An increasing number of companies are integrating governance, risk management, and compliance (GRC) principles into their overarching business strategies. But many organizations lack real practical experience when it comes to implementing a GRC framework, resulting in the potential for some major snafus.
Unfortunately, many organizations underestimate the complexity of GRC frameworks. Let’s explore a few GRC decisions that are virtually guaranteed to backfire.
GRC Decision #1 – You Didn’t Leverage GRC Software and Tools
GRC software provides a company with essential data and metrics — information that is critical for sound, data-driven decision-making practices. These GRC tools collect and centralize data, allowing for comprehensive analysis and data visualization. These platforms are essential for overcoming the departmental silos that tend to exist within a company, allowing for an overarching view of an issue.
Good GRC decisions are driven by data. GRC software tools provide you with that data. Without this information, you could find yourself making critical GRC decisions while viewing just a portion of the big picture. This is a recipe for disaster; one that may not backfire immediately, but eventually, problems will arise.
On the issue of GRC software, understand this: technology is no substitute for a well-developed GRC framework. There is no magical software platform that can take the place of strategy sessions and careful considerations of your risks, policies, procedures, and compliance requirements. Use GRC tools to enhance these processes — not as an alternative to them.
GRC Decision #2 – You Underestimated the Importance of Compliance
Suppose that, as your organization developed its GRC strategy, the decision-makers paid little attention to the issue of compliance because they underestimated its potential impact. In fact, a GRC approach should revolve around the issue of compliance, since the other two components of GRC — governance and risk management — are largely affected by compliance-related matters.
Still not convinced? Consider this: a single data management issue involving a citizen of the European Union (EU) can lead to General Data Protection Regulation (GDPR) fines totaling €20 million or 4% of the company’s worldwide turnover for the prior fiscal year — whichever figure is higher.
Another example of non-compliance can be found in JPMorgan, which was slapped with $200 million in fines after the company admitted it allowed workers to communicate with clients using WhatsApp on their personal mobile devices. This constituted a violation of record-keeping laws, which require companies in this business sector to maintain an auditable log of all communications with clients.
Companies in highly regulated business sectors, such as finance and healthcare, are at the greatest risk of encountering issues with non-compliance. But all companies must take the issue of compliance very seriously because some risks — such as a GDPR fine — can be handed down to any organization (for example, any company with a website could potentially be subject to a GDPR fine).
To avoid these pitfalls, consider compliance first as you begin to develop your GRC strategy. Take the time to thoroughly research all of the legal and regulatory compliance issues that you could potentially confront. Then, strategize, develop and implement measures that will reduce risk and maintain governance for each of those specific compliance issues.
GRC Decision #3 – You Don’t Have a Universally Accepted Definition of Risk
To be successful in the realm of risk management, everyone needs to agree on how risk is defined — only then can you develop an effective GRC strategy. Without an agreed-upon definition of risk, you are highly likely to end up with a fragmented strategy that fails to thoroughly address an organization’s true vulnerabilities and risks.
What’s worse, the absence of a company-wide definition of risk can lead to an environment where many true risks are not even reported. If risk-related events or vulnerabilities are not reported, they cannot be addressed and mitigated. Therefore, what you have — at the end of the day — is a missed opportunity to avert disaster.
In addition to arriving at an agreed-upon definition of what constitutes risk, an organization should also have a defined process in place for reporting risk-related incidents and situations, and for dealing with those reports. In fact, this dovetails with the next GRC decision that is virtually guaranteed to backfire: poor policies and procedures.
GRC Decision #4 – You Didn’t Implement Well-Defined Policies and Procedures
A company may spend countless hours developing an incredible GRC strategy, but it is virtually useless if the organization lacks the well-defined and well-articulated procedures, policies, and protocols that are critical for putting those strategies into practice. This represents a major GRC-related threat and is one of the most common bad GRC decisions made even though it is absolutely avoidable.
Falling under the realm of governance, a company’s policies and procedures must be developed, clearly articulated, and then shared in a centralized way that resonates with the individuals who are expected to put them into practice.
To avoid this unfortunate pitfall, you must involve representatives from throughout the organization to develop policies, procedures, and protocols that reflect your GRC strategy and your business philosophies as a whole. Do not assume that a particular rule or policy exists in writing. You must perform a comprehensive, in-depth review of the company’s operations to ensure that everything is properly addressed. Best practice is to develop a task force that can periodically revisit the company’s policies, procedures, and protocols to ensure they are thorough and remain relevant.
GRC Decision #5 – You Lack a Method to Quantify Success
GRC requires ongoing attention; it’s not a one-and-done sort of concept. An organization must revisit its GRC framework and strategy on a regular basis. But how do you move forward if you’re uncertain of how effective your GRC-related efforts have been? You need a clear idea of where you’re succeeding, where you’re failing, and where you could improve.
If you lack a method for obtaining an objective measure of success, you’re essentially shooting in the dark with no light to determine if you hit the target or the wall. You need to turn on the light. For GRC, that means establishing key performance indicators (KPIs). These goalposts for success must be quantifiable, specific, and time-bound. Determine what data should be collected and analyzed in order to evaluate how well the organization is achieving an objective. And finally, schedule regular evaluations to determine areas of success and failure.
By properly addressing the important issues of governance, risk management, and compliance, an organization will see across-the-board benefits. But with an issue as complex as GRC, many companies find that they need an experienced guide who can lead the way. At iTech, we have extensive experience in the area of GRC and risk management. We invite you to contact the iTech team to discuss GRC and how our GRC solutions will benefit your organization.