GRC Tuesdays: Get Rid of the Myths, Make a Step towards a GRC Digital Transformation, Part Two
In Part One, I identified four of the myths that I commonly see preventing companies from transforming their governance, risk, controls, and compliance. Today, I’ll reveal the rest in my Top Ten list.
5. IT needs to lead the GRC project.
GRC is powered by technology, but that doesn’t mean that IT will lead the project. The objective of GRC is to centralize all risk management areas (internal control, risk, audit, compliance, IT) and unify them into a single source of truth to promote oversight of the company.
Because IT knows technology, and risk areas know about risk and compliance activities, in a successful GRC implementation process, they both play a fundamental role in supporting the initiative, while risk areas lead the project.
6. GRC is difficult and takes too much time to implement.
It is true that implementing a GRC solution is a demanding project. It demands that you review and update information, business processes, risk maturity levels, business process owners, and so on. If your company doesn’t have a solid risk and compliance practice, then your GRC project will take more time as you construct that solid infrastructure in order to start taking advantage of the benefits of the solution.
But the good news is that all these pieces are part of the GRC implementation. And you can also start by implementing one module at a time (take a look at the next “myth”).
7. To have the benefits of GRC, I must implement the complete functionality.
One of the benefits of SAP solutions is that they are modular. SAP solutions for GRC are focused on the Three Lines of Defense framework, so you can start by implementing the most mature line (controls, risk or audit) and go from there.
For example, if in your company the risk management process is the most mature, you could start using SAP Risk Management to start aligning your risks with business value drivers. Or, if your auditors and audit reports are spread across the enterprise, centralize their efforts in SAP Audit Management to optimize your resources and gain visibility of assurance.
If two of the three Lines are solid (like controls and risk management), you could preserve and grow business value by adding in the functionality of SAP Process Control and SAP Risk Management to share processes, risks and controls across the enterprise.
The key is not to give up until you have everything ready, whether you start with the most mature Line or start maturing all your Lines at once.
8. GRC is expensive.
If you’re evaluating the investment of money to acquire a GRC solution versus the cost of doing manual activities, then you will probably identify it as being expensive.
But be careful with this evaluation—because it fails to take into account the benefits provided by an automated solution:
- Increase scope and coverage for risk mitigation activities to safeguard the company.
- Reduce the cost and time of detecting cash leakage, fraud, or anomalies early, to avoid financial losses.
- Reduce ongoing risk and compliance cost for the demonstration of compliance.
- Improve team effectiveness and efficiency.
Having contemplated all that, do you think that changes the cost/benefit analysis?
By the way, it’s important to mention that now, there are many flexible deployment options to reduce time and cost to implement GRC in your company. Please ask your SAP contact to provide you with the latest information about SAP Analytics Cloud.
9. GRC is a nice-to-have, not a must-have, solution.
We have never faced so many risks in the past as we do at this moment. We face financial, operational, reputational, technology, compliance, environmental, human capital, and governmental risks. Translating this, we face more complicated frauds, cash leakage, anti-money laundering, data protection, cybersecurity attacks, modern slavery, social media, new governments, and so on…
Companies need visibility like never before—to know what they’re facing, so they can avoid or mitigate the impact or the probability that something undesirable will occur. A modern GRC strategy isn’t just desirable—it’s necessary.
10. We don’t need a GRC Solution.
It is difficult to argue against this way of thinking because sometimes, it’s due more to a cultural attitude than a pure business decision. Sometimes people or companies aren’t proactive—they just react until something happens to them and/or they suffer a major impact to achieve something. Then they realize the importance of having a risk mitigation strategy.
So, if you’re a supporter of a GRC solution and your company doesn’t see the importance of proper risk management, keep pushing! Raise the importance of the topic and prepare the company for the next level.
Companies are facing too much uncertainty these days to leave their risk management to chance—or to operate under these 10 myths (and misunderstandings) about GRC solutions.
Taking steps towards a governance, risk, controls, and compliance digital transformation will ensure you’re armed with the right information to face GRC challenges however and whenever they come.
Please continue to read all of the blogs in our GRC Tuesdays series