A quick look at GRC
With organizations across various industries having to cough up massive fines for non-compliance, some are left to wonder whether the current Governance, Risk, and Compliance (GRC) approaches simply don’t work.
Organizations are looking for a robust GRC program that will enable them to manage compliance with regulations and internal policies, improve information security practices and streamline audits and remediation activities.
As regulations continue to mount, there is a constant barrage of new guidelines to adhere to and new initiatives being pushed forth in order to mitigate risk. Needless to say, risk and compliance groups are finding it daunting to keep up. There is also the challenge of growing cyber security threats, further compounding the problem with GRC.
While there are a plethora of problems organizations face with current GRC processes and tools, we will highlight the five top challenges that we’ve witnessed across multiple industries and organizations:
Challenge 1: The lack of a unified vision leads to an organization-wide culture of non-compliance
Organizations across the board typically function in silos. Every department or business unit has its own data, technology, processes, stakeholders, and its own compliance requirements to meet. Too many silos, with their lack of integration, render risk and compliance processes ineffective. These processes are not workflow driven and do not provide integrated reporting or transparency.
As technology continues to evolve, business units across the organization purchase tools and invest in technology that have been developed to address specific challenges or meet specific business objectives. While this investment has certainly resulted in improved efficiencies, it has also further compounded the problem of silos that exist within organizations. Subsequently, these tools gather a tremendous amount of data that can help enterprises make intelligent business decisions; however, this data is not aligned to relevant business information.
Challenge 2: Lack of a comprehensive GRC framework
Businesses that are running fast and successfully have been able to do so because they’ve taken the time to develop a flexible and comprehensive GRC framework. As business opportunities evolve, so do regulations.
When business units seem solid on the surface but are not adequately integrated, this further complicates the process of developing a well-crafted, comprehensive GRC framework. While it is true that every department or business unit has its own goals to achieve and needs to address, there also needs to be a close alignment between these processes and the overall organizational goals.
It is also important to define a strategy that brings all of this relevant, insightful data together, and prioritizes critical tasks and high-impact audit activities, in order to enable enterprises to make well-informed risk management decisions and mitigate exposure to incidents that cause loss or risk.
Challenge 3: Addressing demands from governments and regulatory organizations
One thing is certain: risk and compliance mandates are here to stay, as government regulators seek to exert control over organizational practices through stricter compliance requirements.
While most organizations have a risk and compliance group to address this ongoing demand, it is important to note that compliance is, in fact, an organization-wide responsibility. Even if only one department or business unit does not comply with the requisite standards, it will affect the entire organization. It is therefore essential to embed compliance into every business unit and into the culture across the organization. This means specific policies and processes have to be put in place to address compliance consistently across the organization.
Efforts should be made to keep a steady link to GRC so that new regulations can be immediately integrated across all business processes. A flexible GRC framework also helps you to be better prepared to meet the requirements of changing regulations.
Challenge 4: Too many manual processes continue to persist
Current GRC processes and tools have forced analysts to turn to manual processes and disparate tools to find insights, an inefficiency that has rendered enterprises unable to meet compliance mandates. There are a variety of complex business processes supporting business operations that are closely linked to multiple IT systems, some of which may still be manual.
Risk and compliance groups are bogged down by archaic processes, with GRC documentation distributed across spreadsheets, emails, phone calls, and various other tools. This has obviously amplified the risk of a lack of accountability and follow-through, and subsequently a lack of visibility into ongoing GRC management.
It is alarming to realize that the organization is not aware of who is reviewing what and what actions are being taken, and that there is no audit trail, which may even lead to fabrication or deception. Manual GRC processes do not provide any kind of intelligence. Analyzing, reporting on and making sense of large sets of data collected from manual processes, in order to derive relevant insights, not only requires time but is prone to error.
Challenge 5: Lack of alignment between the culture of the organization and GRC
The culture of governance will have to start with top-level executives. They will have to initiate a transformation within the corporate culture to take risk and compliance management seriously. This will require an organization-wide initiative to educate, embrace change and obtain buy-in from all stakeholders involved. There should be ample information disseminated across the organization in order to achieve buy-in at all levels. While working towards developing a robust and flexible GRC strategy is crucial, it is even more crucial to ensure that it is being implemented at all levels. While businesses may not cause a drastic shift in mindsets overnight, setting the right processes in motion will be critical in changing the status quo.
As organizations are increasingly looking to implement GRC strategies to drive accountability, security, efficiency, and visibility across the organization, we also understand that getting started with GRC can be challenging.
How can businesses address these challenges?
Here are a few suggestions for business leaders on how to ensure an effective enterprise-wide GRC journey to manage uncertainty:
- Adopt a proactive approach in monitoring critical controls: while a tremendous amount of time is spent on managing risk requirements, there is a glaring lack of focus on ensuring that critical controls are being monitored carefully, which would help enterprises be adequately prepared to address new, high-impact risks.
- Plan change management: complying with a rapidly increasing set of regulations can seem overwhelming, so it is vital that you embed GRC into your corporate culture. Change management is essential to ensuring success in aligning corporate culture with governance, compliance and risk management, and this has to start with top management.
- Prime your organization before looking into software solutions: before you start shopping for software solutions, it is vital that you assess and monitor your organization’s current risks. Evaluate whether there are sufficient controls in place, how they are working, and whether you need to add or modify any, based on your analysis. You will then have to create the GRC framework. The focus should not just be on IT, but on the people and processes involved as well.
- Find the right integrations: consider implementing integrations that can help increase the efficacy of your GRC programs. These will enable you to manage risk more proactively, through automation, and by bringing data together from multiple siloed tools and stakeholders into one location.
- Find the right partner: consider partnering with a vendor that can provide effective assessment and recommendations for GRC challenges and help streamline compliance, risk, audit and vendor risk management. Be sure that they can convert evidence collection and remediation tasks into structured response engines that use intelligent workflows, automation and IT connections.
How ServiceNow GRC can help you address these challenges:
Several businesses are leveraging ServiceNow GRC to manage their governance and risk framework, monitor compliance, obtain reliable, real-time insights and facilitate efficiency and transparency. ServiceNow GRC is designed to meet the following objectives:
- Migration from multiple tools to a single platform
- Single repository for all governance, risk and compliance information
- Automation of evidence collection and remediation
- Ability to track all control & remediation activities
Here are specific use cases of ServiceNow GRC that help you address these challenges:
Use Case 1: Compliance Management
ServiceNow integrates with Unified Compliance Framework (UCF) and acts as a central repository for all your authority documents, whether they are regulations like SOX or PCI, industry frameworks like COBIT, or internal policies, standards and standard operating procedures.
Use Case 2: IT Risk Management
ServiceNow’s Risk Management application assists in the continuous monitoring of risks that can negatively impact business operations, and it provides structured workflows for the management of risk assessments, risk indicators, and risk issues. The application provides ways to organize categories of risks to normalize risk scores across the organization, consistently assess risks using best-practice workflows, and report on the financial and statistical impacts of risk to the organization.
Use Case 3: Audit Management
The ServiceNow GRC application can be used by internal audit teams to document and track the phases of the audit cycle: audit planning, audit risk assessment, audit project management, time management, issue tracking, audit work paper management, audit evidence management, and reporting.
Use Case 4: Vendor Risk Management
ServiceNow GRC can also be used for the management, measurement, and reporting of vendor- and third-party-related risk. Leveraging the Vendor and GRC applications, a Vendor Risk Assessment process can be configured using assessments and workflows. The responses to the assessments can be validated and scored.
Use Case 5: Business continuity planning / disaster recovery
ServiceNow can automate most aspects of ongoing Business Continuity Planning & Disaster Recovery (BCP/DR), because it is a natural extension of both Service Management and Governance, Risk, and Compliance.
As a ServiceNow Gold Services Partner, we have proven success implementing ServiceNow GRC through our work at multiple large organizations. INRY partners with clients to develop a multi-phased approach that allows clients to quickly recover value while building the experience needed to further determine business needs. If you are looking to get started, or just want to learn more, we’re happy to talk.