Entrance
The universe of risk is growing and becoming increasingly complex for organizations to manage. Threats from within the organization are being combined with new risk areas such as environmental, social and governance (ESG) as well as third-party risk. Complicating this growing risk landscape is a rapidly changing regulatory environment, the need for continuous data ingestion, and requirements to verify organizational performance. Today, a modern approach to risk management includes not only the effective management of risk from a defensive perspective, but also the ability to use risk as a competitive advantage based on the increased likelihood of success of strategic initiatives. However, organizational ability to achieve this level of risk management varies greatly. A key differentiator in organizations’ ability to address risk is the adoption of Governance Risk and Compliance (GRC) Platforms that offer advanced features. IDC classifies companies according to their progress toward GRC implementation, from those in the early stages of GRC adoption to those that are leaders or have deeply integrated GRC throughout the organization. Investigating how mature GRC companies address risk and adapt the tools and capabilities that enable successful risk management, and establishing this as the gold standard, provides guidance to these companies early in the journey.
The Path to GRC Maturity
Defining GRC Maturity
What is the hallmark of a mature GRC company? GRC maturity is a function of how companies fundamentally approach risk management. Are risks addressed in an ad hoc manner driven by crisis response, or is risk management proactively designed to support larger organizational strategies? Mature GRC organizations have the following characteristics:
- High level of C-level and senior management involvement with GRC
- Risk management compatible with quantitative, strategy and performance management
- Prescriptive and predictive risk management
- Broad involvement across the distributed operation, including first line of defense and services to key suppliers and vendors
GRC Behaviors: Maturity Affects Perception and Adoption of GRC Capabilities
GRC maturity in an organization is determined by both how the organization prioritizes risk conceptually and how it manages risk tactically. Conceptualization basically defines implementation. Organizations with high levels of C-level management involvement have closely aligned risk with organizational strategy and a prescriptive approach to risk management, and are much more likely to have GRC-specific tools to support these initiatives.
While GRC laggards often rely on Excel or data visualization software to monitor risk and compliance, leaders have invested in the specific GRC management platforms necessary to effectively manage and respond to risk and compliance issues as they arise. IDC research shows that GRC leaders are characterized by an expanding GRC program driven by higher investment levels and accelerating spending growth. Just as risk is not static, mature GRC organizations do not take a static approach to risk management. These organizations view risk management as an ever-expanding effort and therefore will not only invest more in existing capabilities than delays, but will also continue to invest in advanced GRC management technologies (see Figure 1).
FIGURE 1: Comparison of Leaders and Laggards in GRC Spending
More Mature Organizations Have Greater Adoption and Perception of Need for GRC Capabilities
One component of leaders’ investment in GRC is in implementing advanced capabilities. True to the nature of these institutions, leaders are much more likely to support the use of these tools (see Figure 2). In an IDC survey, participants were asked about their perceived need for GRC capabilities and their implementation status. According to the survey, GRC leaders are well ahead of laggards in rating automation and intelligence features as important.
Mature organizations that perceive value in risk management and invest in GRC platforms also perceive the value of maximizing these tools through the implementation of advanced features. Like many other technologies, by leveraging GRC and tools that integrate data and automate processes, organizations can take their risk and compliance programs to the next level. GRC leaders understand the importance of maximizing the capabilities of GRC platforms.
FIGURE 2: Advanced GRC Talent Priorities
Benefits
The distinction between leaders and laggards is the use of purpose-built GRC platforms that include advanced GRC capabilities. What are the specific capabilities in which mature GRC organizations invest? Above all, organizations are looking for talent that frees up labor-intensive processes:
- Enhanced usability including frontline interface, dashboards and reporting features. Supporting an engaging user experience that simplifies data collection and capture can have a significant impact on the quality of an organization’s risk management. If critical risk data is captured at the time of the incident, a company can better assess its risk profile and mitigate potential threats. Supporting more complete capture of risk data is the ability to effectively process the captured information. Usability also speaks to the power of the organization to quickly visualize and report on its risk posture. Comprehensive dashboards allow organizations to identify current and emerging risk areas and organize information. This structure provides streamlined reporting by automatically populating risk metrics into pre-configured report templates, making planned and ad-hoc reporting requirements much less labor-intensive.
- Automation to remove manual tasks, increase consistency, and reduce errors: Manually driven risk and compliance monitoring is a significant resource drain and prone to errors and inefficiencies. Mature GRC organizations collect data and conduct risk assessments on a daily, if not continuous, basis. Incorporating automation features, including AI/chatbot support and workflow capabilities, is critical to effectively manage this information intake. Automation features also increase the consistency of the collection and reduce the incidence of errors.
- API/system integration to consolidate the right data in a single location: Another critical advanced GRC capability is integration, driven by the need for efficiency and effectiveness. Mature GRC organizations are looking for solutions that integrate with existing enterprise applications and systems. API integrations enable GRC platforms to source information from existing applications and store data in one central repository. This simplifies the data ingestion process and enables information to be shared across the organization. Additionally, integration with IT/security systems supports the capture of accurate asset, compliance and risk data.
- Risk measurement to determine risk priorities to be corrected: Risk quantification is becoming increasingly important because both the risk environment and risk diversity are increasing. While many GRC platforms rank risk in a green/yellow/red matrix, organizations are looking for more specificity in risk ranking. Organizations struggle to make informed risk decisions based on their overall risk rankings and seek guidance such as being able to assign a monetary metric to specific risks. By tying costs to risk, companies can better prioritize risk remediation efforts and turn data into action. Other risk measurement methods that are beginning to emerge include Monte Carlo and bowtie simulations, but adoption of these methodologies currently remains relatively low even among mature GRC organizations. However, organizations are investing in upgrading their risk measurement capabilities. While matrix quantification has been the de facto standard for risk analysis in years past, there will be a major shift to more advanced risk quantification methodologies. IDC predicts that organizations will improve their risk measurement capabilities over the next one to three years. Initially, companies will replace matrix-based analysis with monetary impact methodology. Monetary impact risk analysis provides a clear definition of the potential cost of various risks and helps guide C-level and board discussions around risk prioritization and improvement investment. Monte Carlo and “bow-tie” analysis tools represent the most advanced state of quantification, which is likely to replace monetary impact analysis within a few years as organizational maturity improves (see Table 1).
TABLE 1: Evolution of Risk Measurement Maturity (% of respondents) Question: How does your organization primarily measure risk today? Next year? In the next three years?
Challenges
According to a recent IDC survey, 34% of US organizations continue to use non-GRC-specific software, such as spreadsheets or project management software (source: IDC’s Governance, Risk and Compliance (GRC) Maturity Score Survey, November 2021, n = 206). Growth in the GRC market is challenged by both funding constraints and misperceptions surrounding risk and compliance management. Investment in the transformation of content workflows may be competing with other business priorities within these organizations, but risk and compliance management solutions will certainly contribute to an organization’s perception of trust. However, understanding the importance of maintaining trust as an organization and the role of GRC software solutions in ensuring that trust is a challenge. Many organizations with very rudimentary applications see themselves as innovators in risk management, highlighting the need to better inform the market about what GRC maturity actually looks like.
Organizations that implement advanced GRC capabilities benefit from their investments through reduced risk and improved competitive capabilities across multiple metrics.
Conclusion
Organizations that implement advanced GRC capabilities benefit from their investments through reduced risk and improved competitive capabilities across multiple metrics. IDC believes the market will increasingly require robust GRC platforms that include advanced automation and intelligence features. Given the ability to deliver these modern capabilities when appropriate solutions are selected, companies have a significant opportunity for success.