Transforming siloed or manual GRC processes into more agile, automated, and integrated programs can yield multiple benefits – including better preparedness for risk events, and better risk insights for decision-making. However, actually enabling this transformation can be quite challenging. Taxonomies often have to be changed. Top-level approval has to be sought. Cultural changes have to be implemented. The latter can be particularly difficult to enable. Employees who are used to doing GRC a certain way for years (e.g., using a 1-5 risk-rating scale) can often be resistant to adopting a different approach (e.g., using a red-yellow-green rating scale).
Behavioral change is easiest to implement when the benefits of that change can be experienced in a real and tangible manner by the people making the change. For instance, if risk managers gain real-time risk intelligence with heat maps, if policy managers gain a comprehensive view of the regulations that impact a policy, or if a chatbot simplifies the search for policies by relevance, the change will likely make their work simpler and more efficient.
However, when implementing a new enterprise GRC system, or enabling any other such large and pervasive shift, many of the benefits—such as faster and better risk insights for strategic decision-making—are experienced by senior stakeholders and executives, rather than the people in the front line who are actually being asked to change—whether it's in terms of adopting a new system, or learning a new risk taxonomy. And since the front line doesn’t necessarily get to experience the value proposition of the change first-hand, it can be challenging to convince them of its necessity.
How then can GRC transformation be enabled in a smooth and efficient manner?
The best place to begin a GRC transformation project is in a process or function that has a low barrier to change because the maturity level of the process is already relatively high, and the level of anticipated change is low. As an example, let’s assume that Organization XYZ wants to implement a new policy management solution that will make it easier for employees to browse, search, and find the policies they need. The organization already has a well-defined process in place for policy creation, approval, and communication - it just needs a few enhancements with the new solution. Therefore, the barrier to change is low, and the solution can be implemented fairly quickly with a little user training and hands-on help.
On the other hand, suppose the organization's risk assessment process is fragmented, inconsistent, and not integrated, with data scattered across different systems. This is an immature process. If the organization were looking to implement a risk management solution, the barrier to change would be high, because to realize the benefits of the solution, risk taxonomies would first need to be standardized, risk reporting processes changed, and data models unified. If the organization were to implement the risk solution immediately without first making these changes, it would simply end up with the same bad process or bad data in a new system.
The bottom line is that when embarking on a GRC change management project, the first step is to self-assess the maturity of each process and then prioritize the use cases accordingly. By starting with the use cases that have the highest maturity, and therefore the lowest barriers to change, people in the front line will have time to get used to the change, after which the more complex use cases can be tackled.
When planning a GRC transformation project, it's important to identify the change accelerators in the organization, that is, the people who champion, drive, and catalyze change across the enterprise. Typically, these individuals are found lower down the hierarchy, where more informal business networks have developed organically.
These networks are composed of people who are not necessarily high-ranked, but are well-connected, well-respected, and frequently sought out for advice by colleagues. They are the real influencers. So if they can be identified and convinced about the need for GRC transformation, they can act as positive change agents for the rest of the enterprise, particularly the front line.
Any organization will always have its naysayers who are resistant to change. While it's important to understand and address their concerns, it's also helpful to focus on the positive change agents, the early adopters who will provide useful feedback on the proposed GRC transformation. Through these stakeholders, one can gradually work through and get the buy-in of the "silent majority" across the company, at which point the remaining detractors will have to get on board with the change.
Pro Tip: Set up a “change management” committee with representation from relevant stakeholders. For instance, if a new GRC system is being implemented, ensure that IT team members are on hand to answer questions on the technological change aspects. Front line representation is also important to ensure that employee concerns around change management are being heard and addressed.
A good way of getting people to buy into the message of GRC transformation is to communicate how it will benefit them at a personal level, rather than a corporate level. For instance, when implementing a new risk reporting tool, stakeholders can be told how the system will make their jobs easier, protect them, and make them more confident about their decisions. They need to understand what’s in it for them.
Mass communication is also important, especially when seeking the support of the front line. Company-wide newsletters, emails, dedicated GRC portals, and other such channels help disseminate the messaging around GRC transformation clearly. The more the message is reinforced, the better employees will understand why it's important.
The concept of a helpdesk is also worth thinking about – particularly, a dedicated GRC helpdesk that employees can instantly message, phone, or email. It helps iron out any initial hiccups during the GRC change project. It also enables the GRC team to keep their finger on the pulse of the enterprise, and understand the challenges and problems that employees are facing. This data can then be used to enhance GRC training materials or programs.
When feeding information into a new GRC system, a good practice is to set up both front-end and back-end data checks. Front-end checks act before data is entered: if users want to register an issue or incident, this means training them on the type of data to enter, guiding them through the form, and providing a helpdesk to answer any queries they have. Back-end checks act on what was actually entered: they ensure that all mandatory form fields have been filled, that values fall within the agreed taxonomy (for example, the risk-rating scale the organization has standardized on), and that the record is internally consistent. Rejected submissions should be fed back to the helpdesk and training program, since they show exactly where users are struggling.
Often, organizations rush to implement a new GRC tool or dashboard without first checking the quality of data that has been entered into the system. If it isn’t “clean” data, users are likely to be dissatisfied, especially at the executive level where the quality of reported data makes all the difference to strategic decision-making. Well-organized, consistent, and high-quality data leads to better, more confident decisions.
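The following is an added example of the back-end checks described above, written here for illustration and not taken from the MetricStream product or any real GRC system. The field names, the mapping of a legacy 1-5 rating onto a red/yellow/green scale, the list of business units, and the sample submissions are all assumptions. It shows the three kinds of check a practitioner would want before data reaches a dashboard: mandatory fields present, values inside the agreed taxonomy (with the legacy scale normalized rather than silently accepted), and dates that make sense relative to each other and to today.

```python
"""Back-end data checks for a hypothetical GRC issue/incident intake.

Added example, not MetricStream code. Field names, the severity taxonomy,
the business-unit list and the sample rows below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed taxonomy: a legacy 1-5 numeric rating is still accepted at the
# front end but is normalized to the new red/yellow/green scale on storage,
# so reports never mix the two scales.
SEVERITY_ALIASES = {
    "1": "green", "2": "green", "3": "yellow", "4": "red", "5": "red",
    "green": "green", "yellow": "yellow", "red": "red",
}
MANDATORY = ("title", "owner", "business_unit", "severity", "detected_on")
BUSINESS_UNITS = {"finance", "operations", "it"}  # assumed reference data


@dataclass
class ValidationResult:
    record: dict = field(default_factory=dict)  # normalized record, if valid
    errors: list = field(default_factory=list)  # human-readable problems

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_incident(raw: dict, today: date) -> ValidationResult:
    """Reject incomplete or inconsistent submissions before they reach reporting."""
    result = ValidationResult()

    # 1. Mandatory fields must be present and non-blank.
    for key in MANDATORY:
        value = raw.get(key)
        if value is None or str(value).strip() == "":
            result.errors.append(f"missing mandatory field: {key}")
    if result.errors:
        return result  # no point checking values that are absent

    record = {k: str(v).strip() for k, v in raw.items()}

    # 2. Values must sit inside the agreed taxonomy; normalize where allowed.
    sev = record["severity"].lower()
    if sev in SEVERITY_ALIASES:
        record["severity"] = SEVERITY_ALIASES[sev]
    else:
        result.errors.append(f"severity {record['severity']!r} not in taxonomy")
    bu = record["business_unit"].lower()
    if bu in BUSINESS_UNITS:
        record["business_unit"] = bu
    else:
        result.errors.append(f"unknown business unit {record['business_unit']!r}")

    # 3. Dates must make sense: ISO format, not in the future, reported >= detected.
    try:
        detected = date.fromisoformat(record["detected_on"])
    except ValueError:
        result.errors.append("detected_on is not an ISO date (YYYY-MM-DD)")
        return result
    if detected > today:
        result.errors.append("detected_on is in the future")
    reported_raw = record.get("reported_on")
    if reported_raw:
        try:
            reported = date.fromisoformat(reported_raw)
        except ValueError:
            result.errors.append("reported_on is not an ISO date (YYYY-MM-DD)")
        else:
            if reported < detected:
                result.errors.append("reported_on precedes detected_on")

    if result.ok:
        result.record = record
    return result


def validate_batch(rows, today: date):
    """Split rows into clean records and (row, errors) pairs for the helpdesk."""
    clean, rejected = [], []
    for row in rows:
        r = validate_incident(row, today)
        if r.ok:
            clean.append(r.record)
        else:
            rejected.append((row, r.errors))
    return clean, rejected


# Constructed sample submissions (not real data) and a fixed "today" for the run.
TODAY = date(2024, 6, 1)
SAMPLE_ROWS = [
    {"title": "Phishing email reported", "owner": "a.smith", "business_unit": "Finance",
     "severity": "4", "detected_on": "2024-05-20", "reported_on": "2024-05-21"},
    {"title": "Lost laptop", "owner": "", "business_unit": "IT",
     "severity": "red", "detected_on": "2024-05-22"},
    {"title": "Vendor breach", "owner": "j.doe", "business_unit": "operations",
     "severity": "high", "detected_on": "2024-07-01"},
    {"title": "Access review gap", "owner": "k.lee", "business_unit": "Legal",
     "severity": "3", "detected_on": "2024-05-10", "reported_on": "2024-05-01"},
]


def run_sample():
    """Validate the constructed rows against the fixed date."""
    return validate_batch(SAMPLE_ROWS, TODAY)


if __name__ == "__main__":
    clean, rejected = run_sample()
    print(f"{len(clean)} clean, {len(rejected)} rejected")
    for row, errors in rejected:
        print(f"- {row['title']}: {'; '.join(errors)}")
```

Only the first row survives: the legacy rating "4" is stored as "red" and the business unit is normalized, so the dashboard sees one scale and one spelling. The other three rows are returned with specific reasons (blank owner, a severity outside the taxonomy plus a future date, an unknown business unit plus a reporting date earlier than detection), which is exactly the material a helpdesk needs to refine training.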
GRC transformation doesn’t happen overnight. It takes time. Effective planning, communication, and engagement are key. The work involved is no doubt challenging. But in a dynamic marketplace, the need for effective GRC change management is only going to become more urgent. It’s important that we get it right.
MetricStream’s Enterprise GRC Solution can help you manage your risks, compliance, audits, cybersecurity, and third-party governance activities in an integrated and automated manner.
The solution cuts across organizational silos, enabling a holistic and collaborative approach to GRC. Users can efficiently roll up risk and compliance data from across the enterprise, and transform it into actionable business intelligence to support decision-making.
With support for mobility, real-time reporting, advanced risk analytics, and regulatory notifications, the MetricStream Enterprise GRC Solution is comprehensively designed to meet the GRC needs of today’s complex, global enterprises.
• 67% Improvement in risk reporting visibility and efficiency for the executive management and board
• 80% Improvement in risk and control framework related operational efficiency
• 90% Reduction in time taken to manage compliance activities
• 300% More coverage on compliance and control monitoring
• 50% Fewer compliance issues