Friday, January 23, 2015

GRC Methodology vs. Technology

Go back to the old chestnut of "people, process, and technology" to address business issues, and it works for GRC as well.

Digital technologies bring significant opportunities and risks to today's businesses. Hence, GRC (governance, risk management, and compliance) plays an increasingly important role in running an effective organization. GRC methodology vs. technology: how do you balance the two to improve organizational agility and maturity?

Technology is merely a tool, not the driver. Technology is a means to work smarter, not harder, and that should be one of many factors when considering a GRC solution. For an organization embarking on a GRC journey (the GRC program; always remember it is a journey), it is good to start at the top with risk culture (awareness, environment, oversight, etc.) as a key consideration as well. You cannot automate all aspects of GRC; however, you can and should automate all areas that don't require human intervention. Manually keeping records of risks, treatment plans, findings, etc. would be completely untenable for the majority of organizations, as would manually identifying which control activities relate to which compliance requirements.

You must know what's available and what you need before you can possibly manage GRC effectively. If you've been put in a situation where technology is already in place, take a step back and make sure it's the right solution. The folks using the technology will be able to tell you what works and what doesn't. One major complaint about GRC solutions is that most of them can't keep up with new regulations: they may have the data but can't update their software fast enough. Keep that in mind as you choose a solution. Delivering information about the status of risks to all risk owners at all levels of an organization would be equally challenging to do by hand. So you can't automate human judgment or decision making, but you can certainly automate a lot of the mechanical activities in GRC.

GRC is actually a collection of processes, and many of the elements of those processes could be automated. Compliance is a consequence of applying governance and risk management to a selection of suitable (internal and external) mandates and standards; nobody gets it all right all the time. It is a question of balance. There are situations where technology was used poorly and, conversely, where it was not used at all. Both had results that were not optimal for the situation at hand. Judgment is required to consider, install, operate, and utilize any GRC function, whatever its technological capability. That judgment requires a human brain at present.

There is no such thing as "technology alone"; the human factor is crucial. But technology can automate mundane business processes and allow you to maximize efficiency in the areas where technology cannot replace the human touch. Can you achieve any level of GRC without automation? Can you achieve any level of GRC without people? Culture and awareness are the most critical aspects of GRC, and they can only be implemented in humans. You cannot have effective GRC without them. Technology is an enabler that makes things possible that would not otherwise be possible, but you can implement GRC without it.

So, go back to that old chestnut of "people, process, and technology" to address business issues; it works in the GRC world as well. Organizations are more complex than ever, so applying some very robust tools well is essential to GRC implementation. However, it is critical to look at leadership, culture, staff training, existing processes, and existing technology first, make improvements where necessary, and then determine whether new tools would be a good addition to the mix.
