GRC Agility: Why It Matters and How to Build an Agile GRC Strategy

April 29, 2022 · READ

A modern business without an agile GRC program is like the Titanic. It’s an interconnected risk environment that’s bound to sink should several connected operations malfunction at once. It’s impossible to create a completely risk-free environment. However, a healthy governance, risk, and compliance (GRC) program enables you to spot and address proverbial icebergs in the water before they become a significant risk event, and GRC agility provides teams with tools to move faster.

Defined by OCEG as the capability that lets organizations “reliably achieve objectives, address uncertainty, and act with integrity,” GRC’s rigid structure once made it effective in meeting known risks. But as global risk events become more sophisticated and complex, new frameworks are needed to address them. Enter a new approach: agile GRC. While traditional GRC focuses on resiliency and quick, effective incident response, agile GRC’s goal is to anticipate incidents before they take place.

You empower your company to understand current, interconnected risks and to anticipate future ones when you move from a historical GRC approach to an agile one. Resolver’s Ryan Napoleone sat down with Michael Rasmussen, expert GRC analyst at GRC 20/20, to discuss the potential roadblocks keeping companies from pursuing agile GRC and learn some practical steps to build an agile GRC strategy.

What’s Holding Companies Back From Agile GRC?

An agile approach is becoming more popular in the GRC world. However, many companies are wary of transitioning from historical GRC to agile GRC despite its proactivity in today’s advanced risk environment. (Read our full definition of agile GRC here.)

Rasmussen sees this disconnect falling under one of three primary GRC fallacies:

  • There’s no way to know the true business impact of risk
  • Risk can’t be a business driver
  • There’s no way to prioritize and prepare for unknown risks
Screen shot 2022-04-15 at 3. 42. 33 pm. Png
Image caption: Above is a visual representation of the three common GRC fallacies and implementation examples.
Image source:

In actuality, an agile GRC program addresses all three of these pain points and offers advantages, too. First, proactive GRC makes it easier to quantify risk. It uses new advancements (like auditing software AI) to analyze past and current risks better and build a strategy that avoids the mistakes others make.

It tackles the second fallacy by making risk a motivator since more agile GRC results in better risk management and fewer risk events. The advantages of proactive agile GRC reveal the potential consequences you might experience without it—like siloing, ineffective communications, and slow response.

Finally, GRC agility lets you accurately prioritize and prepare for the future. It instantly sorts and analyzes the most current risk data, so you can form an aligned risk management strategy within GRC.

4 Ways to Move Toward an Agile GRC Strategy

The transition from a traditional GRC process to an agile one can feel overwhelming without a plan. Here are four steps to help your company make agility a core part of its GRC strategy.

1. Develop a big-picture plan

The current risk landscape is more crowded and uncertain than ever. A single risk event can quickly domino into a company-wide breach without a master GRC plan to help you navigate and control it.

The crucial first step in developing a strategic plan is to understand the current state of your company, operations, and GRC program. You can’t know what you have to improve without a thorough understanding of what’s working and what’s not. Internal audits, conversations with experienced team members, and surveys with stakeholders or customers can help paint an accurate picture of how effective your current GRC efforts are.

Once you have a good understanding of where your GRC program lacks agility or how it could be better implemented in your operations, you can determine where you want your GRC efforts to go. Rasmussen says, “once you understand your current state, you can then define what needs to change to get to your ideal state. If [that state is] out there two or three years from now, consider what roadmap or navigation is needed to move from the current state to that future state.” Consider setting new GRC goals or asking strategic questions to give you a starting point for that roadmap.

Here are a few questions to get you started as you thoughtfully consider your GRC strategy goals:

  • How could our company better share information across departments to synchronize GRC efforts?
  • What poor functions, processes, or systems might be disconnecting us from agile GRC?
  • Is there an accurate, synchronized view of risk across our company? If not, how can we establish one?

2. Get the right leaders on board with your agile GRC plan

More of today’s risk and compliance failures fall on the shoulders of company leaders who may be largely uninvolved in the actual events; look at Mark Zuckerberg and Facebook. Company leaders can’t advocate for agile GRC and share its advantages if they’re not on board and involved in the process.

Any transition takes time and effort to complete, but it’s even more challenging without key leadership supporting the shift. The chief ethics or compliance officer, the board of trustees, and the enterprise risk management team are key to your GRC transition. All three of these roles are held by people with influence who can advocate for agile GRC and support your continued efforts toward it. The CCO can inform changes in regulations and help work toward GRC strategy improvements. The board provides much-needed leadership and continued support for GRC improvements. Finally, your risk management team makes sure agile GRC works seamlessly with risk management to accomplish their mutual goal: minimizing and mitigating risk.

Rasmussen encourages keeping these questions in mind as you consider which people or roles can best support the team that will own your agile GRC process:

  • Does your company have sufficient roles and departments (such as those noted above) in place to support agile GRC?
  • Are these departments ready and equipped to work together toward GRC agility?
  • What additional training/execution would be needed to execute agile GRC?


3. Build an integrated technology architecture

An integrated technology architecture, where all your software connects with different apps or platforms, lets you accurately map internal and external data. This accuracy lets your team get one realistic picture of your risk and lets them work toward a united resolution when problems arise. It also minimizes mistakes, which are far more common if every operation or business function has its own siloed system or technology.

Rasmussen shares:

If you’re preparing to climb a mountain, you don’t just throw [all your gear] in a bag. You carefully select your equipment for the task. Can your technology architecture for information technology that you’re trying to achieve the GRC strategy? Can it execute and deliver on your final state? You wouldn’t want to get halfway up the mountain to head right back. It’s smarter to pack the right equipment in the first place.

A great starting point is to implement a common operating model (or how your company delivers value) to your tech stack. Random applications and complex software connected across multiple systems make it challenging to accomplish aligned business goals. A common operation model aligns apps and software on the same system, synchronizing and simplifying operations to create far more efficient technical workflows.

4. Make the agility transition in stages

You can’t immediately jump into perfect agile GRC alignment. Make the transition more achievable by creating realistic, front-line benchmark goals for your team. As they reach them, you can readjust your transitional benchmarks toward GRC agility. This way, if a risk event happens tomorrow, your team can be partially prepared. Doing some small things right is better than experiencing more unnecessary risk events while waiting for an overhaul.

At a minimum, include benchmarks around all four phases of the GRC process (preparation, selection, implementation, and utilization) as you outline your transition to agile GRC. For example, you can use audit performance and the time between risk events to identify common areas where compliance is a struggle so you can improve it. When selecting a GRC program or partner, knowing your budget, preferred vendor partnership style, and product nice-to-haves vs. must-haves will help you find your best-fit. Implementation benchmarks, like workflow and risk management, and compliance effectiveness provide assurance that your GRC program is doing its job well. And finally, benchmarking expectations for document management and vendor oversight ensure that you maintain GRC program delivery from end to end.

Build a Stronger GRC Strategy With Resolver

Experienced security professionals can help your team achieve a more robust GRC program by providing tools and integrations to get your agile GRC strategy up and running faster and more efficiently. At Resolver, our easy-to-use risk solutions and governance expertise empower us to assist you in transitioning to agile GRC. With Resolver, you’re not just buying a content library, you’ve also got a powerful, simply implemented tool, which notifies the right folks in the right departments as soon as regulation changes occur. Learn about the new agile GRC features in our 3.6 release.

Listen to the rest of our webinar on how to build an agile GRC program, or sign up to watch a 15-minute showcase to learn more about our risk management solutions.