
- Implementation teams:
i. Internal: project teams sometimes forget they have acquired a configurable, not a customisable, solution. If they possess the flexibility to adopt business processes and create a meaningful customised training roll-out, the organisation will be well-placed to adopt the software quickly and effectively.
ii. External: larger implementations demand a defined decision-making structure. This typically includes a business analyst and a project manager with the technical expertise to advise on the design. This ensures the clients requirements are mapped through each stage of the process and affords the project team the time it needs.
- Leadership: GRC implementations sometimes lack the three Cs: coordination, cooperation and communication. Without the necessary leadership to drive these key interactions between internal and external stakeholders, the whole process could be derailed.
- Silos: organisations often function in silos – isolated business units that invest in bespoke technology specifically developed to address challenges or meet business objectives that are specific to their function. While these tools can gather extensive amounts of data, it’s rarely aligned with the business from the offset. Unless this challenge is addressed during the planning and implementation stages, it will continue to restrict GRC workflows, reporting and transparency. Businesses must, therefore, adopt a holistic approach to any implementation by engaging with relevant internal stakeholders from the planning stage onwards. Failure to do so can cause delays, impact the scope of the project and create cultural adoption challenges.
- Training and communication: an effective implementation requires effective communication. All too often, key decisionmakers lose touch with the business due to poor channels of communication. This common challenge can be mitigated by establishing an internal communication training and testing plan. The best vendors support this by providing integrated customer success e-learning, training materials and onboarding based on the clients specific requirements.
- Intuitiveness: GRC should be everyone’s responsibility. If platforms are designed by risk professionals for risk professionals, businesses will struggle to embed a proactive GRC culture. Therefore, the implementation process must facilitate intuitive functionality that engages the entire organisation.
Realising the value of your GRC investment
To say the GRC market is saturated is an understatement – a market in which one solution on the surface may look much the same as another. So, how can a business guarantee that its investment will pay off? By selecting and implementing a platform that’s right for them. Simply Googling a solution to see how an analyst – who has little or no knowledge of your specific requirements – rated its functionality simply isn’t enough. While functionality is important, it’s not the primary differentiator just because it’s easily comparable; there are three other key factors that you must consider:
- Capabilities: intuitive out-of-the-box platforms are capable of setting a comprehensive benchmark that delivers against industry standards and regulatory requirements. They are also a vital tool for fostering a proactive companywide GRC culture. The unique nature of each businesses means platforms should be fully scalable and configurable using APIs. The degree to which you need to integrate software – if at all – should be defined prior to the implementation.
- Implementation: there is no one size fits all approach towards GRC implementation. To achieve rapid deployment that meets your specific requirements, a third-party supplier must take the time to understand your regulatory landscape and what GRC means to your business. This will help you work in partnership to establish a roadmap that contains clearly defined roles and priorities for each stage and ensures all stakeholders understand what is required – before executing a phased rollout strategy that’s right for you. Adopting a structured approach to implementation will also help you benefit from rapid time to value, allowing you to keep pace with your regulatory requirements.
The project team should also be given careful consideration. Have you been introduced to them during the sales process? What is their methodology? Do they align with your team? Do they understand your requirements?
- Customer care: GRC partnerships should be enduring. The dynamic nature of the three elements – and the tools used to manage them – makes the ongoing training and development of staff a key consideration once the implementation has been successfully completed. Furthermore, as your requirements evolve with your business needs, the platform needs to adapt with you. Empowering your admins to handle this continued growth in configuration requirements is critical, this is achieved either via a flexible platform or bulk service days included in the contract.
Join our webinar, When GRC Implementation Goes Horribly Wrong, can help you to learn how you can realise the value of your GRC investment and get practical tips and guidance to help you get a step ahead in choosing the right platform for your organisation.
You can trust Camms with your GRC requirements from the demo to the moment you go live – and beyond. Camms.Risk, our comprehensive out-of-the-box platform is equipped with the agility required to keep pace with the evolving demands of GRC; and our collaborated approach to implementation ensures your business benefits from integrated solutions in risk, strategy, projects and people without delay – allowing you to make the right decisions, manage risks and align the talents of your business.
We will also continue to empower your business to succeed once the switch is flicked to go live, thanks to Camms.College – a comprehensive digital resource that allows you to access everything from virtual consulting and reporting to online training and webinars.