A recent Protiviti thought paper highlights a number of challenges associated with government, risk and compliance (GRC) and provides insights about lessons learned from their experiences in working with a number of organizations in their GRC implementations. The paper also provides a number of suggestions for preventing, preparing or responding to those issues.

What are GRC Solutions?

In order to understand GRC solutions, it is important to first understand the meaning of the terms governance, risk and compliance. Protiviti defines these three terms as follows:

  • Governance – an executive approach to oversight and management
  • Risk – tracking probability of specific harms  
  • Compliance – tracking compliance or regulatory obligations (both internal and external)  

GRC solutions assist organizations in overseeing and automating processes. These tools can reduce redundant activities, produce more reliable data, and increase the automation of processes. Overall, studies show that GRC solutions can help organizations achieve considerable cost savings. In simple terms, GRC solutions consist of the following four GRC tool life cycle phases: Tool Selection, Deployment, Scope Change, Maintenance. Even though this thought paper touches upon all four of these phases, the main purpose of the paper is to highlight potential issues that arise during phases of Scope Change and Maintenance and to provide suggestions about options for preventing, preparing or responding to those issues.

Tool Selection & Deployment

Whenever an organization decides to implement a GRC solution, it needs to have a clear vision of what it wants to achieve with the implementation, have overall goals, and well-defined functionality requirements. Using a top-down approach can help an organization determine the risks and the way they should be handled. The implementation of GRC tools is a rigorous process, which starts at an initial process planning and ends when an organization achieves an optimized and efficient functioning of the GRC tool.

Scope Change

This phase of GRC tool life cycle occurs when other departments within an organization “become aware of the features and capabilities of any given GRC solution already being used for another function.” This can occur for several reasons, such as role shifts or employee transfers. Regardless of the cause for Scope Change, there are several potential issues than can arise. Protiviti describes few important ones and suggests methods for dealing with them.

  1. Infectious Spread - Implementing “too much, too fast” can create a problem of not being able to keep up with the ever-changing nature of the project. Some of Protiviti’s suggestions are creating GRC workflows for more than just core business functions, defining goals, prioritizing, not limiting requirements to one tool, and using consistent processes during the development. 
  2. Difficulty Obtaining Management Buy-In – In some cases it can be difficult to gain full support of management because of concerns such as cost, maintenance, training or security. For this scenario, it is important to perform demonstrations and test runs and ensure sufficient and flawless communication within the organization. 
  3. Increased Resources – Any scope change is prone to additional resource requirements. The means to deal with this issue are testing for possible IT problems and preventing human conflicts. 
  4. Cloud – Considering the sensitive nature of most GRC solutions, storing GRC data in the cloud can often cause many issues mostly related to security and data storage. It is important to define clear contracts with the vendors and put back-up procedures in place. 
  5. Unexpected Costs – During an extensive project such as a GRC tool implementation, unexpected costs should be expected and accounted for already during the initial planning and budgeting.  
  6. Integrating Tools – In cases when tools do not work together properly, additional tools and software needs to be created to achieve correct software interaction. 
  7. Internet-Facing Components – Issues can occur when determining the access of third parties to the organizations GRC solution. Access procedures and policies need to be established to achieve adequate protection. 

Maintenance

This last phase of the GRC tool life cycle can often be misjudged and do not receive appropriate attention, however, there are issues that need to be considered in this stage as well. The following are some of the common issues that can occur:

  1. Tool Ownership – Who should be responsible for the GRC tool? This responsibility should belong to a department that can handle this comprehensive task in the best way. In most organization, where GRC is predominantly an IT support tool, the IT team will take on this responsibility.   
  2. Too Many Administrators – The organization needs to be careful when distributing the rights and access for the GRC tool. There is a risk of accidental or malicious modifications of the GRC data. Any data access capabilities should be monitored, recorded and retained for certain time period.   
  3. Security Concerns – Security costs should be expected in a case like this. Periodical maintenance is an efficient way of preventing security flaws and additional related costs.   
  4. Business Continuity/Disaster Recovery – When the GRC tool becomes an essential part of an organization, requirements for business continuity are more complex and allowable downtimes are very limited.  
  5. Reporting Requirements – No matter what the actual change of reporting requirements is, effective communication throughout the organization is essential in this case.  
  6. Usability/Training – Sufficient training is necessary for both the administrators and the end users to prevent any major problems and their possible consequences. In addition, it is very important to review organizational changes and determine modifications or improvements to the GRC tools.   
  7. Documentation – Appropriate documentation needs to be developed to ensure continual improvement and reliable performance throughout the organization. Some good examples of GRC documentation are: run book, administrators’ cheat sheet, data maps, user guides, test plans and process flow diagrams. 

Conclusion

GRC solutions can be very powerful tools for today’s businesses, but they require appropriate execution and maintenance. The issues mentioned in this thought paper are just few of many that can occur during the GRC life cycle and therefore it is important to continuously monitor GRC tools and ensure their proper performance. The suggestions and guidance presented in this paper are designed to help organizations be ready for GRC implementation, avoid common mistakes, resolve issues and ensure correct performance of their GRC tools.

Click below to download the thought paper.