The GRC Evolution: Integrating GRC into your Core Operating Model

Governance, Risk & Compliance (GRC) technology has come a long way over the last 20 years. Risk management has evolved from a siloed activity required to achieve compliance to an integrated process that enables organisations to align risk with enterprise performance & strategic objectives to ensure long term growth & sustainability.

This GRC transformation journey has been fuelled by advancements in technology. Even 5 years ago, GRC platforms were often compliance focused – implemented to ensure that organisations were managing risk and mandatory obligations in line with regulatory requirements. The platforms were often clunky and slow and required a lot of bespoke coding and professional services fees to implement. In these legacy solutions it was tricky to change reports & dashboards or amend fields & functionality without involving the vendor – resulting in unexpected costs. The platforms were often siloed from the organisation's main operating model – resulting in conflicting data, duplication of effort, and no alignment with operational performance & strategic objectives.

The official definition of GRC, as found in the OCEG GRC Capability Model, is a capability to reliably achieve objectives (Governance), while addressing uncertainty (Risk Management), and acting with integrity (Compliance). As the GRC market evolves, more organisations are restructuring their GRC programmes – using risk management as a means to achieve their strategic objectives. Of course, companies still need to implement controls to mitigate the most critical risks, but they also need to take well-thought-out ‘calculated’ risks to achieve their goals.

In this blog, we will delve into how GRC technology has evolved over the past 15 years and explore what this new era of GRC maturity will mean for companies. We will examine the key benefits of integrating GRC with strategic planning & enterprise performance and explain how the latest GRC technology enables organisations to take the right level of risk to achieve strategic objectives & improve performance.

How has GRC technology evolved?

When the first era of GRC platforms was introduced, it was mainly driven by the introduction of Sarbanes-Oxley (SOX) back in 2002. This mandatory requirement affecting the financial services sector required companies to implement rigorous internal controls and in-depth financial reporting to establish governance and ensure accountability. These were often bespoke or siloed solutions that were introduced purely to meet these new requirements. Over time these solutions evolved to enable multiple departments to work from an integrated platform to manage risk, controls, policies, audit, compliance, and risk assessments, but there was still little integration with other business systems, and the platforms required a lot of custom coding.

About 5 years ago a new wave of highly configurable low-code or no-code platforms hit the market. These platforms offered best-practice templates, frameworks, and forms ‘out-of-the-box’, which companies could easily configure further to meet their individual requirements themselves. Clunky legacy platforms were consigned to the past, and these highly intuitive new platforms enabled multiple employees to feed into the GRC programme through simple web-based portals – seamlessly linking management teams to front-line employees on the first, second and third line. More recently GRC platforms have continued to evolve – harnessing artificial intelligence to interpret risk data and automate processes.

So where will this exciting market go next?

As GRC platforms further evolve, we will see GRC become further integrated into core business operations. Organisations will link GRC activities to their strategic goals & enterprise performance metrics. This will enable companies to take risks that have a positive impact on their long-term goals, and still avoid key risks that severely affect performance.

So… what does this next wave of GRC mean for organisations?

The next stage of GRC evolution involves the complete integration of GRC into everyday business processes. GRC platforms would essentially evolve into the organisation's holistic ‘business system’. The platforms would still offer all the great features they currently provide across risk management, compliance, audit, and IT & third-party risk, but they would also offer the ability for organisations to plan and execute their strategy, manage & deliver a whole host of projects, and understand overall enterprise performance. It is only by managing all of those aspects in one platform and making those important linkages between risk & compliance and strategic goals & enterprise performance that a company can truly make the right decisions.

Strategic planning would no longer be the sole domain of boardroom executives. Of course, they would still start the process by outlining the top-line goals & objectives, but these goals & objectives would then be captured in the platform, broken down into a series of smaller tasks, projects, and actions, and allocated out across the business for completion with clear step-by-step plans, timelines, and budgets. As the strategy progresses – and tasks and actions are completed and logged in the system – progress is shown at all levels, allowing the next stakeholder to start the next phase of the strategy. Management can easily view strategy progression through a variety of reports & dashboards. Any risks to achieving strategic goals & objectives can be captured as part of the risk management framework & managed accordingly to keep the strategy on track.

All risks that could prevent the organisation from achieving its strategy are captured & monitored in the platform, and relevant controls are implemented and checked regularly. By managing both risk & strategy in the same platform, organisations can easily understand the impact of risk on their strategic goals & objectives and put controls in place to ensure their strategy remains on track. The data captured can also allow organisations to take calculated risks in pursuit of their strategic goals and objectives. Businesses can’t grow & mature and achieve their goals without taking some degree of risk, so it is important that they have the data to understand the likely impact – enabling them to decide if the risk is worth taking. These more advanced technology platforms will provide all the data required to make those informed decisions.

Evolving your GRC programme is not just about understanding how GRC aligns with strategic goals & objectives; it is also about understanding how risk & compliance relate to enterprise performance. Enterprise performance data is held in a whole host of different company systems & spreadsheets. Having business performance data integrated into their GRC platform will help an organisation to answer the question ‘when the risk level was high, was enterprise performance affected?’ The future of ‘GRC’ will see organisations capturing enterprise performance data in their GRC platforms to understand the impact of risk or non-compliance on overall enterprise performance. This data is invaluable for decision making. For example, a control might fail and a risk might actually materialise, but if overall enterprise performance remains unaffected, maybe the control wasn’t needed. Similarly, if there is a period of non-compliance or an operational failure that negatively impacted operational performance, this would be highlighted within the system; it could then be logged as a risk and the necessary controls could be implemented. Having this link to operational performance will help organisations to justify spend on controls and mitigating actions, and budget holders are able to see the consequences of not implementing that control.

But how will enterprise performance data be captured in GRC platforms? Most modern platforms offer API integrations with other systems & data sources, making it easy for organisations to pull in operational & financial data that reflects enterprise performance. Data can also be captured through tasks, actions, questionnaires, and surveys that can be rolled out to staff of all levels to capture information as part of their daily role. As online forms are completed by front-line staff, leaders can build a complete picture of operational performance and link it back to risk & compliance.

In the next 5-10 years, GRC platforms will likely no longer be the domain of risk & compliance teams; instead, personnel of all levels will have tasks or actions relating to aspects of risk & compliance, strategic objectives, and business performance – all captured in one holistic business system.

The next generation of GRC solutions will become modern business performance platforms that are embedded more deeply within business processes – instead of disjointed systems adding disconnected layers of complexity.

The key capabilities of the next generation of GRC solutions will include:

  • Strategy planning functionality – The ability for organisations to plan & execute their strategy within the platform.
  • Enterprise Performance – Modern GRC platforms will enable organisations to get a view of enterprise performance and manage projects.
  • API integrations – This will enable organisations to be able to pull enterprise performance data into and out of the platform from other business systems, data sources and spreadsheets.
  • Data Mapping – Complex mapping to easily understand the impact of risk & non-compliance on strategic objectives and enterprise performance.
  • Artificial Intelligence – AI assisted risk analysis to interpret risk data and support decision making.
  • Best-practice ERM functionality – Modern platforms will offer best-practice ERM functionality and controls management.
  • Workflow automation – Workflows will automate control monitoring, risk assessments, approvals, escalations, and case management.
  • Advanced Reporting & Analytics – Modern platforms will offer interactive dashboards to enable all staff to understand their upcoming tasks & actions and offer comprehensive real time reporting for all levels of stakeholder.
  • Highly Configurable – Modern platforms will migrate away from complex bespoke implementations and offer low-code or no-code SaaS platforms that are easy to configure and tailor to suit individual needs – without the need for heavy coding and expensive implementation and maintenance fees.
  • Business Management Platforms – The new generation of no-code solutions can build out and enable business processes and integrate GRC into those processes – instead of GRC becoming an afterthought or a band-aid.
  • Operational Resilience – The future of GRC will see organisations managing operational resilience, business process modelling, and business continuity in the same GRC platform. This alignment enables BCM plans to be triggered based on incidents logged.

The evolution of GRC has been a journey towards more efficient, consistent, and sustainable governance, risk, and compliance processes for organisations. Technology development has played a significant role in automating GRC processes, enabling organisations to align risk management & controls with organisational objectives. To truly integrate GRC into their standard operating model and manage their strategic plans & business performance, organisations will need to leverage flexible cloud-based GRC platforms that offer strategic planning and performance management capabilities out-of-the-box.

“By breaking down siloes, and taking a coordinated approach to managing governance, risk agility, and compliance activities, organisations can enhance their resiliency and performance. As organisations pursue their objectives in an increasingly disruptive world, an integrated approach to GRC is no longer just a best practice – it is an organisational imperative” – Adam Collins, Camms CEO

Camms is more than a GRC platform: our GRC capabilities are available as part of a wider business performance platform. It is designed to offer a whole host of functionality that can be used across multiple teams and business functions – enabling organisations to seamlessly integrate business management, processes, strategic planning, project management, and internal control into GRC initiatives and vice versa. The Camms platform is one of the only GRC platforms that offers strategic planning, project management, and business process automation in one platform.

The platform provides one system for the entire company to feed into – automating multiple spreadsheet-based business processes and offering in-depth analytics into business performance & operations. Capabilities include:

  • Risk Management
  • Policy Management
  • Project Management
  • Employee Performance & Appraisals
  • Audit Management
  • Asset Management
  • Accidents & Incidents
  • Emerging Risk
  • Control Testing
  • Gifts & Gratuities
  • Feedback & Complaints
  • Dangerous Goods/Hazardous Chemicals Register
  • Contractor Management & Inductions
  • Health, Safety & Wellbeing
  • Compliance
  • Strategy Planning
  • Regulatory Change
  • ESG
  • Business Process Log
  • Threat & Vulnerability Testing
  • Cyber Incidents
  • Opportunity Management
  • Vendor Management
  • Conflicts of Interest & Disclosures
  • Inspections, Audits & Checklists
  • Anonymous Reporting & Whistle-blowing
  • Questionnaires & Surveys
  • Issues, SCIs & Deficiencies

With Camms, businesses can build a GRC programme tailored to their unique needs and priorities, optimising business performance and taking the right level of risk to achieve their strategic goals & objectives – while successfully controlling and mitigating intolerable risk. Reach out to us for a demo of our GRC platform today to learn how we can help your company to work collectively towards its strategic goals & objectives.

Daniel Kandola

Vice President, EMEA
