Your GRC function may be obsolete—or not. The truth is, you might not even know!
Heer Chheda
Nov 11, 2024
As a leader, you might not realize that your function accumulates debt—not financial debt, but technical and procedural debt, which builds up quietly over time as systems age and processes go unchecked.
As your GRC function matures, minor inefficiencies can snowball into much larger issues. What was once cutting-edge is now outdated, creating friction that affects your ability to deliver value.
Knowing obsolescence
The Obsolescence Index (OI) has been used to understand where organizations stand: it is a concept that reflects the maturity or inefficiency of the GRC function. It synthesizes metrics such as inherent risk levels, process efficiency, and compliance effectiveness into a single comprehensive score. But it is often seen as a starting point, not the full answer. The OI gives you a cursory view of what may be lagging, but you will need to dig deeper to understand what is actually broken.
Understand your function’s obsolescence
Research shows that organizations relying on outdated GRC systems may lose up to 25% of their time on manual tasks. However, the issue extends beyond just time loss. The operational hurdles inherent in these manual processes can create significant inefficiencies, not to mention delays in decision-making that could tarnish the overall image of the GRC function.
As GRC leaders, getting the board to see value in the GRC function is somewhat of an uphill battle. Of course, they see GRC as non-negotiable—without it, the company faces catastrophic threats—but the feeling of constant firefighting security issues can lead them to question the value of the GRC function. This can cause the board to see the GRC function as a cost center.
The fight only gets tougher with time. Breaking cognitive dissonance, especially in this regard, can be particularly challenging. This also means that GRC leaders will, for the most part, be without a seat at the growth table, leading to undermined credibility and a restricted ability to influence the organization’s strategic direction.
Solving the dissonance through tech
Forward-thinking leaders have a clear grasp of the challenges technology can bring. In most cases, tech is an area that does not get ignored—leaders know how to address the shortcomings with tech.
But you know what gets tricky?
Knowing when to upgrade your tech
As tech starts to show its age, often around the three-year mark, the signs become harder to ignore. This is especially true for companies that are looking for rapid expansion. If your technology can’t keep up, it could cause serious inefficiencies and potential security risks.
One telling indicator of these challenges is a siloed approach within your organization. When teams operate independently, collaboration suffers, and technology only exacerbates the issue. Processes become convoluted and isolated, rendering them counterproductive over time.
Operational transparency is another indicator. When your existing tools lack the ability to provide clear visibility into workflows, it becomes challenging to optimize them and make more informed decisions.
Much like operational transparency, functional issues directly point to obsolescence. Frequently encountering problems such as slow response times, glitches, or software crashes indicates that your current system is struggling to keep pace.
Another problem companies face with their tech is striking the balance between specialized and generalist solutions. Each choice has consequences—choosing too many specialized solutions increases operational costs, not to mention dependencies on experts who understand the process as well as the solution. This could also lead to hiring challenges. On the other hand, choosing generalist solutions means a lack of depth and nuanced features, and companies opting for this option quickly find themselves back on the market.
The trick here really lies in gaining a clear understanding of what tech is meant to do. Tech leaders need to think deeply about which functions require depth, which need to be prioritized, and which absolutely need technological intervention. They also need to look at solutions that blend well together. This eliminates shadow IT completely and ensures that applications talk to each other and facilitate transparency, data sharing, and collaboration.
It’s essential to continuously assess the effectiveness of your technology. This involves more than just routine operational checks; it requires a thoughtful examination of how your tech stack enhances GRC processes and aligns with your broader organizational objectives.
As your technological environment continues to evolve, it’s crucial to stay ahead of potential risks, which involves continuously scanning for emerging threats and understanding new vulnerabilities.
Rethinking GRC
To rethink the GRC approach within your organization, it’s crucial to see it not as a set of isolated components but as a unified philosophy that drives performance across all facets of governance, risk, and compliance. This essentially creates systems that weave integrity directly into the fabric of your organization’s philosophy.
- Fostering a strong culture: Great performance is more than a goal—it’s a mindset that must resonate throughout your organization. It begins with your leadership, which sets the standard for integrity, transparency, and accountability.
- Aligning GRC functions: Companies must ensure the integration of governance, risk, and compliance functions so they drive all business operations, not as an afterthought but as a cornerstone of strategy.
- Execution: Build systems that are capable not only of preventing and correcting undesirable conduct but also of proactively recognizing and rewarding behaviors that align with your organization’s overarching objectives.
- Continuous improvement: Organizations must regularly evaluate how well their strategies and actions align with objectives. The continuous cycle of evaluation, adaptation, and improvement helps your organization stay agile and responsive to the complexities and uncertainties of the VUCA environment—Volatility, Uncertainty, Complexity, and Ambiguity.
The performance of your GRC function should be more than the sum of its parts; it should be a dynamic, interconnected organism that not only protects but also propels the organization forward.
Recognizing humans as assets
While technology can create automated safeguards, people drive the culture and processes that uphold those safeguards. Yet, paradoxically, people also pose the greatest risk to the organization. After all, human error, negligence, or misunderstanding of roles and responsibilities are often at the core of security failures.
It’s important to acknowledge that humans are inherently a source of risk—not always because of malice but because human nature is fallible. To truly address human risks, it’s crucial to measure and understand them. Quantifying these risks is essential—tracking performance and vulnerabilities not only gives insight into potential issues but also allows you to gauge the effectiveness of any interventions.
Quantify human risks.
According to a study by the Ponemon Institute, organizations with unclear roles often experience higher rates of security incidents due to human error.
Training and periodic checks are essential here—people need to perform their roles and also internalize why their actions matter in the broader context. Just as systems and software undergo rigorous testing, so should your human-centered processes. Regular testing and drills—whether responding to a security breach, handling a compliance audit, or managing a risk event—are crucial to ensuring that people can act confidently and competently under pressure.
As your organization grows and evolves, so does your culture—and with it, new risks and challenges emerge. This is why your GRC function needs to complement your organizational culture and adapt alongside it.
Your organization’s culture is the driver of behavior—and by extension, the driver of security, risk management, and compliance. The people who make up your workforce are continuously shaped by the organization’s culture, which means that a security-first mentality requires you to nurture a culture that supports it.
Should you be adding value or preserving value?
OCEG’s GRC capability model emphasizes the critical need to strike a balance between creating value and safeguarding that value. This dual focus ensures that organizations not only pursue new opportunities but also protect their assets and reputation effectively.
The interplay between value addition and value preservation highlights a crucial balance, often viewed as the offensive and defensive strategies in business. Value creation focuses on growth, expansion, and pursuing new opportunities, while value preservation safeguards gains, ensuring stability and continuity.
From a board’s perspective, value creation often dominates ROI discussions, while preservation is overlooked. The distinction is clear: creation seizes opportunities, acting as an ‘offensive’ strategy, while preservation protects momentum, serving as the ‘defensive’ counterpart.
Think of it like maintaining momentum in a marathon, where preserving energy between sprints is just as important as the sprints themselves.
While technology acts as a catalyst for efficiency and growth, the human element—which is rooted in communication, collaboration, and shared vision—ensures that these advancements lead to sustainable success.
Understanding the dynamic between value creation and value preservation sets the stage for embracing a philosophy of continuous improvement. This philosophy doesn’t merely seek to balance these two elements; it aims to position them in a way that ensures they complement each other.
Crafting the winning argument
When your Governance, Risk, and Compliance (GRC) function operates smoothly and effectively, it creates a compelling narrative of value and performance that resonates with leadership.
The tangible outcomes of a well-run GRC program form an unspoken argument that advocates for its importance. Breaking cognitive dissonance becomes easy if you’re able to consistently demonstrate your function’s impact through valued performance. And that’s how you win arguments in the boardroom without having to say a word.