Why Is GRC So Difficult?

GRC is difficult. Some of the largest organizations that are successful in various other facets of business struggle to implement and maintain a fully functioning and effective GRC program. It’s true that all GRC programs are subject to the Golden Triangle: People, Processes, and Technology. But, so are many other technologies. Over decades, areas like ERP technology have seemingly overcome their hurdles.  How is GRC different from any other major business technology area?

Standardization may be key to a technology area’s implementation and operational success. Standardization and agreed upon best practices in each area cut down time and help drive success. Specifically, standardization consists of elements and procedures that are organized in a way that ensures they are easily understood, consistently followed, and constantly improved by all team members.

Of the three legs of the Golden Triangle, technology is the easiest one to implement standardization. Though competing GRC platforms differ in many ways, just about all of the leading platforms have embraced technology standards such as the ability to deal with data in XML format and REST APIs.

The next easiest leg to standardize would be processes; however, GRC has now been around for almost 2 decades and most areas of GRC have yet to establish agreed upon processes that are used across the industry. Even within a single GRC platform that comes with a set process out of the box, it’s common to see three different clients with that platform using 3 different processes. GRC platforms are highly customizable, and despite recent momentum toward using the platforms as they come, few organizations follow through with that rhetoric.

The reason GRC processes aren’t standardized may very well be because of the the leg of the triangle: People. People and change are the enemies of standardization. People are unpredictable, and they often have their own interests and motivations.

In fact, two of the three letters in the GRC acronym stand for areas that are highly susceptible to change or susceptible to the varying motivations of people: Governance and Compliance

Governance, the way organizations distribute authority and manage the decision making process,  is heavily exposed to people and groups’ preferences, politics, personal agendas, and competing motivations. Compliance is heavily exposed to change, with ever evolving requirements and frameworks being handed down from governing bodies.

Further, GRC terms, taxonomies, methods aren’t agreed upon. This means more decisions need to be made, and this opens the door to people and change.

So we’ve established that a lack of standardization is problematic for GRC, and this tendency is often being driven by people and change. What can businesses do to overcome these problematic influences? Well, that depends on how the business is implementing and operating their GRC program.

Some businesses desire to run their entire GRC program completely from the inside with hired talent. (ThisFAIR On-A-Page: Same Great Model, Fresh New Look approach is sometimes problematic for other reasons, but that is a topic for another article). In order to avoid the pitfalls that can be brought about by the excessive forces of people and change, businesses attempting to do everything on their own should work to leverage standards and defined governance and taxonomies wherever possible. They should consult with their peers and ask questions like, “in area ABC, we’re considering adding complexity to achieve XYZ. Did you also perceive a need for XYZ, and have you done anything similar?” They should perform market research, and try to use common terms and taxonomies wherever they can. They should also find and use authoritative industry sources that drive standardization where possible. These can include things like NIST’s Risk Management Framework or the FAIR Risk Taxonomy, as seen here.

Because the problems we are discussing are often driven by the people leg of the triangle, businesses might want to consider bringing in a neutral third party for help.  Besides the obvious benefits of additional knowledge and experience gained, bringing in a firm that specializes in GRC and Integrated Risk Management can help drive standardization by having a party who is outside of internal politics and motivations, and who can bring forward a full set of  knowledge material on which to drive normalization. This material can include, but is not limited to:

  • Terms,
  • Methodologies,
  • Technology,
  • Taxonomies, and
  • Processes.

Another, and possibly the most advantageous way to leverage standardization also happens to be the most powerful way to leverage external resources, skills, knowledge, and technology – engaging GRC Managed Services.

As Cential Partner Jannie Wentzel and I recently discussed on LogicGate’s “GRC and Me” podcast, Transformative Risk Management accounts for the fact that more and more, businesses are accelerating their growth by focusing on what they do best while simultaneously improving the cost and effectiveness of their non-core business areas. Rather than trying to do everything, businesses are focusing on doing what the do well by partnering with experts in non-core business areas and gaining ability and standardization in those areas at a lower cost. This also allows them to access and contribute to the risk data cloud, gaining insight and building herd immunity for shared ecosystem risks upstream and downstream.

While fairly new, more and more businesses are realizing that their best path to effective GRC is through GRC Managed Services, which provide all of the benefits of increased capabilities, pre-built technology, and standardized processes, governance, terms, and taxonomies – with ramp up times that are a fraction of trying to build (or repair) an in-house GRC program. They’re realizing they’re already part of a shared risk ecosystem, and they need to leverage the benefits of that ecosystem if they’re to remain competitive.

GRC is difficult for the reasons discussed above. But, it doesn’t have to be that difficult. Regardless of the route taken, leveraging one of the techniques above will go a long way to ease the strain of building and maintaining an effective GRC program.

Interested in learning more about Cential’s GRC Managed Services? Contact Us.