2020 will be remembered as the year of an almost worldwide lockdown caused by a virus. What could be next?

By Dudley Cartwright, CEO of Soterion

The 2019 WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations, and the stakes are higher than ever should businesses fail to get it right.

We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities.

Successful organisations are becoming more agile in their ways of working.

New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation, more than ever before, and are embracing new agile technologies and methodologies in doing so.

GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools.

Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, as an entire system, is able to move, react, adapt and so forth. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.

While agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued.

Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities.

Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.

Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, while at the same time pragmatically delivering GRC requirements within the prevailing framework.

So, what is the correct approach then for agile GRC? Given that organisations differ vastly by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer.

Here are a few agile GRC descriptors. Agile GRC realises the need for engaged business users, and hence puts business users at the centre of the process. GRC language is converted into a language that business users can understand. This is further achieved through more intuitive tools such as introducing business process visualisations that help contextualise and understand risks.

A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering.

Engaged business users are more vital than ever given the fluidity of organisational environments today. GRC must become a team sport.
If business users are unengaged, it falls to the GRC team to ensure that access risk remains healthy. This is usually done in an episodic fashion, frequently timed to coincide with an audit.

The power of engaged business users is manifold: there are many of them, and they know and understand their processes better than anyone. Giving these users the means to monitor and respond to the risks inherent in their processes provides a powerful first line of defence which in turn allows the GRC team to play a more strategic, value-adding role.

In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows. The traditional paradigm assumes that such process flows seldom change. In reality, with today’s pace of change and agile ways of working, access risk simulations are performed against rule sets that are increasingly out of touch with an organisation’s reality. Business users become frustrated by this and their buy-in diminishes accordingly.

New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities. Machine learning technologies often play a role here. Another approach is ‘crowdsourcing’ rule set changes from business users themselves, through intuitive visualisations that keep GRC tools relevant and hence keep business users engaged.

Traditional applications typically have a software-license to implementation-cost-ratio of between 1:3 and 1:5. That is, for every dollar spent on licensing in the first year, the organisation can expect to pay up to $5.00 in configuration costs. The implementation process itself is often the organisational equivalent of open-heart surgery, given the sheer intensity of the process.

New-generation GRC applications are typically implemented at least 50% faster than traditional applications. This translates into lower total cost of ownership, less business disruption and quicker establishment of GRC capability.

Aside from the cost-saving implications of rapid deployment, Agile GRC configurations allow users to “fail faster” in the positive sense of getting vital feedback on access simulations and adverse process changes quicker, which allows for timeous adjustments.

Agile GRC vendors are connecting their applications with other vendors from similar but different fields to provide a more holistic offering. Examples of this are integrations with Identity Access Management solutions, Enterprise Risk solutions, Process Control solutions and Business Process Mining solutions.

The API economy enables organisations to choose the exact applications they require given their current business landscape and to create a “one-size-fits-one” GRC technology ecosystem that fits their needs. This contrasts with the traditional “one-size-fits-all” idea of one monolithic GRC application which caters for every conceivable scenario.

As SAP moves more functionality to the cloud (SuccessFactors, Ariba and Concur etc), as well as customers starting to replace non-core SAP products with 3rd party solutions such as Salesforce.com and WorkDay, GRC solutions need to be able to analyse non-ABAP-based solutions.

Agile GRC solutions are future proof, in that they will be able to seamlessly analyse access risk from traditional SAP systems (ABAP), as well as SAP cloud solutions and 3rd party solutions.

Managing access risks is both time-consuming and laborious. Using historical data to develop trust relationships will allow GRC practitioners and business users to focus on the exceptions. Examples of this include monitoring transaction usage activity and highlighting exception transaction codes. Or, knowing which terminal the user accesses SAP from, and highlight any activity from a different (non-trusted) terminal.

In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations. Therefore, the evaluation of tools in terms of attributes which contribute to business user engagement is an appropriate evaluation tactic to employ.