In governance, risk and compliance (GRC), as in other areas of business, we’re witnessing a strong trend towards cloud-based technology, particularly in the area of compliance and internal control systems. Promises of efficiency gains, better compliance processes, and even increased performance for business are being made. It almost sounds as if—by a sort of magic—moving to the cloud would solve the pains of managing compliance and controls that too many companies today still experience (too many manual tasks, high costs, insufficient assurance, and so on).
Clearly, it is worth looking beyond the promised wonders at what is actually delivered. Since more and more companies plan to adopt cloud-based solutions for compliance and controls, it’s important to ascertain whether their most critical needs will actually be addressed.
Asking the right questions, whatever the architecture
Looking deeper into the value proposition of a number of new cloud-based offerings (whether they come from new, “pure-cloud” players or more traditional GRC niche players), it strikes me that the presentation of the core capabilities hasn’t really evolved from what is already provided with on-premise architectures.
Undeniably, cloud solutions provide technology advantages and gains in terms of collaboration, faster delivery of new features, and reduced maintenance costs. But when we examine the core functional capabilities, we don’t really see anything new around automation and continuous monitoring of controls, integration with core business systems, or embedding of controls into critical business processes.
It seems all too clear that the outdated ways of managing compliance and controls with traditional niche GRC solutions have simply been transposed to many of the new cloud-based offerings. This means, among other things, that their users will continue to:
- Operate their GRC processes in isolation, disconnected from their ERP and other core business systems, unless they take on the burden of building and maintaining interfaces.
- Spend excessive amounts of time and effort on manual tasks to evaluate and test their controls.
- Need to look for problems after the fact in masses of data, instead of being alerted when they occur.
- Face the risk of undetected compliance failures and other issues, due to piecemeal compliance processes.
As a result, they may find after moving their GRC to the cloud that the gains, confined to the more technical aspects, are small compared to the persistent cost and effort of managing their compliance and controls in a still-disconnected, exceedingly manual, and discontinuous way. This is far from the promised efficiency, and even further from the claims of increased business performance that flourish in the “GRC in the cloud” marketing space.
What can companies do?
Whether companies prefer to stick to an on-premise architecture or decide to move to the cloud for their GRC, they need to ensure that the chosen solution:
- Provides out-of-the-box integration.
- Allows time-consuming tasks such as testing to be automated.
- Delivers a management-by-exception pattern through continuous monitoring of controls.
More than ever, these capabilities remain critical to help them achieve sustainable compliance, reduce their risks, and drive tangible efficiencies.
Furthermore, by choosing software that can embed controls into their critical business processes, businesses have a real opportunity to increase the performance of their operations—and not just by magic.
Is it time to move to the cloud?
Provided the above conditions are met, choosing a cloud-based architecture can actually boost the advantages that a truly integrated, automated GRC system already delivers. Join me here next week for Part 2 of this blog, where I’ll discuss examples of the compounded benefits that such a solution offers.
What do you think?
Share your thoughts with me here or on Twitter at @JPugnet.