Top 10 GRC mistakes — and how to avoid them

Governance, risk and compliance (GRC) — the very words cause groans among employees and leadership alike. They conjure thoughts of expansive spreadsheets and endless meetings where acronyms like KRIs and KPIs are bandied about. Quite often, GRC exercises are seen as a waste of time or the purview of the CFO and internal audit.

But this is not the case. With regulatory obligations and penalties for non-compliance increasing, CIOs and IT leadership must push for effective risk management, compliance and governance within their organizations. These efforts involve areas are separate from IT (for example, legal and finance) but are nonetheless critical for a GRC program’s effectiveness.

The days of separate or non-existent GRC programs are over. IT and business GRC must be incorporated into a whole. To do otherwise adds tremendous risk and needless uncertainty. Between unforgiving regulatory environments at home (HIPAA, PCI, FERPA) and abroad (GDPR), customer data privacy expectations, as-a-service platform risks, cybersecurity threats and the ever-changing global marketplace, an established and effective GRC program is a primary means of not only demonstrating operational due care, but also reducing costs, increasing profitability and avoiding running afoul of regulatory regimes across international markets.

“The top two GRC shortcomings I see are organizations not being aligned on their strategy and placing a much stronger focus on compliance versus effective risk management,” says David McKeough, vice president of CrowdStrike.

An organization with the appropriate GRC components in place is one with an overall strategic plan that guides executive decision making. Projects and initiatives are weighted and evaluated based on business-driven goals, risks are managed and measurable, and compliance burdens are known and communicated.

Following are 10 common pitfalls of organizations that struggle to create effective governance, risk management and compliance strategies.

Organizational immaturity

Organization immaturity has stifled many GRC programs. When your organization lacks even the basics of program, project, asset or change management, you will not know what assets you have (hardware, software, and data), making it extraordinarily difficult to stand up an effective GRC program.

Does this sound familiar? At the quarterly leadership briefing, you hear about several new acquisitions that require extensive infrastructure and system integration effort. Oh, and by the way, the money for this is coming directly out of the IT department budget.

Or, more commonly, IT resources lurch from one fire to another, always in a reactive posture. Project work is done on the side as IT leadership scrambles to cover the latest “critical” project that just swept aside yesterday’s must-have initiative.

Data practices are another area where organizational immaturity can rear its head. Yes, you may recognize that data has become one of, if not the most, valuable asset your company has, but if you don’t know where your critical data lies, then how do you secure it?

“When companies have little idea what data they have, do not know where it is and do not know what their knowledge workers do with it, this is a fundamental problem,” says Peter Aiken, founding director and owner of Data Blueprint.

Recommendation: To build organizational maturity the corporate culture must support it. Key executives must support accountability and transparency in their departments. Those stakeholders, managers and staff who do not accept this change must be held accountable to the new reality.

Technology and business silos

IT and the business must be aligned for GRC to work effectively. Unfortunately for many organizations, this is not the case, as critical software or infrastructure implementations fall out of the blue, but suddenly have to be done right now. Or planned budgets and resource allocations are completely blown. Or the business never seems to communicate with IT.

When corporate leadership introduces new goals that IT has to implement hastily, there is little room for operational risk discussions between the business, IT and compliance departments.

Recommendation: Establish committees and channels of communication to cover both executive and technology tracks with crossovers to ensure reliability.

Lack of cohesive standards, policies and procedures

Perhaps your critical IP is stored on consumer-grade cloud storage by various employees. Isn’t there a corporate policy that mentions it’s a no-no? You’d be surprised how often there isn’t. Or, the new organization you merged with still has no policies, or old ones, in place. Plus, more often than you might think, users have not been educated on enterprise policies and how it impacts their workflow. Not to mention the fact that policies often exist on multiple file shares and in SharePoint across the enterprise, making them extremely difficult to follow and thus hold people accountable. Any lack of centralization, clarification and accountability when it comes to GRC poses a significant risk.

Recommendation: Policies should be concise, centralized, communicated and easily accessible to all employees. The documents themselves must be simple, concise and readily understood. Enterprise staff needs to be trained on them as well.

No accepted definition of risk

What does risk mean to the enterprise? The definition can be surprisingly hard to nail down. Often, only financial risks or generic risks that have not been evaluated for applicability to the enterprise are reported to the board of directors. And if you have disparate risk scoring methodologies within your organization, that makes it all the more difficult to report risk accurately to the board.

Recommendation: Ensure that all business functions agree on their definition of risk. Also, there should be one risk management program that incorporates all risk (IT and business) reported up to the board of directors.

Reliance on silver bullet technology

There are many GRC tools available for the enterprise, from the simple spreadsheet to multi-million dollar corporate systems. However, if you don’t have a robust GRC framework in place, no technology can manage risk for you.

Recommendation: Resist the urge to invest in costly tools. Establish and normalize your GRC program first, then ascertain which tools fit your needs. Consider how you can use already implemented tools to meet your needs in your environment.

Regulatory confusion

Do you genuinely know what regulatory frameworks impact your enterprise? For example, your state and local privacy laws will take primacy over HIPAA guidelines in the event of a data breach if they are more stringent. What about Dodd-Frank? Are you covered by Sarbanes-Oxley, PCI-DSS, HIPAA, GDPR or a host of other regulations? All too often, organizations fail to understand the full regulatory environment in which they operate.

Recommendation: The regulatory process should be co-owned and documented by legal and compliance with clear lines of communication to IT and business.

Lack of ultimate accountability

The buck has to stop somewhere. So who owns the GRC? It starts with tone from the top. Executive leadership must own and support an effective GRC program. From there, GRC accountability cascades to places like application ownership, data ownership and the escalation paths that are required.

Recommendation: For a GRC initiative to flourish, executives must communicate their support.  This isn’t a one-time statement. GRC initiatives must be driven on a continuous basis from the executive suite with ultimate accountability held at the board level. The CFO’s office is a good starting point.

Complexity overload

A portfolio management tool here, a regulatory tool there, spreadsheets, and dashboards, soon you are swamped with conflicting information. Hours can be spent trying to normalize hundreds of GRC data points into one system. Time to simplify.

Recommendation: If your enterprise GRC program is overwhelmed with dashboards and tools, it’s time to simplify. Work closely with your GRC team to select the best tool(s) for the job and then work to reduce the system bloat. Let your business requirements drive your technology investments and get a roadmap done.

Lack of program and project investment management

It’s hard to have a GRC program when projects or programs get spun up without understanding the investment required. What initiative receives the green light? Do you know your maturity across functions?

Recommendation: Board engagement and initiative management are critical for the visibility required to obtain the funding to support your GRC efforts. This allows you to nail down the effective portfolio and investment management strategy.

No viable metrics for success

So how do you know if your GRC program is working as intended? Is it reducing risk, meeting compliance goals and hitting program initiatives? Enter key performance indicators (KPIs), key business questions (KBQs) and key risk indicators (KRIs).

Recommendation: Take the top five or ten business processes (KPIs or KBQs) using the SMART criteria — specific, measurable, attainable, relevant and time-bound. Ensure they are aligned with business value and have the critical decision makers identified. Assign measurable KRIs for these processes. Now monitor and track the quality of data programmatically.