GRC Considerations

By: Joseph Lord, Deloitte & Touche LLP

Enterprise Risk Management (ERM) programs commonly rely on an array of spreadsheets, presentations, manual processes, and siloed data to manage their program operations. For many ERM programs, this minimal technology infrastructure has met their start-up needs. However, this approach may not satisfy needs for long. As agencies are maturing their ERM programs, they are expanding to include additional categories and types of risks (Third-Party Risks, Cyber Risks, Supply Chain Risks, etc.) to capture a more complete picture of the modern risk landscape. They are also putting in place connections to strategy, budget, and controls to better understand and manage risk to outcomes. Due to the expanded risk data sets, the increasing number of stakeholders that utilize risk information, and the drive to have timely information, agencies are assessing Governance, Risk, and Compliance (GRC) tools to streamline or automate their programs.

GRC tools are software applications and modules designed to integrate governance, risk, and compliance processes across the organization. These capabilities include policy and compliance management, risk management, audit management, issue and incident management, business continuity management, vendor risk management, information security, and more. Centralized data storage, analytics, visualization, and workflow management efficiently tie all these capabilities together to facilitate cohesive and efficient operations. Furthermore, GRC tools offer flexibility for customization and reconfiguration, allowing them to be tailored to align with an organization’s specific operating environment and needs today and for the future. GRC’s integrated suite of capabilities helps agencies achieve their strategic objectives through effective risk management in a cost-efficient manner.

Once leaders grasp the basics of GRC and its potential benefits for their organization, they may feel both excited and concerned. Excitement stems from the idea that a GRC tool offers an elegant solution to automate time-consuming processes and integrate risk programs. On the flip side, there can be concern because the technical procurement and implementation of software are not typically within their usual responsibilities. Nevertheless, risk leaders should err on the side of excitement, as the concerns, while not unfounded, are manageable. Given that some risk leaders are unfamiliar with software procurement and GRC implementation, below are a few domains to help frame their thinking.

Program Design and Use of GRC: Risk leaders should not develop their programs around a tool, but rather configure the tool to meet their program needs. When identifying the needs for an agency risk program, risk leaders should ask themselves questions that include, but are not limited to:

  • What risk programs (ERM, TPRM, Internal Controls, Audit Management, etc.) are in place today?
  • What risk programs does the agency want to establish in the future?
  • What current systems in place will / should integrate with the GRC tool?
  • What functionality is needed to enhance the ERM program?
  • Who should have access to the GRC tool?
  • And most importantly, how do I implement this tool and manage change in a manner that makes the agency’s risk program sustainable for the long term?

These are just a few illustrative questions to get a risk leader thinking and prioritizing what they value in their future state program design and use of a GRC.

Cost: There are four general types of cost that an agency incurs with any software implementation: one-time implementation cost, annual license cost, support cost, and operations and maintenance (O&M) cost:

  • Implementation cost: The one-time implementation cost encompasses the initial setup, configuration, and integration of the GRC tool into the existing systems and processes. This may include expenses for consulting services, customization, data migration, change management, and training for staff to effectively use the tool.
  • Annual license cost: Recurring annual cost for users to utilize the software. This can also include updates and patches, support, and maintenance.
  • Support costs: These are costs that do not appear as a line item in a budget, such as staff time spent on implementation or staff time spent in training.
  • O&M cost: These are costs associated with the hours spent on ongoing maintenance or further configuration of the tool.

Beyond understanding the significant value proposition, risk leaders should be aware of the types of costs associated with a GRC tool to support the creation of a fully informed business case for GRC within their respective agencies.

Agency GRC Operability: Agencies often have different preferences when it comes to the level of “self-service” they desire within a software product – for example, some may want the full ability to customize and configure, while others may want limited configurability. The preference should be considered as risk leaders evaluate GRCs that are right for their program as well as potential needs for upskilling staff or enlisting outside support. Agency leaders should also consider the benefits of an implementation vendor, as purchasing a GRC as a one-off software buy, rather than as part of a wrap-around set of risk and change management services, may limit the value proposition.

Although change can be challenging and software may seem intimidating, Agency ERM leaders should look to capture the benefits that a GRC solution can bring to their ERM program and their agency. ERM programs have driven significant change and improvement across their respective organizations – now is the time for the ERM program to be the subject of evolution and improvement.