Riaan Bekker, force solutions manager at thryve, examines the world of risk software.
A friend of mine is a keen cyclist. He had a trusty bicycle that carried him around, especially when taking the kids out over weekends. And that was all fine: why replace what works well?
Eventually, though, he had to retire his trusty steel steed and buy something new. Only at that point did he realise the difference. His older bicycle was by all means functional, but a far cry from the advances made since he bought it. The new bicycle is lighter, more responsive and better balanced. He used to spend a lot of his energy fighting the old bike and yet not realise it. Now, suddenly, he’s got all that spare capacity. He’s since started hitting the trails much more often – a little to the chagrin of his family, who like to sleep in.
Comfort exists because we know something works well and we’d like to keep it. But at some point we get stuck and risk not acknowledging when it starts losing its edge. Business applications often fall into this trap. Today, even with highly affordable and very reliable web applications for email, many of us still hang onto our desktop clients for dear life. Then we complain when we can’t find a mail or lose our archive in a system crash.
GRC (governance, risk management and compliance) software falls acutely into this category. Risk is not seen as a line-of-business function, so once we have something that does that job, we’d prefer to keep it like that. Yet like my friend’s bicycle, risk has evolved tremendously. This is due to data: it’s much easier and better today to integrate data sources across a company, creating single versions of the truth.
For every risk manager who has had to spend late nights making sense of different risk reports, it’s a life changer. The right risk aggregation platform, such as what we promote here at thryve, takes hold of company data and forges it into objective sense that can be used without fear or doubt.
But you can’t just drop the solution into place. For it to be effective, you must take the opportunity to address the root causes that often scuttle the ship. Governance is one of the key problem areas: companies without good governance tend to get bad GRC implementations. This leads to expensive remedies and eventually silos as different parts of the company try to avoid the dysfunction. That would place you right back at square one: disparate reports and no sense of the business truth.
The business’ data is also a crucial factor. What can be kept and what should be archived? How should it be structured? GRC systems often age quickly after mergers, which create a mess of business information. Replacing GRC software is the perfect opportunity to get on top of that. This not only helps risk, but contributes to overall attempts at establishing solid data practices across the business.
It thus makes sense that administrative structures must also be in place, else the GRC platform will run – and falter – in isolation from the business’ processes. Finally, you can’t forget about the people: there must be clear reporting structures to help inform on the adoption and make sure that your workforce is seeing the benefits they expect (and to effect change when they don’t).
You will not be able to entirely replicate the functionality of the departing GRC software. Things have evolved, so don’t look at it as a replacement. It’s an evolution, and one that can be painful if everyone has grown comfortable with the status quo. So there will be resistance and legacy that can threaten to cripple the process.
But making the shift brings incredible advantages. Avoiding it is ultimately business suicide. At some point you have to let that old bike go and experience the advances in newer models. Your company will thank you, but first they will resist you. Start with what they rely on – the company’s structure, rules and culture. If those are aligned and ready for change, everything else will be as well.