Governance, Risk and Compliance

What is Agile GRC? How Risk Teams Can Move Faster

By now, you may have heard the term “agile” mentioned in a boardroom, on LinkedIn, or maybe on a tech blog. While dictionary definitions vary a tad, they generally lead back to “the ability to move quickly.” Since the creation and widespread adoption of the Manifesto for Agile Software Development in 2001, it’s no surprise that the philosophy behind this framework quickly expanded beyond software and product teams. Agile focuses on a “progress over perfection” mindset, valuing rapid and continuous improvement with customer feedback at its core.

At Resolver, we equip our customers with the capability to respond quickly and effectively to security, risk, and compliance challenges impacting today’s operations and tomorrow’s opportunities. So we’ve added agile GRC capabilities to our 3.6 release, specifically for GRC teams looking to improve their existing risk assessment processes, derive true risk intelligence, and transform it into meaningful business value while moving faster.

We were fortunate to have Michael Rasmussen of GRC 20/20 on hand to share knowledge over an informative webinar with our own GRC Product Manager, Ryan Napoleone: How to Build an Agile GRC Program, hosted by our partners at OCEG. Here are some key takeaways on building GRC Agility in your organization.

What is GRC: A quick review

GRC is a collective term covering Governance, Risk, and Compliance. According to Rasmussen, many companies aren’t truly aware of their overall risk profile, nor do they have a clear view of how it impacts business operations and processes. He sees risk as interdependent and interconnected, with the potential to impact the organization at all levels. Developing a GRC program and creating a risk culture with buy-in across your organization is vital to continuously protecting the business from a significant risk event.

Governance sets direction and strategy for the organization to achieve objectives reliably. “Governance sets the context for risk management, and without context, risk management fails,” says Rasmussen.

Risk Management seeks to manage and understand uncertainty by identifying, assessing, and monitoring risk within context to act on risk through acceptance, avoidance, mitigation, or transfer.

Compliance aims to see that the organization acts with integrity in fulfilling its regulatory, contractual, and self-imposed obligations and values. “It’s like a three-legged stool,” explains Rasmussen, “you just take one of those legs away, and it doesn’t work. A good organization needs Governance, Risk, and Compliance together because they depend upon each other to deliver agility in the modern enterprise.”

What is GRC Agility?

GRC agility is the ability of organizations to adapt, pivot, and move quickly to address external and internal risk factors. For example, the global Covid-19 pandemic brought forth many risks that individuals and businesses had to respond to with speed. GRC agility allows an organization to quickly and effectively adapt to a complex and changing landscape in governance, risk, and compliance. With GRC agility, the focus is on organizational alignment, process optimization supported by technology, and having changes to content reflected rapidly, so you’re working with up-to-date data.

OCEG’s GRC Capability Model: A framework for Agile GRC

OCEG’s GRC Capability Model offers a four-point framework: Learn-Align-Perform-Review.

Learn: In the Learn phase of an agile GRC framework, teams take external and internal information and context, weighing it against organizational culture and stakeholder objectives to understand what risk factors need to be addressed. Does your team understand what leaves the organization vulnerable? What metrics can help demonstrate success or areas where improvement is necessary?

Align: Once the research and analysis phase is complete, teams can then work to align on objectives, direction, prioritization, KPIs, and the overall design of risk management programs.

Perform: The Perform phase puts the learning and the aligned plan into action through:

  • Controls
  • Policies
  • Communication
  • Education
  • Incentives
  • Notification
  • Inquiry
  • Response

Review: In the Review phase, careful monitoring and assessment of data, systems, plans, and processes leads to discussions on improvements to be made, and then the learning phase begins all over again.

Transforming GRC Chaos into GRC Agility

The current problem on many GRC teams is what Rasmussen coins “GRC chaos,” where inefficiencies such as time-consuming processes cause teams to be reactive, operating in “triage mode.” These teams cannot scale, are often behind where they want to be, and suffer considerable and critical resource constraints. Documentation is sparse or disparate, with teams relying on spreadsheets—if they document things at all. This lack of consistency and discipline creates an unsustainable structure, frustrates employees, and leaves companies at significant risk.

“A lot of organizations have what I call the inevitability of failure: a lot of manual processes, documents, spreadsheets, and emails,” says Rasmussen. He references a firm pulling together a compliance report for its board of directors annually, spending 200 hours “consolidating, aggregating, and tabulating information from thousands of documents, spreadsheets, and emails,” only to learn that they have a compliance issue that started 11 months prior. “That’s not managing risks; that’s reacting to risk,” cautions Rasmussen. Many organizations spend 80% of their time managing documents instead of managing risk.

Rasmussen highlights new directions in GRC management to enable enterprise agility. In the past, “risk” was really about “hazard and harm.” But the future, predicts Rasmussen, is in “being able to see across risks in the organization, map them to objectives and have risk as an effective tool to enable business performance strategy.” Organizations need to focus on agility, resiliency, and integrity, Rasmussen explains, to predict, avoid, and rebound from risk effectively.

Rasmussen stresses the need to provide for collaboration, getting different departments to work together on a GRC strategy to enable enterprise agility. His formula is simple: clearly define roles and responsibilities; support those working on risk through strategy and processes for risk identification, risk assessment, risk treatment, and monitoring; and centralize information and documentation through a GRC management information and technology architecture.

How Risk Intelligence technology can empower Agile GRC

“Risk models never accurately represent the real world,” says Rasmussen. “There are only so many inputs and variables that can go into a model. And the real world is so complex that models don’t perfectly represent it.” Advocating a combination of right-brained creative and imaginative thinking about risk and a left-brained logic and data approach, Rasmussen recommends a solid risk management information and technology architecture like Resolver, “that provides 360-degree contextual intelligence,” to be able to view risks holistically and in an instant.

Risk Intelligence technology allows teams to “identify what impacts the organization and change data points, integrate and map, gather, analyze, understand relationships and build out action items.” Additional benefits include risk automation and tracking, delivering managed reports at a press of a button, a strong audit trail, and a system of record on risk activities, workflow, and task management to prevent risks from slipping through the cracks. Risk management software solutions also encourage greater collaboration, “not just for the back office of risk management, the second- and third-line functions, but also the first line. The front office can engage in risk,” says Rasmussen.

Risk management teams should look for a solution that is “highly configurable, scalable, adaptable, can integrate other systems, and can provide analytics,” suggests Rasmussen. Your risk intelligence software should also feature cognitive GRC technologies such as artificial intelligence and robotic process automation, and — in his signature brand of plain-speak — it “doesn’t break on upgrades.” Rasmussen cautions against legacy solutions that need continuous band-aid fixes to keep up with your business. “There’s a new generation of technology—like the latest version of Resolver—out there that is highly usable, lowers the total cost of ownership, and is highly configurable.”

How do we make GRC more efficient, effective, and agile?

Resolver delivers this on our proprietary, no-code, easy-to-use platform. One of the critical elements of an Agile GRC program is configurability and flexibility. Resolver provides the tools and technical capabilities that drive our out-of-the-box applications, based on industry best practices, to support multiple risk functions. This includes drag-and-drop form builders, a powerful workflow engine, and the ability to design custom reports. For each customer, we tailor the applications to your unique needs during implementation and throughout the span of your partnership with Resolver. We deliver all of this with creativity, collaboration, and flexibility, enabling the platform to fully unlock the abilities of your teams.

This combination of powerful underlying technology, industry best practices, and overall flexibility of the platform is how we fuel both agile and resilient organizations. “Our platform represents Resolver’s mission of helping organizations amalgamate risk information from across the business to deliver their strategic insights, ultimately transforming Risk Management into Risk Intelligence,” says Ryan Napoleone, Resolver’s GRC Product Manager. Book a demo today and let us show you how we can simplify your processes around Risk Intelligence!