If you’re considering automating your governance, risk, and compliance (GRC) program, there are dozens of choices out there, and choosing the one that’s best for your program can be challenging.
While many tools out there can document controls and test compliance, managing enterprise-wide governance, risk, and compliance is about much more. It’s about adding measurable business value and contributing to the achievement of strategic goals.
To help you separate tools that have simply jumped on the buzzword bandwagon from tools that will help you deliver business value, here’s a list of five must-have features required to support your GRC or ERM program.
5 Capabilities that will add value to your GRC/ERM program
Is GRC and risk management tied to strategic goals? Senior management is concerned with where your organization is going. Without a connection between risk and strategic objectives, your executive team is unlikely to make risk or compliance initiatives a priority.
Does it directly link activities to business performance? While it’s good to be in compliance and have some risks covered, your risk and compliance program should be aligned with operational goals. This means using metrics and controls that can actionably improve business performance, not just meet requirements or check off a box.
Does it drill down to the process level? Every day your front-line managers are making decisions about risk. Does this software give you transparency into these decisions and will your process-level managers be able to use it?
Is information shared across business silos? Meeting several compliance standards often requires the collection of similar data. Does this software allow information to be collected once and then be reused across silos and functions to prevent double-work?
Does it use SMART business metrics? S.M.A.R.T. business metrics are built at the process level, around root causes, are comparable, and are forward-looking to give you the most complete picture of your risk and compliance program.
Whether your risk management program flies under the banner of GRC or ERM, you need tools that give you transparency into processes and show relationships across your enterprise.
To learn more about these attributes, take the RIMS Risk Maturity Model Assessment today and see how your program compares to industry best-practices.
Comments
On the question of tools for Governance, there are many. For example, there are tools for:
Most of the time, solutions that address 'governance' functionalities are not integrated with solutions for other aspects of GRC. But there are exceptions. For example, SAP's solutions for strategy management, budgeting, risk management, continuous monitoring and controls management, and more are all integrated. You can manage strategies, identify risks to their achievement, and then monitor those risks. A management report that shows a strategy together with both its KPI and KRI is standard in the strategy management product.
Steve, let me use a simile to explain how I feel about the phrases "GRC tools" or "GRC platforms".
Accounts Payable is to Finance as Risk Management is to GRC.
In other words, GRC covers a broad array of processes, organizations, and systems. The OCEG Red Book includes a list of the more common processes that are part of GRC:
ERM is included as an essential part of GRC (the 'G').
Hello Norman. Please keep in mind this is just a short list of technology capabilities that can add value and is in no way a complete one. There is much more to both ERM and GRC; however, many technologies out there are missing this link between front-line activities and strategic goals.
In your experience have you found ERM/GRC tools lack the capacity to manage governance?