For the last few decades, GRC software vendors have been dictating the business applications we need to buy to deliver a business outcome. The vendors have set the boundaries of those applications (features, functionality, and workflow) within the context of categories molded by the analyst community (you buy this application for compliance management, this application for third party risk management, this application for data privacy, etc.). However, the reality is that we probably only use 20% of the total application and, worse than that, may have to buy other adjacent applications, each delivering 20% value, to reach the end game. 

Add to that the need to operate the applications effectively – how do I get 100% business benefit out of the 20% value I have invested in from my applications? Organizations don’t always have the necessary expertise to do this, for example, running a ‘best practice’ cyber risk steering committee, identifying risks relevant to an industry, or performing a thorough audit of a third party. Consulting companies, such as the Big 4, can provide this ‘know-how,’ and they understand the language of business outcomes. However, because they don’t write the software, the services they offer are not truly integrated with the applications. Their vision for delivering business outcomes is ultimately unachievable; GRC applications do not cater to the target setting and measurement necessary to show whether the outcomes are delivered.   

This fracture in the model in which software vendors and consultancies operate can lead to less than optimum outcomes for buyers – often in the form of ill-advised solution procurement, incompatible software implementation, and – ultimately – the failure of your GRC program. 

This isn’t hypothetical, either; it’s already happening with reports of failed GRC programs being discussed by swathes of commentators online. 

But what phenomenon has led to this fractured model, and what can be done to fix these inherent problems? 

The first step in solving any problem? Admitting that there is one.

GRC is broken. 

Shining a Light in the GRC Darkness 

If we look at the stated outcome again and the process the mind goes through, the primary starting point is the capabilities needed to deliver the outcome – not what software or consulting firm.  

To reference the self-titled inventors of GRC, OCEG: 

GRC is the integrated collection of capabilities that enable an organization to reliably achieve objectives, address uncertainty, and act with integrity. 

But the market is missing an offering that delivers capabilities and is conditioned to jump to the software or services decision point. Instead of asking for the capabilities we need, we are forced to articulate what we want in the same language it’s presented, i.e., “I want my software to do X”, and “I’d like you as a consultant to do Y”.  

Take this common interaction as an example: 

If you were to procure the services of a GRC consultancy, the verbiage you encounter would likely center around business value and outcomes; it talks to the WHY of GRC. Conversely, when you engage a software vendor, you enter a dialogue that discusses applications, functions, and features. The conversation is focused on the technology, its specifications; the WHAT of GRC. 

But when it comes to the HOW – the values and principles that guide your actions and decisions on a day-to-day basis, who is responsible? Who has both an intimate understanding of the software and domain expertise? Who is accountable for delivering on the actual capabilities needed? 

Here’s the rub: it’s nobody. 

So, what can be done? 

The New Approach to GRC: Capability-Driven

Whereas our current dilemma sees businesses tasked with translating WHY and WHAT into HOW; tomorrow’s world will be defined by a business’s ability to purchase capabilities. Instead of being forced to buy 3+ distinct applications and ad-hoc consulting services, all you will need to buy is the capability, which comes with the predefined processes it automates, along with the required expertise and know-how. So now there’s no wastage in your investment. 

To be clear, this isn’t about better aligning software and consultancy services. This proposed solution is about merging the two independent parts that typically fail into a capability where the customer doesn’t even have to worry about which parts are delivered by automation or humans. 

And because the capabilities have been designed with both components in mind, activities, key measures, and targets across software and people can be seamlessly embedded, to finally enable a quantifiable way of evaluating if an outcome has been delivered. 

This is the capability-driven future. A future where GRC programs don’t fail – and business outcomes are guaranteed. One where GRC investments can be fine-tuned to asset value and desired risk posture, and where GRC purchasing is right-sized to your needs; without under-utilized, feature-loaded applications or project management, KPI, and reporting overheads. This is a future that will change the consumption of GRC applications as we know them and introduces a more integrated, measurable, and right-sized tomorrow. 

To learn more about how we’re building a future of capability-driven GRC, contact SureCloud today.