Eric de Vos from ReadiNow recently sat down with Michael Rasmussen from GRC20/20 to discuss the future of governance, risk and compliance. As in most industries, there is a lot of change, so we asked Michael for his perspective on how companies can keep up with the rapid pace of it.
We recorded the interview here for you to watch and have also summarised it in this blog article.
Michael is a renowned pundit and an experienced senior analyst in the space. Before establishing his own firm, he was at Forrester specialising in governance, risk and compliance.
Governance, risk management and compliance (aka GRC) is a challenging topic in organizations. From my perspective, every organization's doing GRC today, whether they call it GRC, IRM, ERM, ABC, XYZ, or don't even have a name for it. Every organization has some approach to governance, risk management and compliance.
The question is, are there ways to improve it? Is it siloed or fragmented or ad hoc firefighting, encumbered by documents, spreadsheets and emails? Or is it more mature with an integrated architecture?
When approaching GRC, it's important to look at how technology can be leveraged across the organization, because there are very similar needs across departments. For example, most departments have
So, what ends up happening is all these silos are created where the organization is managing these things in different ways. To keep up with change, organizations must think about how to design a common risk management architecture across the organization.
Agile, common architecture and removing silos all sounds terrific, in theory, but how would an organization go about that?
It's important for an organization to understand and document the current state. How are they approaching areas of governance, risk management and compliance today? What departments are doing what? What technology is used? And then look at where they want to be in a couple of years, and how they are going to get there.
It’s important that they look for technology that can make them more efficient, effective, and agile. Where can they save time, money or be more accurate, complete or thorough?
They have regulatory change and legal change. Changes in the risk environment. Changes in the internal business environment. And keeping all that change in sync is what becomes very challenging in the organization.
Considering the amount of change mentioned, how would an organization choose technology?
It gets back to what I was talking about, where they need to understand not only the current state, but what the vision is for three or five years from now. It's important to understand what technology is going to get them to that end state that they’re aiming for.
Too many times I find that organizations choose the technology first and that defines what their end state is going to be. And then as they mature they find out that's the wrong end state. They bought what the technology does, without thinking about what the organization wants to do, or what the right way for the organization to do it would be.
Organizations don't want to pick the wrong technology and realise, two or three years into the journey, that they have to replace it and start all over again.
When choosing technology, it's important to understand total cost of ownership. Not just the implementation costs, but also the ongoing development and maintenance costs. This all plays into this whole idea of agile GRC. There are a lot of point solutions that are very costly to implement, and also costly to own and maintain.
Some solutions that are considered leaders in this space, I find that for every dollar you spend on software license, you're spending $4 to $5 in implementation. That's significant. So, if I'm spending, let's just throw a number out there, $500,000 on software license for a large and global enterprise for GRC software, I could be spending two and a half million dollars on the implementation of that.
Plus, there's ongoing costs as well. Part of that is because there's a lot of custom coding and build-out needed, and that contributes a lot to it. So, it's important to find solutions that are highly configurable and don't need a lot of specific customization. Technology that you can easily configure for your organization, where the costs of implementation are pretty much on par with the software costs.
So, for every dollar I spend on a software license, I'm spending between 50 cents and $1.50 on implementation, instead of four to five times that.
What other elements are needed from technology platforms to make them really agile and be future proof?
Besides configurability, the other piece, and they all tie together, is usability. How easy is it for everyone to use that solution? Let's take the three lines of defense model.
There's the third line of defense, the audit and assurance function. There's the second line of defense, the risk and compliance managers doing their detailed risk and compliance control work every day, day in and day out.
But then how can the solution be used for the front line of defense? The first line of defense that is often discussed is operational management, but I say it goes all the way down to the frontline employees, not just management. It's the doctor and nurse at a hospital, the insurance agent out there in the field, the teller at the bank, all those other roles.
Each of them has to read policies and attest to policies. They have to report issues and incidents and things. So how can we make it easy to use and relevant to the frontline users, as well as the back-office users?
At the end of the day we need to do for GRC what Salesforce.com has done for CRM. Before we had CRM systems, we still managed client relationships. But everything was in these silos and nobody saw the big picture of the client relationship.
Sales had their view. Marketing and their view. The call center, service support had their view. CRM systems came in and said, "Let's create a holistic 360-degree view of the entire client relationship, sales, marketing, call center service and support. So that we could have one central source of knowledge of the customer."
That's what we need for GRC: to be able to provide that central repository of all our risk, compliance, control and policy type interactions. Then risk management can share it with audit and internal control functions, but the front line and management can access it as well.
At ReadiNow, adaptable, agile and configurable are core values of the platform. Michael has interviewed ReadiNow clients and has found they can future-proof their risk requirements through an integrated solution that's accessible across the organization.