Tuesday, December 30, 2014

What is the Driver of GRC

Culture and awareness are the most critical aspects of GRC, and can only be implemented in humans.
The defining characteristics of digitalization are over-complexity, uncertainty and ambiguity. Hence, GRC (governance, risk management, and compliance) becomes more critical than ever. With that as context: how should GRC programs be approached? Should technology be a driver? Can you achieve any level of GRC without automation? Can you achieve any level of GRC without people? What is the real driver of GRC?

Technology is merely a tool, not the driver. Tools make the process more reliable and (to an extent) faster. Without GRC talent, the "automated" software being applied would be useless. For an organization embarking on a GRC program, the program is a journey, and it might be good to start at the top with risk culture (awareness, appetite, attitude, environment, oversight, etc.). You cannot automate all aspects of GRC. However, you can and should automate all areas that don't require human intervention. Manually keeping records of risks, treatment plans, findings, etc. would be completely untenable for the majority of organizations. So would mapping control activities to compliance requirements by hand, since any one control can apply to several requirements. Delivering information about the status of risks to all risk owners at all levels of an organization would be equally challenging. You can't automate human judgment or decision making, but you can certainly automate a lot of the mechanical activities in GRC.

Governance, risk, and compliance are not a single process, but a collection of processes (and other governance mechanisms, such as roles). Indeed, many of the elements of those various processes could be automated. However, any GRC software solution is only a tool to assist in the administration of the function; people still have to decide how best to apply a tool and incorporate it into their system. The greatest risk lies in the human intervention and decision-making, not in the automated interface. A good compliance system must have morals and ethics incorporated into it, something a software application cannot do! On the other hand, these types of applications do make the administrative tasks of the function much easier to handle and less work intensive. Technology is a means to work smarter, not harder, and that should be one of the many factors considered when choosing a GRC solution.

It is a question of balance. When technology is not properly utilized, it produces results that are not optimal for the situation at hand. Judgment is required to select, install, operate, and utilize any GRC function, whatever its technological capability. That judgment requires a human brain at present. There are automated compliance monitoring tools that work very efficiently and effectively, but the applicability of an automated solution depends on the situation within the organization. Always go back to that old chestnut of "people, process, and technology" to address business issues; it works in the GRC world as well. It is critical to look at culture, staff training, existing processes, and existing technology first, make improvements if necessary, and only then determine whether new tools would be a good addition to the mix. Overall, compliance monitoring software may be a beneficial part of a GRC program, but it can't and won't be a silver bullet for compliance woes.

Because culture and awareness can only be implemented in humans, you cannot have effective GRC without them. Technology is an enabler and makes things possible that would not otherwise be possible. Used properly, technology is a tool that helps people manage, but there is no such thing as "technology alone"; the human factor is crucial. Technology can automate mundane business processes and free people to focus on the areas where it cannot replace the human touch. Governance in particular cannot be completely automated; governance is a fundamentally human activity.

And in the end, you must understand a task before you automate it. Still, technology plays a more significant role than ever, whether for a GRC program or for the business as a whole. This is the 21st century; GRC without automation became impossible about the same time the first accounting programs were released. Technology is a necessary tool, but not a sufficient condition, for GRC. Whether in the form of basic productivity tools such as spreadsheets and databases, or of purpose-made applications, it simplifies the massive data acquisition and reduction tasks associated with GRC (which includes, but does not subsume, governance). Automation itself has been defined as:
1) the technique of making an apparatus, a process, or a system operate automatically
2) the state of being operated automatically
3) automatically controlled operation of an apparatus, process, or system by mechanical or electronic devices that take the place of human labor.

Human behavior, the desire for simple results, etc. continue to make the "TOOL" the ANSWER, rather than what it was developed to help do. That kind of focus, together with vendor marketing that promotes products as the answer rather than as a tool, perpetuates the false hope of a one-size-fits-all solution. Regardless of the subject or process, automation is only a "TOOL." It is never the answer to the process. Humans must use the information it produces, within the process they have developed, to make wise decisions and manage GRC effectively.
