As the risk landscape continues to evolve, the importance of governance, risk and compliance (GRC) data to organizations’ risk management strategies grows.
The pace of change in risk — in both the number and type of risks organizations face — has elevated risk management to a board-level concern. Risks coming out of left field have the potential to derail businesses. You need to be proactive in keeping track of the threats you face and your effectiveness in mitigating them.
This demands a comprehensive and methodical approach to data — something that many companies aspire to, but few fully achieve.
Here, we outline a data-driven GRC methodology that will give boards a robust framework for managing, using and acting on the GRC data within their business.
What Is Data-Driven GRC?
The term “data-driven GRC” has become part of business jargon, but what do we mean by it?
Data-driven GRC describes an integrated approach to risk that consolidates functional and technological methodologies — and as a result, enhances organizations’ ability to tackle the risks they face.
Who Are the Stakeholders in GRC Processes and Technology?
The Institute of Internal Auditors’ “Three Lines of Defense in Effective Risk Management and Control” defines three role-and-responsibility led functions:
- Those who own and manage risks (management; the “first line”)
- Those who oversee risks (risk, compliance, financial controls, IT; the “second line”)
- Those functions that provide independent assurance over risks (internal audit; the “third line”)
Acting as an umbrella across all these functions is the board, setting corporate strategy, prioritizing the corporate risk focus and determining the direction of travel when it comes to risk management.
Why Technology Shortcomings Are Undermining the Three Lines of Defense
The advent of Sarbanes-Oxley accelerated organizational take-up of technology as a means of managing risk. But even nearly 15 years later, technology is typically used far more on a departmental or point solution basis than in a holistic way across the organization.
This lack of unity and consistency regarding GRC data capture and analysis impacts an organization’s ability to detect and respond to risks. How does this negatively impact each of the “three lines of defense” and, significantly, the business’s overall risk effectiveness?
For the third line of defense — the internal audit function — recent years have seen a shift from cyclical auditing and testing to ongoing oversight and review of risk processes and controls. Their role has evolved from auditor to risk business partner, providing guidance on GRC data and process best practices.
This hasn’t, though, been matched by improved use of technology. Auditors identified the need for more effective use of technology as one of the industry’s enduring issues. While internal auditors have been known to act as champions for new risk technologies, adoption is inconsistent; 83% of auditors surveyed felt that their business was slow to adopt the technologies available.
For those in the second line, in other risk and compliance roles, specialized software is occasionally used. However, many teams rely on basic office software to keep information relating to risks and controls.
Different teams and business streams often use different solutions, resulting in challenges in comparing and reconciling GRC data across the organization. In many instances, the software used may be sufficient for a high-level overview but cannot interrogate this data to drive actionable insights.
This shortcoming extends up to the first line of defense, management. In some organizations, specific technology has been introduced to deal with particular risk pain points. Still, on the whole, companies tend to rely on core business systems for their risk controls.
These complex ERP systems can be comprehensive, but somewhat ironically, this comprehensiveness can be their Achilles’ heel when it comes to usable GRC data. Certain control settings are often disabled to improve the system’s efficiency, reducing its value as a risk control mechanism.
Moving Toward a Data-Driven GRC Approach
So we have identified how and why boards’ attempts to master risk are hindered by their current GRC data approaches. What needs to change for success?
A data-driven approach to GRC doesn’t just make risk more relevant to the strategic corporate agenda — it maximizes the value of your efforts by making GRC data actionable from a board perspective.
Defining a GRC Methodology
A clear and simple GRC methodology is the key here. Businesses need to put in place a basic process for defining risks, identifying controls, testing and tackling resulting issues — in a way that connects directly to the broader organizational risk agenda.
In practice, this means:
- Identifying corporate risks at a strategic level
- Assessing them for their potential impact
- Developing coordinated risk mitigation plans that span different functional areas
- Defining specific key objectives for each activity, so that any risks to progress can be isolated at a granular level
Evaluating Your Risk Management Controls
Implementing this methodology is the first stage — but many firms stumble at step two. Testing and evaluating your risk controls is vital, especially in today’s world, where the speed of change means previously unknown risks can sneak up on you.
The key? Leveraging next-generation testing methods.
What do we mean by this? Essentially, it means applying technology to your risk controls and testing. Traditional, manual ways of auditing and evaluating governance, risk and compliance effectiveness and capturing GRC data have proven ineffective and unreliable.
Next-generation testing analyzes the systems and sources of risk data, using methods including transactional data analytics and activity monitoring tools. Using better data and carrying out better tests on it significantly raises your game when it comes to GRC.
Integrating GRC & Data Analysis Methodology
This is step three in the process and involves:
- Standardizing your approach to testing
- Integrating your next-generation testing with your GRC processes
- Sharing results from testing via dashboards and visual reporting that connects the findings to your strategic aims
Continuous Monitoring Drives Real-Time Insight
Speed and relevance are the watchwords here: The fast-moving landscape means that ad hoc or infrequent reporting won’t cut it. Testing has to be automated and ongoing. The technologies that underpin GRC data make it possible for auditing to be continuous, enabling threats to be flagged in real time.
Even better, by “layering” the insight and automation available through GRC technology, visual results can be connected to exception investigations and automated control scheduling — giving the board sight of a GRC architecture that rolls the tactical up to the strategic.
As a result, all stakeholders have a clear view of performance and the actions that need to result.
GRC and Continuous Monitoring = Data-Driven GRC
The final step in this process is the most important: how the organization links the outcomes of its continuous monitoring with the overall risk context.
By enabling the volume, value and trends in identified issues to be automatically fed back into each process and enabling this to drive strategic assessment of risk, organizations join the dots between data and strategy.
This is the real power of GRC data and a data-driven GRC methodology. Harnessing comprehensive and accurate data on the severity and likelihood of potential risks, and combining this with strategic oversight, enables the board and executive team to take real-time, data-led decisions on risk as never before.
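The feedback loop described above can be made concrete. The following is an added example, not code from the article or from Diligent or Galvanize: automated control tests run over a constructed accounts-payable feed, with every exception tagged to the strategic risk its control mitigates so that volume, value and month-on-month trend roll up per risk. The control identifiers, risk names, approval threshold, vendor master and payment records are all constructed assumptions for illustration.

```python
"""Continuous control testing over constructed accounts-payable records,
rolled up to the strategic risks each control mitigates.

Added example, not the article's code. Control rules, risk names, thresholds
and all records below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import date

# Constructed sample payments: the shape an automated feed from an ERP might deliver.
PAYMENTS = [
    {"id": "P1", "date": date(2024, 1, 10), "amount": 4200.0, "vendor": "V100", "requester": "alice", "approver": "bob"},
    {"id": "P2", "date": date(2024, 1, 22), "amount": 15000.0, "vendor": "V100", "requester": "carol", "approver": "carol"},
    {"id": "P3", "date": date(2024, 2, 3), "amount": 980.0, "vendor": "V999", "requester": "dave", "approver": "bob"},
    {"id": "P4", "date": date(2024, 2, 14), "amount": 25000.0, "vendor": "V200", "requester": "alice", "approver": None},
    {"id": "P5", "date": date(2024, 2, 20), "amount": 3100.0, "vendor": "V200", "requester": "erin", "approver": "erin"},
]
APPROVED_VENDORS = {"V100", "V200"}  # constructed vendor master
APPROVAL_THRESHOLD = 10000.0  # constructed policy: amounts at or above this need an approver


# Each control test returns True when the record violates the control.
def sod_violation(p):
    """Segregation of duties: the requester must not approve their own payment."""
    return p["approver"] is not None and p["approver"] == p["requester"]


def missing_approval(p):
    """High-value payments must carry an approver."""
    return p["amount"] >= APPROVAL_THRESHOLD and p["approver"] is None


def unapproved_vendor(p):
    """Payee must exist in the approved vendor master."""
    return p["vendor"] not in APPROVED_VENDORS


# Control id -> (test function, strategic risk it mitigates). Linking each
# control to a named risk is what lets exceptions roll up to the board view.
CONTROLS = {
    "SOD-01": (sod_violation, "Fraudulent disbursement"),
    "APR-02": (missing_approval, "Unauthorized spend"),
    "VND-03": (unapproved_vendor, "Fraudulent disbursement"),
}


def run_controls(payments):
    """Run every control over every record; return one exception per failure."""
    exceptions = []
    for p in payments:
        for control_id, (test, risk) in CONTROLS.items():
            if test(p):
                exceptions.append({
                    "payment": p["id"], "control": control_id, "risk": risk,
                    "amount": p["amount"], "period": (p["date"].year, p["date"].month),
                })
    return exceptions


def roll_up(exceptions, current, previous):
    """Aggregate exceptions per risk: volume, value and period-on-period trend."""
    summary = defaultdict(lambda: {"count": 0, "value": 0.0, "current": 0, "previous": 0})
    for e in exceptions:
        s = summary[e["risk"]]
        s["count"] += 1
        s["value"] += e["amount"]
        if e["period"] == current:
            s["current"] += 1
        elif e["period"] == previous:
            s["previous"] += 1
    for s in summary.values():
        s["trend"] = s["current"] - s["previous"]  # positive means worsening
    return dict(summary)


if __name__ == "__main__":
    found = run_controls(PAYMENTS)
    for e in found:
        print(e)
    for risk, s in roll_up(found, (2024, 2), (2024, 1)).items():
        print(risk, s)
```

Run as a script to see the individual exceptions followed by the per-risk roll-up; in a real deployment the feed would arrive on a schedule and the roll-up would drive the dashboard and the next risk assessment rather than stdout. The design choice worth noting is that each control carries its risk label, so the "volume, value and trends" the article describes fall out of a simple aggregation instead of a separate mapping exercise.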
The Vital Role of Technology in Data-Driven GRC
Crucial to this is a technology platform that can support the collection and management of robust GRC data and integrate with the organization’s other systems for a comprehensive view.
This platform needs to deliver:
- Integrated risk assessment — taking on board all departments’ areas of focus and assessing them through a strategic lens
- Project and controls management — mapping actions against identified priorities for mitigation
- Risk and control analytics — where your data is gathered and optimized for analysis
- Knowledge content — the insight that underpins your data, capturing specific high-level risks, extracting core data from particular systems and identifying outlying data sets
Optimize Technology to Support Your Data-Driven GRC
It’s clear that taking a systematic and meticulous approach to GRC data is vital for any organization that wishes to master risk management at a strategic level.
Equally clear is the role technology plays here. GRC technology provides the foundation for a robust and data-led approach to risk, removing the risk of human error and enabling you to take a continuous approach to risk monitoring, analysis and refinement.
Technology enables you to optimize your approach to risk management across all three lines of defense, integrating and standardizing risk data across your organization and making it visual, relevant and actionable.
You can read more about using technology to leverage GRC data and drive a data-driven GRC approach in the Diligent and Galvanize white paper, Mastering Risk With Data-Driven GRC.