Lose The Myths And Step Towards A GRC Digital Transformation (Part 2)

Daniel Morfin

Part 2 of a 2-part series. Read Part 1

In Part 1 of this series, I identified four common myths preventing companies from transforming their governance, risk, controls, and compliance. Today, I’ll reveal the rest in my Top 10 list.

5. IT needs to lead the GRC project.

GRC is powered by technology, but that doesn’t mean IT will lead the project. The objective of GRC is to centralize all risk management areas (internal control, risk, audit, compliance, IT) and unify a single source of truth to promote oversight of the company.

Because IT knows the technology, and the risk areas know the risk and compliance activities, both play a fundamental role in supporting a successful GRC implementation. But the risk areas lead the project.

6. GRC is difficult and takes too much time to implement.

It is true that implementing a GRC solution is a demanding project. It requires you to review and update information, business processes, process owners, risk maturity levels, and so on. If your company doesn’t have a solid risk and compliance practice, the project will take longer, because you will be building that foundation before you can take advantage of the solution’s benefits.

But the good news is that all these pieces are part of the GRC implementation. And you can also start by implementing one module at a time (take a look at the next “myth”).

7. To realize benefits, we must implement the complete functionality.

When you choose GRC solutions that are focused on the three lines of defense framework, you can start by implementing the most mature line (controls, risk, or audit) and go from there.

For example, if your company’s risk management process is the most mature, you could start using risk management software to align your risks with business-value drivers. Or, if your auditors and audit reports are spread across the enterprise, centralize their efforts in an audit management solution to optimize your resources and gain visibility.

If two of the three lines are already solid – controls and risk management, for example – you can preserve and grow business value by adding process control and risk management functionality so that processes, risks, and controls are shared across the enterprise rather than maintained separately.

The key is not to wait until everything is ready, whether you start with your most mature line or mature all your lines at once.

8. GRC is expensive.

If you compare only the investment required to acquire a GRC solution against the cost of today’s manual activities, you will probably conclude that it is expensive.

But be careful, because this evaluation fails to take into account the benefits provided by an automated solution:

  • Increase scope and coverage for risk mitigation activities to safeguard the company
  • Reduce the cost and time of detecting cash leakage, fraud, or anomalies early, before they become financial losses
  • Reduce ongoing cost for demonstrating compliance
  • Improve team effectiveness and efficiency

Becoming aware of these opportunities may change your cost/benefit analysis.

By the way, it’s important to mention that there are many flexible deployment options to reduce time and cost to implement GRC solutions in your company.

9. GRC is a nice-to-have, not a must-have, solution.

We have never faced so many risks as we do at this moment. We face financial, operational, reputational, technology, compliance, environmental, human capital, and governmental risks. In concrete terms, that means more sophisticated fraud, cash leakage, money laundering, data protection obligations, cybersecurity attacks, modern slavery, social media exposure, changes of government, and so on.

Companies need visibility like never before – to know what they’re facing so they can avoid or mitigate the impact or the probability that something undesirable will occur. A modern GRC strategy isn’t just desirable. It’s necessary.

10. We don’t need a GRC solution.

It is difficult to argue against this way of thinking, because it is often a cultural attitude rather than a pure business decision. Some people and companies aren’t proactive; they react only when something happens and they suffer a major impact. Only then do they realize the importance of having a risk mitigation strategy.

If you’re a supporter of a GRC solution and your company doesn’t see the importance of proper risk management, keep pushing! Raise the importance of the topic and prepare the company for the next level.

Bottom line

Companies are facing too much uncertainty these days to leave their risk management to chance – or to operate under these 10 myths (and misunderstandings) about GRC solutions.

Taking steps towards a governance, risk, controls, and compliance digital transformation will ensure that you’re armed with the right information to face GRC challenges however and whenever they come.

For more on this topic, read The State of Risk Management in 2018.

This article originally appeared on the SAP Analytics blog and is republished by permission.



About Daniel Morfin

Daniel Morfin is an evangelist in digital transformation for GRC and cybersecurity with SAP Global Finance and Risk Business Development, focusing on Latin America. With his extensive experience in GRC and cybersecurity in technology companies, he believes that risks are everywhere, making it important to understand them for better decision-making.