Tooling Considerations to Support Governance, Risk and Compliance
By SureCloud’s VP of Product, Matthew Davies, and Senior Director of Customer Success, Yang Zheng
Published on 20th April 2022
The International Data Corporation (IDC) has recently forecast solid growth for the GRC tooling market as organizations invest to expand and integrate their GRC management portfolios. Despite businesses tightening their budgets amid the first year of the pandemic, GRC spending actually increased by 8.2% year-on-year. That growth is set to continue, with global GRC spending growing from $11.3 billion in 2020 to $15.2 billion in 2025. This growth is mainly due to the near-constant addition of new regulations and risk categories, requiring organizations to ask questions about their existing compliance processes and solutions as they attempt to keep up.
The bottom line? Companies are continuing to invest in their GRC and IRM (Integrated Risk Management) solutions in order to adapt and manage a complex and evolving regulatory landscape. But what kind of questions should you ask yourself when considering new GRC and IRM tooling?
Why invest in Compliance tooling at all?
For most, it’s a question of managing compliance and regulatory change. Examples include a new version of ISO 27001, or the rollout of SOX in the UK, which businesses are now preparing for and which is prompting many of them to re-evaluate their GRC capabilities.
For other businesses, it’s a question of operational efficiency. With the regulatory landscape in a near-constant state of change, organizations with fragmented processes and solutions tend to expand the compliance program in a piecemeal fashion just to keep up. This results in a fragmented and disparate system that easily gives way to errors and inefficiencies. It’s particularly true of mergers, acquisitions, and businesses that are evolving faster than their compliance tools and processes can keep up. Such organizations often end up with a ‘Frankenstein’ approach to compliance, bolting on additional regulations and contractual requirements in an effort to stay on top of the ever-increasing complexity.
Investment in modern compliance solutions avoids this Frankenstein-like approach to compliance, and puts businesses on the front foot instead of constantly playing catch-up. Instead of simply bolting on another compliance process or framework, organizations can take the opportunity to reflect on their holistic compliance approach, building better foundations for data handling, communication and reporting.
The motive for updating your compliance tooling will help determine the level and nature of your investment. For instance, you might just need a reporting tool that can bring data together from disparate silos. This might suffice for a simple or decentralized business that has come to rely on multiple compliance solutions, making horizontal integration across departments more difficult.
On the other hand, you might need a more holistic and robust solution that brings processes, control frameworks and automation to the fore. Traditionally, there are three lines of defense:
- Operational Management
- Risk and Compliance Management
- Internal Audits
One of the biggest issues we see organizations experiencing is bridging the gap between the first and second lines. In other words, you can have operational compliance or good compliance management, but marrying the two together is critical for a consistent, robust and sustainable approach to GRC.
GRC solutions are a long-term tool with long-term benefits, allowing businesses to take a proactive approach to compliance. For CTOs on the ground, however, it’s more about day-to-day operations and play-by-play decision-making. That’s why bridging the gap between operations and compliance management is crucial.
Don’t overcomplicate. Think ‘big picture’
It can often be tempting for compliance professionals to overcomplicate their GRC implementations because they’re attempting to superimpose manual processes onto an automated environment. For instance, a system that captures and distributes data through documents, spreadsheets and emails might not translate well into an automated tool, as it may well still require a level of human input and interaction. Trying to overlay these manual processes onto a new GRC tooling solution can cause more problems in the long run, so it’s best avoided altogether.
Too many are also tempted by the promise of fixing an immediate regulatory compliance problem rather than thinking ahead to future needs. If a business wants to ensure operational resilience in light of UK SOX, for instance, it can look at the GRC tooling market and easily pluck out a solution that will fix that particular problem. It’ll be effective, affordable and quick to implement. But what happens when the business wants to scale? What happens when somebody in the business needs to carry out a risk assessment and the limitations of the tool you picked before become apparent?
If a business ends up with a patchwork of solutions to tick various compliance boxes, it becomes very difficult for it to assess its overall compliance posture, or carry out rapid compliance assessments. This will cascade throughout the business, resulting in siloed verticals that make horizontal integration near impossible.
Be wary of siloed data as your business scales
Lack of horizontal integration can be a big problem for GRC initiatives as a business evolves. Silos can develop all too easily in businesses that take a piecemeal approach to GRC tooling. You must think carefully about how far you travel down that road before you consider full-scale integration. In particular, data silos develop very easily in businesses that take a bolt-on approach to GRC tooling, usually due to budget constraints or a need to reactively put out regulatory fires.
For small organizations, data silos are an almost inevitable part of growth. But that’s okay, because smaller organizations are usually better equipped to facilitate fast, cross-departmental communication. As a business grows, those departments drift further apart and employees become busier and more distracted. At this point, data should be horizontally integrated and automatically accessible to anyone in the organization who needs it.
When should your organization consider a fully-integrated solution?
This is one of the most important and difficult questions you’ll answer on your GRC journey. While it’s easy to get wrapped up in the day-to-day running of your business, it’s vital you make time to sit down and reflect on your overall GRC posture before problems start to occur. There’s one question you should ask that’s more important than any other:
In which direction is your business facing?
Is your business looking forward, planning ahead and anticipating new changes to the regulatory landscape? Or is it living in the moment, still trying to get its house in order to align with regulations that have already been rolled out?
A company that focuses purely on the here and now is more likely to be slipping into a reactive pattern when it comes to compliance, layering more and more point solutions until the result becomes unworkable and difficult to unpick. An organization that is looking to the future, however, watching out and preparing for incoming regulations, usually has the bandwidth and resources to keep doing what it’s doing.
The minute that focus shifts purely to the present rather than the future, it’s time to consider an integrated GRC solution.
Listen to the exclusive webinar on GRC tooling on SureCloud’s Capability-Centric GRC & Cyber Security Podcast, where we discuss and elaborate on the points made above.
Or visit SureCloud’s YouTube channel to watch the entire video.