RiskTech Forum

Nasdaq BWise: The Pending Extinction of GRC Point Solutions

Posted: 3 April 2017  |  Author: Ladd Muzzy

GRC point solutions are facing disruption as integrated governance, risk, and control (GRC) software continues to evolve and add value to risk management activities across the lines-of-defense.

A GRC point solution is designed to assist the lines of defense (the business, support functions, and audit) in managing risk. Its foundation is either a company-specific methodology or a set of leading practices and frameworks, such as COSO or NIST, that support risk and control activities.

There are three key reasons why an organization would benefit from an integrated governance, risk, and control (GRC) software solution:

Significant risks accumulate from a chain of errors
Point solutions typically stand alone within a line of defense, with little thought given to whether or how they link to software or processes in other parts of the organization. This is a lost opportunity for risk management to show its value. Risks, and their associated exposures, rarely occur independently of one another. For example, a coding error may affect a business process, which may cause an employee to provide incorrect information to a customer, which may in turn result in compliance violations, litigation, and reputational damage. Risks span the front and back office, throughout the value chain. As a result, risks need to be viewed holistically across the lines of defense. Without an integrated GRC software solution this becomes a challenge, and the result is misleading reporting to executives, the Board, regulators, and other stakeholders.

Reporting is fragmented
A challenge with point solutions is that they do not lend themselves well to providing a clear view of the overall risk profile. Each function, including audit, uses a methodology that is appropriate for its own objectives. For example, compliance may have zero tolerance for non-conformance, and its methodology will reflect a strong control environment. Operations may be supporting new products and growth initiatives where controls are still undefined, which supports more risk-seeking behavior and processes. Neither function's approach is "right" or "wrong," but reconciling them does require a common understanding of how each line of defense defines and supports risk management.

Providing a holistic risk and control perspective requires a central function to amalgamate disparate sources of data into a complete picture. It also requires a suite or unified software solution to paint it. Developing a taxonomy that reflects the organization's risk appetite and tolerance levels, supports aggregating and disaggregating information, and still allows for bespoke line-of-defense needs is tricky indeed. Nonetheless, it is possible, and already a reality for some organizations, made achievable by an integrated governance, risk, and control (GRC) software product.

Suboptimal use of resources
We have already seen how point solution software supports unique line-of-defense practices. Although this provides greater assurance that specific risk topics such as compliance and vendor management are covered well, it also raises the possibility that resources are allocated inadequately. It seems obvious, but centralizing the view of risk offers a number of benefits:

Viewing risk holistically enables line-of-defense teams to align their requests to the business, prioritize activities and risk management processes, and tackle issues that are pervasive across the business.

Centralizing the view of risk allows for a complete view of the control and management environment. Assigning accountable individuals to weaknesses, combined with a complete view of risk across the value chain, opens up the possibility of having controls serve multiple purposes and address multiple risks.

Again, by looking at risk through the lens of the whole organization, capital expenditures and allocations can be focused on the most pertinent and potentially severe risk topics.

We are already seeing organizations begin to look at risk more completely than they have in the past. Initiatives around identifying and structuring data, piloting collaboration across a couple of functions, and the desire to be thoughtful about management's spend on risk management are raising the interest of, and the impetus from, executives, the Board, and regulators to align. Partnering with a GRC software provider that can enable this view will be crucial to our discipline's long-term success. For more information visit www.bwise.com or contact us directly.