Proven Techniques for Enhancing Performance & Lowering the Cost of Your GRC Programs
Governance, Risk, and Compliance (GRC) are measurable capabilities that organizations utilize to achieve objectives cost-effectively. Unfortunately, too often, people define GRC solely as a technology solution, and they never realize how to enable greater performance and cost savings in the organization. Whether we are talking about Financial, Operational, or Security Risk & Compliance, the transformation effort intended to enhance performance and lower risk and compliance cost must be focused on the capability and maturity level of the four enablers of effective GRC, which are People, Processes, Technology, and Data. Each of these enablers works together like separate links in a chain, but the weakest link will determine the organization’s GRC capability and maturity level.
Understanding Your Current Capability & Maturity Level
Every effective Strategy & Transformation effort starts by understanding the organization’s current strengths, weaknesses, opportunities, and threats relevant to Financial, Operational, Security, etc. in order to document the current capability and maturity levels, which become the baseline to improve upon. There are too many Capability & Maturity Models (CMM) to discuss in this short article. However, it is important to note that there are specific capability and maturity models for assessing the capability of people, processes, technology, data governance, software development, risk management, project management, performance analytics, etc. Choose those relevant to your needs. The results of this initial CMM assessment give you the ability to identify problems and deficiencies that need to be resolved to enable greater efficiency, effectiveness, and cost savings.
Transforming Your Current Capability & Maturity Level
These problems and deficiencies are addressed by resolutions in an executable Risk & Compliance Transformation Plan, which is utilized to gradually implement the improvements.
During the execution of the Risk & Compliance Transformation Plan, you should utilize an effective organizational change management methodology to implement and guide the organization through the transformation. One of the biggest risks during a Risk & Compliance Transformation is not the implementation of new Risk & Compliance technology solutions. It is the culture of the organization and its ability to accept the amount and pace of change from the project.
Proven Techniques to Enhance Risk & Compliance Performance and Reduce Cost
When executing your Risk & Compliance Transformation Plan, you will likely conduct an assessment of your existing internal controls intended to manage your risk and compliance requirements. Below are some specific techniques to take into consideration that have proven to enhance performance and lower cost.
- Risk & Compliance Data Consolidation – Too often Risk & Compliance programs are performed in many silos across the organization; risk terminology and analysis techniques are not standardized; and usually those organizations do not have the ability to see a holistic view of all risk and compliance objectives, enterprise risk exposure, or the mitigation controls being utilized.
- Control Optimization – This approach focuses on evaluating the design and operating effectiveness of your internal controls to eliminate redundant and ineffective controls, and transition to more preventive and automated controls. Often organizations that have gone through a major risk or compliance effort for the first time like the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, Federal Information Security Management Act, Payment Card Industry Data Security Standard, or the Gramm Leach Bliley Act find they have an excessive number of internal controls assigned to each risk.
- Common Control Framework – A Common Control Framework is a set of controls or requirements designed to eliminate or mitigate the duplication across multiple frameworks. To create a common control framework, organizations should determine which regulations they are subject to and the cost of noncompliance, whether or not regulators expect strict compliance, and the organization’s readiness. Establishing a common control framework has the potential to eliminate the duplication of requirements within frameworks and simplify the process of scoping, defining, and maintaining compliance. As a result, organizations have the potential to save significant time and resources, since they are not forced to perform duplicate control assessments. It gives organizations the power to test once and comply with many risk and compliance regulations simultaneously.
- Automation – GRC technology solutions offer great opportunities to automate processes that were once performed manually: the actual control assessment, workflow, notifications, and questionnaires. More organizations are turning to Robotic Process Automation (RPA) because of its ability to reduce staffing costs, human error, and tedious tasks, and to free workers to focus on higher-value work. But RPA requires proper design, planning, and governance if it is to bolster the business.
- Performance Analytics – Data provides the organization with the ability to make decisions. However, “Performance measurement is failing organizations worldwide. Measures are often a random collection prepared with little expertise, and signifying nothing. Many companies are working with the wrong measures, many of which are incorrectly termed key performance indicators (KPIs). KPIs should be measures that link daily activities to the organization’s critical success factors and empower the organization to make effective decisions, and drive cost savings.” (Parmenter, 2016, p. 327) Top reasons why performance measurement is failing organizations worldwide:
- KPIs are often prepared with little expertise and signify nothing.
- Many companies are working with the wrong measures, which are incorrectly termed key performance indicators (KPIs).
- KPIs are not linked to the organization’s critical success factors.
- KPIs are not effectively measuring performance, cost, quality, risk, and compliance to enhance performance and lower operating costs.
- Organizations are trying to monitor too many KPIs.
Parmenter, D. (2015). Key Performance Indicators: Developing, Implementing, and Using Winning KPIs (3rd ed.). Hoboken, New Jersey: John Wiley & Sons.