Feel the FOMO: Unlocking the Future of GRC Automation
The article discusses technological progress and change in the governance, risk and compliance (GRC) field. The tedious manual processes of the past have been replaced by automation and artificial intelligence, improving efficiency and accuracy. Yet many enterprises still follow traditional methods and fail to take full advantage of the new technology. The article stresses the importance of overcoming resistance to change, cost concerns and entrenched thinking, and suggests modernizing by redefining GRC goals, prioritizing automation of the steps that matter most, and working with the audit function. 2025-06-10 08:52:57 Author: securityboulevard.com

If you’ve been around the governance, risk and compliance (GRC) space for a while, you likely remember the days when GRC workflows involved manually collecting screenshots from several systems, filling out control statuses in spreadsheets and hoping you were ready for your next audit(s). 

Those days are gone, or at least they should be by now. Over the past several years, a plethora of new capabilities supporting our GRC journeys has become available, helping all of us meet compliance requirements and accelerate risk treatment plan initiatives with unprecedented efficiency and accuracy. 

Yet, if you observe the GRC space closely, you’ll notice that many organizations still manage GRC the ‘old’ way. They’re not taking full advantage of technological advancements that support GRC programs in ways we’ve never seen before. 


With all these capabilities available today, why do enterprises sometimes struggle to embrace positive change in the realm of GRC? And what can they do to overcome the barriers to GRC innovation? 

As someone who spends a lot of time helping businesses modernize their GRC strategies, I have several thoughts on this topic and want to share just how much the GRC ecosystem has changed in recent years due to next-generation GRC platforms, and what organizations can do to benefit from these advancements. 

Advancements in GRC Technology 

The driving force behind most GRC innovations we’ve seen over the past several years is the adoption of automation for collecting, reviewing, opining on and reporting compliance with applicable standards, frameworks and regulations. Modern GRC platforms have made it easier than ever to automate processes that historically required vast amounts of time and manual effort, and that only yielded a limited scope of assurance because they relied on sampled reviews rather than the full-population assessments supported today. 

GRC automation comes in a multitude of forms, with key examples including the following: 

  • Automated GRC Data Collection: Modern GRC automation makes it possible to programmatically pull data from source systems through APIs, in real time or at a scheduled cadence. Instead of importing data from spreadsheets, you can integrate GRC software directly with source systems and collect evidence of compliance as soon as it appears at the source. 
  • Automated Control Tests: Rather than examining evidence and comparing it to controls manually, GRC software now allows you to configure control tests that automatically compare evidence against predefined expected control criteria. As a result, these automated control tests discover deviations in control operating effectiveness faster and with less effort, and they can do so across the full population rather than a sample. 
  • Automated Vendor Risk Management: In the past, analyzing third-party risks often required setting up meetings or sending emails, requesting compliance artifacts and evidence, and reviewing them manually. Today’s GRC platforms can automate much of this process by identifying which types of evidence a business needs from its vendors and collecting it automatically. In some cases, platforms can summarize these artifacts against known good practices and expectations using well-trained artificial intelligence (AI) models, so GRC team members can review the summaries and drill into any callouts or deviations. 
  • Automated Policy Enforcement: Historically, GRC workflows focused on performing internal assessments against policies and standards, which triggered a manual response to review evidence and correct any identified findings. Now, it’s possible to automate corrective actions in many cases. For instance, if your GRC software detects a user with excess access privileges, it may be able to integrate with access control software and automatically revoke the entitlements that exceed the pre-defined, approved role-based provisioning expectations. Because automated revocation is itself a privileged change, that integration should be scoped to approved actions and logged like any other change to access. 
  • AI-Based Compliance Assessment Against New Frameworks and Framework Revisions: AI can streamline the assessment of compliance against new or revised frameworks by automating gap analysis, mapping requirements to existing internal controls and flagging areas of non-compliance. Using natural language processing (NLP), AI can interpret regulatory text, compare it against existing policies, controls, procedures, recent automated control test results and system documentation, and draft a list of gaps with associated remediation plans or policy updates aligned to the new or added requirements. This accelerates compliance workflows, reduces manual effort and supports faster adaptation to continuously evolving standards that put additional pressure on GRC teams.  

Examples such as these highlight how the evolution of GRC tools has made GRC processes faster and more efficient, and has allowed GRC staff to focus their energy on more creative and productive work, such as redesigning and optimizing processes in ways that reduce risk, instead of spending time on tedious, repetitive tasks such as manual evidence collection. These advances have also reduced the anxiety that comes with instances of non-compliance, close calls, surprise findings during internal or external assessments, and risks that materialize.  

Leveraging GRC Automation 

Just because GRC innovations such as those described above are now available doesn’t mean all businesses are benefiting from them. Too often, I encounter companies that continue to approach GRC as a manual, slow-moving process. 

The greatest barrier, perhaps, is that managing organizational change and adopting new capabilities is hard, and the larger the organization, the harder it is to embrace a ‘new’ way of doing things. This is likely why smaller, newer companies tend to be at the forefront of modern GRC automation. Large enterprises with deeply entrenched ‘legacy’ GRC processes, or inundated with complex systems and processes, are often much slower to adapt. 

Cost concerns are another understandable challenge. Businesses may be hesitant to invest in new GRC tools, especially if the investment yields only a gradual return. The sunk costs of internal team members and custom-built internal monitoring systems make new investments in replacing these systems a hard pill to swallow. 

I also encounter businesses that are hesitant to make GRC changes because they believe the processes they already have in place work well enough. Existing manual efforts keep passing audits, and the financial resources devoted to GRC staffing and evidence collection seem reasonable, so they see no reason to change. What they’re overlooking is that a modern approach to GRC could unlock more value by reducing audit failure risk further and streamlining processes such as evidence collection. They also need to progress from merely ‘passing the audit’ and treating their auditors’ standards as the finish line, to taking their GRC programs to the next level by reducing risk, decreasing manual burdens and optimizing key processes.  

Companies struggling to embrace GRC changes should consider the following: 

  • Rethink GRC: Historically, businesses have considered GRC an obligation to meet — not inclined to make changes so long as they met that obligation. The reality is that the GRC space is also an opportunity for building and maintaining the trust of customers, turning GRC into a business enabler and revenue unlocker, all while creating new efficiencies. Just having GRC processes that work (in the sense that you’re passing most of your audits) doesn’t mean they’re working as efficiently or effectively as they could using automation solutions. 
  • Embrace Risks to Overcome Risks: There are risks associated with deploying new technologies, and GRC automation software is no exception. There’s a chance that an evidence collection capability won’t work as well as expected, for instance. However, it’s only by taking this risk and experimenting with novel GRC tools that businesses can work toward the greater goal of managing enterprise-wide risks more effectively. 
  • Automate What Matters Most: Some GRC automations deliver more value than others, and most businesses lack the resources to automate all aspects of GRC overnight. To kick off a GRC modernization project, it’s important to invest in automations that yield the greatest benefit over a short time span. When you can demonstrate some quick wins for automation, it’s easier to get buy-in for additional GRC investments. 
  • Get Your Auditors Onboard: There’s a stereotype that auditors prefer routine, never-changing processes, which breeds an assumption that they will frown upon new, automated approaches to evidence collection or analysis. In reality, GRC automation can benefit auditors in many ways, not least by giving them full-population test results instead of samples. Businesses should reach out to their auditors and ask how GRC automation might benefit both the organization and those responsible for auditing it. 

The bottom line: GRC no longer has to be a slow, tedious and resource-intensive process cluttered with spreadsheets, screenshots, shared folders and sampled control tests. Technology has made it possible to approach GRC from an entirely new angle. However, embracing modern GRC automation requires overcoming barriers to change and rethinking traditional approaches to GRC. Businesses can no longer afford to wait to benefit from today’s GRC platforms. The time to change the traditional GRC mindset and reap the benefits of the capable platforms available today is now. 


Source: https://securityboulevard.com/2025/06/feel-the-fomo-unlocking-the-future-of-grc-automation/?utm_source=rss&utm_medium=rss&utm_campaign=feel-the-fomo-unlocking-the-future-of-grc-automation