The complexity of today’s business environment threatens to overwhelm the compliance function in many organizations as they struggle to respond to questions from regulators, executive committees and Boards. Unfortunately, one common panacea for organizational complexity—technology—has not won an overwhelming number of supporters in the risk and compliance space. According to a recent survey Deloitte conducted with Compliance Week, only 32 percent of compliance executives were confident or very confident in their IT systems, down from 41 percent when the survey was conducted in 2014. This may be why the majority say they primarily depend on desktop software and in-house tools such as spreadsheets to perform most compliance tasks. Reliance on these tools is one reason many compliance functions spend the bulk of their time gathering data rather than analyzing it.
One technology solution that has begun to have an impact in the compliance space is the governance, risk and compliance (GRC) tool set. While not perfect, these tools have improved enormously over the past five years and have the potential to automate activities such as data collection, control testing, issue management, workflow and reporting. As with any tool set, however, implementing appropriate governance processes and procedures around the technology is critical to overall success.
Experience gathered while working with compliance professionals on numerous GRC initiatives has led to the identification of five critical success factors:
1. Make sure leadership has your back
It sounds obvious, but without leadership support, a broad-scale GRC project can quickly devolve into squabbling over priorities. When executive leadership participates in discussions and decision making, it is a clear signal that the initiative is both important and strategic in nature. Leadership support will also help to drive consensus and keep diverse stakeholders working together toward a common goal.
2. Go slow to go fast
Far too often, companies approach GRC implementations without a strategic roadmap. Leadership may signal the go-ahead but leave it up to the individual groups—whether the business units or the various functional organizations, such as risk and compliance—to decide how to proceed. The result is often a host of siloed development initiatives that the organization then struggles to connect once they are up and running.
Green-lighting these isolated initiatives may appear to be the faster approach—after all, getting everyone on the same page takes time. But the result of such a piecemeal approach is usually a huge amount of rework and potentially the wholesale scrapping of GRC systems and tools after they have already been installed. The build-then-connect approach rarely works, especially in large, complex organizations. Rather, you need to think first about how the system should connect across the company’s different risk and compliance silos. In other words, connect first, then build.
A variety of other issues also need to be decided up front, including governance structures, policies, procedures, controls, data sources and classification. Finally, many companies underestimate the change management issues involved in a GRC technology implementation—this is something that should be addressed in the planning phase, before a single line of code is written. A careful, well-thought-out approach can pay off handsomely in the long run.
3. Speak the same language
Organizations need a way to talk about risk and compliance that resonates for the entire enterprise, not just for specific groups. Without a common taxonomy, the implementation will only take you so far. Data may automatically flow from multiple sources into a single repository, but turning it into a meaningful picture that creates valuable insights for the business will likely be impossible. Developing a common language is one of the most important aspects of the planning phase.
4. Engage early and often
IT may be the ultimate buyer of GRC technology solutions—and they are certainly involved in the implementation process—but they should by no means be the sole decision makers. The three commonly cited lines of defense for identifying chinks in a company’s controls armor—the business, the compliance function and internal audit—need to be closely involved in determining what system to implement and how to customize it.
While the formal owner of a GRC implementation varies from organization to organization, unless all affected parties are involved in decision-making, the outcome is likely to be sub-optimal. In fact, when stakeholders are not engaged early, considerable re-work may be required as new groups are added to the platform. The business in particular may need to be “sold” on the benefits of an implementation initiative, and “saving the compliance function from headaches” is not going to cut it. For example, one concrete benefit a business unit gains from a fully functioning GRC platform is a reduction in the number of requests for business-specific information from both the compliance and risk functions, because the data is collected once and shared. Bringing all the parties together at the onset of these initiatives and giving them a stake in the game can help ensure that everyone benefits. Keeping them abreast of project milestones through regular, two-way communication also helps prevent the stonewalling that tends to follow when user groups feel they have not been consulted.
5. Start small, then iterate
While the roadmap should lay the course for the entire organization, trying to do everything at once is usually a recipe for failure. The roadmap will set priorities, and that’s where you need to start. Develop “use cases” or “pilot projects” based on the highest-profile areas—such as third-party compliance, IT/operational risk, risk assessment, business continuity planning and regulatory change management—rather than initiating a set of silo-based initiatives. Then, step back and gather feedback from the business and other users. That feedback is valuable currency because you can incorporate it into your next deployment. It is far easier to iterate and continuously improve than it is to roll something out across the enterprise that may have to be taken offline and reconfigured if problems arise.
Conclusion
With the right approach, GRC implementations need not be the frustrating exercise they so often become. This means bringing together all the relevant parties up front, dividing responsibilities in a manner consistent with the three lines of defense, appointing an executive sponsor and then moving forward together to determine appropriate GRC use cases that can be built within the GRC tool. Aided by the automated activities that GRC tools provide, compliance and risk organizations will likely spend far less effort on manual, spreadsheet-driven tasks and instead will be able to focus on analyzing the data and on other more fruitful pursuits that deliver value to the business.