Why the benefits of GRC technology spend are slow to materialize

Gaining broader insight and quicker response to risk a high priority

A key to realizing the benefits of governance, risk, and compliance (GRC) technology spend is in the way an organization integrates the technology. Like the nervous system in the human body, a coherent enterprise governance, risk, and compliance (eGRC) platform must sense and adapt to new data formats and sources, account for evolving risks, and make coordinated use of all the technology that can help handle the load to produce meaningful and actionable insights.

Where are we now?

Boards of directors, risk and audit committees, and GRC leaders across industries are asking themselves if they have what it takes to keep up with exponential changes in the risk and regulatory landscape. For the last decade, overall GRC program development has progressed, but the benefits of GRC technology spend are slow to materialize.

With more to handle, risk functions that traditionally handled risk and control assurance centrally have pushed monitoring further into the business where risk is owned—which is to say, into the laps of people whose primary job is something else. The good news is that the risk management activities are now closest to the risk source in the business, which accepted GRC frameworks see as a positive move. However, business risk owners need help to ensure both efficiency and “payback” for their efforts in contributing useful risk-related data, which enterprise risk functions need to consume in order to monitor organizational risk and exposure that may impact overall strategic business objectives and risk appetite.

As new, simpler, and seemingly more efficient surveillance-level systems, models, and other monitoring utilities propagate in the businesses (along with the continued realm of workarounds, models, manual methods, and use of spreadsheets), it becomes harder for organizations to integrate the growing stream of structured and unstructured risk and performance data points into coherent eGRC platforms that generate quick, useful insights at the enterprise level. Specifically, there is a greater need to correlate risk-related data, determine root cause, and make smarter, quicker, and more efficient corrections.

Throwing technology at the problem is only a partial solution. If you think of GRC as a technology implementation, you’ve limited its power from the start. A key is in the way an organization integrates the technology. eGRC is an intelligence system.

Like the nervous system in the human body, it must sense and adapt to new data formats and sources, account for evolving risks, and make coordinated use of all the technology that can help handle the load to produce meaningful and actionable insights.

The highway to an intelligent eGRC system

The GRC journey has been a bumpy one for many organizations. The fast-paced development of risk types and data volume presents a challenge that’s hard for all but the most advanced GRC systems to keep up with. This is the time not merely to press harder on the accelerator, but to revisit the road map and take a broader view that converts the road into a highway using the latest technologies and makes them work together as an effective whole.

The good news is that the current generation of technologies, when paired with a strong eGRC tool on a properly architected enterprise data platform, can consolidate disparate data points into harmonized themes to significantly accelerate the speed of insight across disparate data formats, completing the nervous system referred to earlier and achieving an impressive return on investment.

A returned focus on the early effort of enterprise and object data harmonization is important to reducing anomalies in core data structures and leveraging the taxonomy work started early in the journey, but in a more modernized structure.

What you can do now to future-proof your GRC program

To keep pace with the changing environment and take advantage of what integration can offer, now is the time to modernize and transform GRC to begin to capture the real returns. If the original intent of an eGRC platform and applications was to create the capability to correlate disparate points of data into risk themes and to drive rationalized action quickly enough to mitigate the risk event or its impact, technology must now draw from an advanced toolkit to complete the mission to finally deliver exponential returns.

Organizations looking to on-ramp onto the GRC highway need to first understand their current GRC program’s capabilities and their desired future state goals. With this information in hand, organizations can have a clear understanding of where their gaps are and what capabilities they’ll need to enhance. To get there, organizations need:

  • A deep understanding of the various technologies eGRC utilizes, from surveillance systems to eGRC systems of record and common processes
  • An enterprise-wide view of current underlying data structures and taxonomies, and harmonization goals
  • Awareness of the common pitfalls in organizations and strategies to help avoid traps, including cultural/adoption challenges, sponsorship and monetary limits, and timeline delays
  • A roadmap that details the steps from current state to future, desired state, and expected benefits to the organization

Starting with a thoughtful plan to design a sustainable enterprise risk data platform architecture capable of handling the pace, volume, and format of modern risk data tied to themes supported by business strategy is no doubt a powerful anchor point. Organizations can achieve some early wins.

The implementation of a single eGRC technology used to be the end-game. Now, it’s a key component of the combination of platforms, applications, and cognitive processes that morph into intelligent GRC—the nervous system. When these attributes are effectively combined, organizations should start to see the returns that have so long been promised.

Let's talk

Kristen L. Gantt
GRC leader
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 732 915 6106
kgantt@deloitte.com

 

Devin Amato
Principal
Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 913 706 2491
damato@deloitte.com
