GRC Tuesdays: Get Rid of the Myths, Make a Step towards a GRC Digital Transformation, Part One
In the amazing and exciting years of my life that I’ve focused on topics related to enterprise risk and compliance, I’ve noticed common factors within companies that have made it impossible for them to take a step to digital transformation on governance, risk, controls, and compliance (GRC).
Those factors are based on a series of doubts, misunderstandings, judgments, or obstacles—and all can be defined as “myths.”
Here a list of those myths that I’ve identified. If you’re holding on to some of these myths, just get rid of them. Make a move and support a powerful enterprise risk and compliance strategy.
1. All GRC solutions are the same.
Be careful with this topic. Not all solutions that say they are GRC are truly GRC solutions. Keep in mind the GRC objectives: meet business objectives, safeguard the company, and provide business continuity.
With these objectives in mind, focus on at least these first three principal areas. (Including the fourth is also a great approach.)
- Continuous controls monitoring
- Loss and fraud prevention
- Enterprise risk and audit management
Now you have a better idea of what GRC should do.
2. We can have a GRC solution without a technology solution.
Really? In a Digital World Era, with the Intelligent Enterprise Era now in front of us, how can we “survive” without technology?
I can’t imagine a driver using a paper atlas to get from one place to another, listening to music on a Discman, or a director making decisions without an automated report. Likewise, I can’t imagine a risk, control, and compliance area mitigating enterprise risk without automated hands to help them safeguard the company.
3. We aren’t prepared for a GRC solution.
These days, almost all medium and large companies run on technology. Principal areas like finance, human resources, procurement, supply management, and others operate day by day using automated solutions.
If the risk area doesn’t operate at the same rhythm as the business processes, there is an increased risk that the company will suffer an incident or damage. So the discussion should be about remedying the risk caused by manual controls, not about worrying whether you are prepared.
You are already living with the risk, so the decision is: how much risk appetite do you have?
4. First we have to clean the house, then we’ll think about GRC.
In all these years, you have been in the same position—what will be different this time? The model is not scalable. You’ll be investing time and cost once again in cleaning, updating, compiling, consolidating, researching, and preparing all the information. Then, three months later you’ll be in the same situation.
Just take advantage of a GRC solution and you won’t find yourself in that situation again. Instead, you will respond faster to the circumstances.
Stay tuned here for Part Two.
Read the rest of our GRC Tuesday blogs for tips and info on a variety of subjects, including security, the three lines of defense, GDPR, and more.