Governance, Risk and Compliance

How Agile Governance and Compliance Accelerate Your ERM Programs

Posted March 10, 2023 by Resolver

This content was created as part of our Top 5 Strategic GRC Capabilities Report. Download our free report now!

In today’s constantly changing business environment, companies need to be able to adapt quickly to remain competitive. GRC and ERM teams want to stay ahead of what’s ahead by developing an organizational risk culture that sees risk as a strategic partner in the business. As such, many teams have begun to explore agile GRC as a means of increasing agility, proactivity, efficiency, and resiliency across the enterprise. With a move to agile governance and compliance, organizations can respond quickly to new risks, emerging regulations, and changes in the business environment.

“Risk is a tool,” says expert GRC analyst at GRC 20/20, Michael Rasmussen, “And being agile at risk, seeing what’s coming at the organization to prepare and respond, not only helps us to avoid disasters and harms, but to actually leverage things for the organization’s advantage, and use risk as a tool for the organization. And that requires good risk intelligence and insight, but it also requires that we change the way we approach risk management.”

GRC agility refers to the ability to adapt, pivot, and move quickly to address external and internal risk factors. With agile governance and compliance, the focus is on organizational alignment and process optimization supported by technology and having changes to regulatory and framework content reflected rapidly, so all teams involved are working with up-to-date data.

What is agile governance and compliance?

Agile GRC (Governance, Risk, and Compliance) is a methodology that combines the principles of agile software development with GRC practices to enable organizations to manage risk and compliance more efficiently and effectively. Agile GRC helps companies quickly and accurately manage their risk and compliance needs. This approach allows organizations to adapt more easily to complex and changing landscapes, focusing on organizational alignment, process optimization, and regulatory content changes supported by technology to reflect the rapid changes to governance, risk, and compliance.

Agile GRC emphasizes flexibility, collaboration, and continuous improvement, allowing organizations to adapt quickly to changing business environments, new regulations, and emerging risks. It involves breaking down silos between departments and stakeholders to facilitate collaboration and communication and to ensure that everyone is working towards the same goals or organizational objectives. This approach allows organizations to identify and address potential risks and compliance issues early on, reducing the likelihood of costly errors, non-compliance penalties, or reputational damage.

Transitioning into an agile GRC strategy is as simple as developing a big-picture plan, getting the right leaders on board, building an integrated technology architecture, and putting it all together in stages. The results of GRC agility are better risk management with fewer risk events, which can help save your organization costly fines and other financial repercussions.

Watch: How to Build an Agile GRC Program

Transforming GRC chaos into agile governance and compliance

GRC agility allows an organization to quickly and effectively adapt to a complex and changing landscape in governance, risk, and compliance. The current problem on many GRC teams is what Rasmussen coins “GRC chaos,” where inefficiencies such as time-consuming processes cause teams to be reactive, operating in “triage mode.” These teams cannot scale, are often behind where they want to be, and suffer considerable and critical resource constraints. Documentation is sparse or disparate, with teams relying on spreadsheets — if they document things at all. This lack of consistency and discipline creates an unsustainable structure, frustrates employees, and leaves companies at significant risk.

3 Steps to a collaborative agile governance and compliance strategy

The future, predicts Rasmussen, is in “being able to see across risks in the organization, map them to objectives and have risk as an effective tool to enable business performance strategy.” Organizations need to focus on agility, resiliency, and integrity to predict, avoid and rebound from risk effectively.

To enable enterprise agility, organizations need a collaborative approach on agile governance and compliance strategy. Rasmussen breaks down a simple, 3-step approach to successfully getting different departments to work together:

Clearly define roles and responsibilities
Provide support for those working on risk through strategy and processes
Centralize information and documentation through a GRC management information and technology architecture

Roles and responsibilities: Who owns a company’s agile GRC solutions?

Agile GRC solutions convert GRC language into one that your company can understand. They offer more intuitive tools that allow users to modify their preferences, further allowing them to properly contextualize and understand risks to their organization. These tools and technical capabilities include drag-and-drop form builders, powerful workflow engines, and the ability to design custom reports — all key elements of an agile GRC program.

Adding licensing, implementation, ongoing maintenance, and management, the cost of ownership with agile GRC is typically a fraction of the legacy solutions. Furthermore, it provides your team the flexibility to enable the platform to fully unlock the abilities of your teams.

Since agile GRC solutions involve a cross-functional, “top-down” and “bottom-up” approach that incorporates various departments and stakeholders, it may also involve business leaders, operational teams, and other key decision-makers within the organization. Collaboration and communication across the organization are essential for the successful implementation and management of agile GRC solutions. Ultimately, the responsibility for agile GRC solutions rests with the organization’s leadership, who must ensure that the necessary resources, support, and governance structures are in place to manage risks effectively and ensure compliance.

Executive support of agile GRC strategy

In order to have a successful agile GRC strategy, supporting those working on risk through strategy and processes for risk identification, risk assessment, risk treatment, and risk monitoring is imperative. It takes time and effort for teams to get accustomed to the changes of a GRC transition. An important factor in making this adjustment successful is strong leadership that champions this shift while providing continuous support to their team. This could mean a COO who can advise of regulation changes and GRC strategy improvements; a board who provides support for an agile GRC enterprise risk management (ERM) system; and even a CCO to help risk management teams ensure that agile GRC works in conjunction with ERM systems in order to minimize and mitigate risk.

Rasmussen encourages leadership teams to consider the following when considering the people or roles that can best support an agile GRC process:

Whether or not your company has sufficient roles and departments in place to support agile GRC;
If these departments have the support and capabilities to work together towards GRC agility;
Any additional training or processes that might be added to execute agile GRC

Risk data-sharing in agile governance and compliance

The ability to centralize information and documentation is an important feature to consider in an agile GRC management software. This can be done with a flexible GRC software platform that has an information and technology architecture that’s configurable and offers access control. Doing so will allow your product owner to decide which members of specific teams have access to view and share risk or incident-related information.

By unifying your GRC system, your data capture and reporting are centralized, allowing for different departments to input and analyze data to create more impactful action plans. Doing so means better risk management for your organization while helping to create a proactive risk culture. Centralizing data also means that your team can make risk-based decisions with greater speed, accuracy, and efficiency because less time is spent determining where to locate information. An agile GRC software system allows data to be centralized and connected, which allows risk management teams to respond to threats quickly.

How Resolver enables GRC Agility

Resolver’s Risk Intelligence platform provides the foundation for the modernization of your entire GRC program. Designed by industry experts based on the latest best practices, Resolver enables GRC teams to connect their activities to business value and transform from “check-the-box” functions to trusted strategic advisors. With solutions that address enterprise risk management, compliance & ethics, internal audit, incident management, and internal controls over financial reporting (ICFR), Resolver has everything you need to turn risk data into business value.

Resolver enables GRC agility by providing a flexible and customizable platform that can adapt to changing business needs and regulatory requirements with simplicity and speed. Configure workflows and automate processes based on your specific needs. Quickly adapt to changes in your organization’s risk management processes, adjusting workflows as needed. Customizable reporting capabilities allow teams to generate reports at the push of a button. Resolver’s ERM software integrates with a wide range of third-party applications and data sources, making it easy for users to aggregate risk information from multiple systems and sources. Real-time alerts for incidents and changes in risk management status mean users can respond to new risks and regulatory changes as they happen, minimizing the impact on their organization. Resolver enables organizations to stay ahead of what’s ahead and effectively manage risk in a rapidly changing business environment.

Watch: An ERM product showcase to see Resolver’s ERM software in action.

While agile GRC can transform your team’s ability to deliver true risk intelligence to your organization, it’s just one part of a holistic GRC strategy. We’ve designed a Strategic GRC Capabilities Report to help start the conversation on improving and maturing your GRC processes and strategy. Our expert panel will guide you through thought-starters and actionable goals to help maximize your team’s efficiency, agility, and resiliency in 2023 and beyond.

Download our free report on the Top 5 Strategic GRC Capabilities now!

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
BIGipServersj13web-nginx-app_https	session	This cookie name is associated with the BIG-IP product suite from company F5. Usually associated with managing sessions on load balanced servers, to ensure user requests are routed consistently to the correct server. The common root is BIGipServer most commonly followed by a domain name, usually the one that it is hosted on, but not always.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
XSRF-TOKEN	6 months	This cookie is set by Wix and is used for security purposes.
_mkto_trk	2 years	This cookie, provided by Marketo, has information (such as a unique user ID) that is used to track the user's site usage. The cookies set by Marketo are readable only by Marketo.
__cfruid	session	Cloudflare sets this cookie to identify trusted web traffic.
__resolver-ref	session	This cookie is set by Resolver to ensure visitors receive unique content after submitting a form on our website.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
sp_landing	1 day	The sp_landing is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
sp_t	1 year	The sp_t cookie is set by Spotify to implement audio content from Spotify on the website and also registers information on user interaction related to the audio content.
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.

Cookie	Duration	Description
ADRUM_BT1	past	This cookie is set by AppDynamics and is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
ADRUM_BTa	past	This cookie is set by AppDynamics and used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
ajs_anonymous_id	never	This cookie is set by Segment.io to check the number of ew and returning visitors to the website.
ajs_user_id	never	The cookie is set by Segment.io and is used to analyze how you use the website
CONSENT	16 years 2 months 17 days 10 hours	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
ln_or	1 day	Linkedin sets this cookie to registers statistical data on users' behaviour on the website for internal analytics.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_4655365_4	1 minute	Set by Google to distinguish users.
_gat_UA-4655365-4	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_ga_VCHH3SM1QW	2 years	This cookie is installed by Google Analytics.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_omappvp	11 years	The _omappvp cookie is set by OptinMonster to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie set by OptinMonster, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
anj	3 months	AppNexus sets the anj cookie that contains data stating whether a cookie ID is synced with partners.
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
sa-user-id	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
sa-user-id-v2	1 year	StackAdapt sets this cookie as a Random Identifier for user identification, to display relevant advertisements.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_uetvid	1 year 24 days	This cookie is set by Bing to store and track visits across websites.