Steve McGraw, the GRC president for SAI Global, regularly speaks on risk management and GRC topics; when he does, he often pairs the terms "flexibility" and "GRC." As I look ahead to 2013, I've been talking with several GRC and risk management thinkers to get their thoughts on how the discipline may change in the next 12 months. I posed several questions to McGraw about flexibility.
What is "GRC flexibility" and what are its advantages?
Steve McGraw: GRC flexibility is enabled when a company can use a common platform comprised of modular applications to support global, ever-changing requirements. Benefits of utilizing a solution that provides this flexibility include greater utility value and ease-of-use, as well as reduced overhead. Even organizations that are motivated by a specific need, such as incident management in response to increasing risks from whistle-blower allegations, can benefit from utilizing a flexible solution that addresses the immediate need and offers the flexibility of expansion in support of future requirements.
As business becomes more distributed, it can be more challenging to manage compliance and risk. Utilizing a flexible, common GRC platform can make this management more efficient and manageable. Once inefficiencies, redundancy, errors and potential risks are identified, risk exposure can be reduced and performance can be enhanced for the organization.
At a high level, what are the key enabling components of GRC flexibility?
McGraw: A key enabling component of GRC flexibility is the presence of a common technology architecture or platform. When a common architecture is in place, many functions can be managed through a single platform. For example, applications to handle incidents, policies and procedures, laws and relations, corrective action plans and other GRC functions can all be integrated, allowing for multiple departments within an organization to share the same data to manage GRC across many offices and geographies. Once information is no longer stored in different silos, these departments can better integrate and ensure they have the most accurate and up-to-date data available to protect the organization.
From a technology perspective, what are some "dos and don'ts" that GRC professionals developing organizational GRC flexibility need to consider?
McGraw: First, do conduct an evaluation of your current and future GRC needs. When implementing a new GRC strategy, you must realize that it's not just for the present, but also must be able to expand to account for future needs.
Don't forget to consider worldwide offices. If your organization is international, each office shouldn't run off of its own platform with a different strategy. Just as you want your solutions to be integrated, your global GRC strategies must be integrated as well.
Do consider all departments. When working in a single organizational department, we can forget that there are many different departments within the business that are measuring their own GRC activities. Internal Audit, Compliance, Enterprise Risk Management and Third-Party Risk Management are just a few. When adopting a flexible GRC strategy, you should wonder how a modular deployment of solutions that leverage a common platform will benefit these departments, and ensure that each group's needs are covered. Even if your initial deployment is focused on addressing a single, urgent issue for one department, take a few extra steps in the beginning to set the stage for the future.
Don't be overwhelmed by the project. It may seem daunting to overhaul a GRC strategy, but you must focus on the end goal and execute one practical phase at a time. In the end, the organization will enhance business agility and performance and reduce overhead. Evaluating current strategies and changing as necessary to get everyone on the same track can be a large project, but one that will be worthwhile in the end when every department can work off an easy-to-use, common platform.