Many organizations are adopting governance, risk and compliance (GRC) technology to help manage their activities in these three areas. This shift continues to be driven by an ever-changing regulatory landscape and an increasingly connected world. GRC solutions automate the collection, correlation and reporting of information to offer a broader picture of how well the company is not only performing, but also how well it is complying with the law and managing risk.
Once you have gone through the arduous process of justifying the investment into GRC solutions and made your choice of available platforms to best fits your needs, the actual implementation piece comes with its own set of challenges that must be considered in advance in order to make things go as smoothly as possible and cause the least amount of disruption. Read on to learn about the 10 most common organizational challenges of a GRC solution implementation and start planning now to address them.
- Determining the key people and their roles early in the GRC process. Waiting to define the team and roles can lead to delays, rework and frustration as a new person coming in may have a different perspective or goal. This is especially important with the sponsors, as they often set the high-level agenda.
- Knowing communication is key! It may seem trite and unnecessary to spell out, but this is often an area where the GRC program derails. When thinking of communication consider:
- Internal stakeholders for planning, progress, guidance, decision making, etc.
- Peers (for guidance, changes, challenges, best practices, etc.
- Implementation teams—both GRC program and possible automation or software—for requirements, overall vision and goals, stakeholders, etc.
- Utilizing the frameworks and guidelines that are available as a litmus test for your program. Frameworks and guidances such as COSO, COBIT, NIST, ITIL, UCF, etc., can provide a great starting point as well as a strong touch point throughout your maturation process to ensure you are considering all aspects of a GRC program.
- Building a network of peers in your field of expertise and industry. Reach out to them for best practices, challenges, changes, guidance, etc. This is the most tangible way to get comfort that the GRC process you are building is considering all aspects that need to be considered.
- Thinking you have to have a fully mature business process to implement a GRC automated program. It is not necessary to have a fully mature business process in place to begin, but do make sure you have a basic understanding of what you want the business process to be—the process can mature over time but a strong starting point will avoid rework and frustration.
- Understanding the processes, data, teams, etc. that are already in place in your organization. There are often very solid GRC areas that can be a great starting point for developing a robust program. For example Internal Audit, SOX, IT GRC, and others have mature business process with defined data taxonomies that can take a GRC program from infancy into maturity much more quickly. Also, as verticals that have strong guidance and leadership around developing GRC programs, they can be strong advocates in an organization and help with the success of the GRC build-out overall.
- Starting at the desired end result and work your way backward. Knowing what reports and dashboards you want helps guide the information you need to capture and how it needs to be structured in order to get to that desired end result.
- Clearly communicating requirements in the RFP or sales cycle. If you decide to automate or implement a software to support your GRC process, it is vital that you make sure you understand exactly what the SOW is committing to and what it excludes. If you aren’t clear on anything push into that area to get clarity. Understanding what is being provided and excluded is key to how well the system will work for you overall as well as providing confidence that the product will meet your needs when it comes to the anticipated core functionality.
- Thinking of the big picture first. If you are automating or implementing a software to support your GRC process, think of the big picture at the beginning and then work toward that. It is reasonable to start small and build out to the full GRC program, but when building out the starting processes make sure the end result is considered in the decisions being made. Not doing so can create unintentional blockages in the process and result in an unsuccessful break down of the organizational verticals that was intended.
- Listening to the advice and guidance of those around you. Whether it is from organizational leadership, peers, outside sources, or implementation teams when automating, this is a key component of a successful implementation. You can then take the information you have received and look at it through the lens of what you are trying to accomplish. Be open to the outside perspectives but make sure it ties into the objectives you are working toward.
Taking on the implementation of one or more GRC solutions is no small feat and there are bound to be unforeseen obstacles along the way. However, by knowing some of the likely challenges in advance and proactively creating plans to address them, you will be better prepared to set your organization up for success.