The Future of GRC Automation

If you’ve been around the governance, risk and compliance (GRC) space for a while, you likely remember the days when GRC workflows centered around manually collecting screenshots from a number of systems, filling out control statuses in spreadsheets, and hoping you’re ready for your next audit(s).

Those days are gone – or at least, they should be by now. Over the past several years, a plethora of new and exciting capabilities to support our GRC journeys have become available that help all of us meet compliance requirements and accelerate risk treatment plan initiatives with a new level of unprecedented efficiency and accuracy.

Yet, if you look around the GRC space, you’ll notice that many organizations are still doing GRC the “old” way. They’re not taking full advantage of the new and exciting GRC technological advancements and capabilities that have continue to support our GRC programs in ways we’ve never seen before.

With all of this available today, why do enterprises sometimes struggle to embrace positive change in the realm of GRC? And what can they do to overcome the barriers to GRC innovation?

As someone who spends a lot of time helping businesses modernize their GRC strategies, I have several thoughts on this topic, and want to share just how much the GRC ecosystem has changed in recent years due to this next generation of GRC platform, and what organizations can do to benefit from those advancements.

Advancements in GRC technology

The driving force behind most of these GRC innovations that we’ve seen over the past several years is attributed to the addition of automation to collect, review, opine, and report on compliance with applicable standards, frameworks, and regulations. These GRC platforms now make it easier than ever to automate processes that historically required vast amounts of time and manual effort that only yielded a limited scope of assurance through sampled reviews compared to the full population assessments supported today.

That automation comes in a multitude of forms. Key examples include the following:

• • Automated GRC data collection: Modern GRC automations make it possible to programmatically pull data from source systems using APIs in real time or on a scheduled cadence. Instead of having to import data from spreadsheets, you can now integrate GRC software directly with source systems and collect evidence of compliance as soon as it appears at the source.
  • Automated control tests: Rather than having to examine evidence and compare it to controls manually, GRC software now allows you to configure control tests that automatically compare evidence to predefined expected control criteria. As a result, these automated control tests can discover control operating effectiveness deviations faster and with less effort.
  • Automated vendor risk management: In the past, analyzing third-party risks required sometimes setting up a meeting or sending an email, requesting compliance artifacts and evidence, and reviewing these manually. Today’s GRC automation can automate much of this process by identifying which types of evidence a business needs from its vendors and collecting it automatically. In some cases, with well-trained AI models, platforms are now able to summarize the results of these artifacts against known good practices and expectations for a GRC team member to review and double-click on any call-outs or deviations.
  • Automated policy enforcement: Historically, GRC workflows centered on performing internal assessment against policies and standards,  triggering a manual response to review evidence and correct any identified findings. Now, it’s possible to automate corrective actions in many cases. For instance, if your GRC software detects a user with excess access privileges, it may be able to integrate with access control software to revoke the unnecessary access rights automatically against pre-defined, approved role-based provisioning expectations.

• Using AI to assess compliance against new frameworks and framework revisions. AI can streamline the assessment of compliance against new or revised frameworks by automating gap analysis, mapping requirements to existing internal controls, and flagging areas of non-compliance. Using natural language processing, AI can interpret regulatory text and compare it against existing policies, controls, procedures, recent automated control test results, and system documentation, and draft a list of gaps and associated remediation plans or policy updates aligned to new or added requirements. This accelerates compliance workflows, reduces manual effort, and ensures faster adaptation to new and continuously evolving standards that puts added pressure on our GRC teams.

Examples like these highlight the ways in which the evolution of GRC tools has made GRC processes faster and more efficient. Just as importantly, it has freed up human GRC staff to focus energy on more creative and productive work, like redesigning and optimizing processes in ways that reduce risk, instead of spending the bulk of their time on tedious, repetitive processes like manual evidence collection. More than ever before, we’re able to also reduce the amount of anxiety associated with instances of non-compliance, close calls and surprise findings during internal or external assessments, and/or risks becoming reality.

Taking advantage of GRC automation

Just because GRC innovations like those described above are now available doesn’t mean all businesses are benefiting from them. Too often, I encounter companies that continue to approach GRC as a manual, slow-moving process.

The biggest barrier, perhaps, is that organizational change management and adopting new capabilities can be a challenge – and the larger the organization, the harder it is to embrace a “new” way of doing things. Indeed, this is likely why smaller, newer companies tend to be the ones at the forefront of taking advantage of modern GRC automation. Large enterprises with deeply entrenched “legacy” GRC processes or overly inundated with complex systems and processes are often much slower to adapt.

Cost concerns are another understandable challenge. Businesses may be hesitant to invest in new GRC tools, especially if the investment yields only a gradual return. The sunk costs already spent on internal team members and custom-built internal monitoring systems make new investments to replace these systems are also a hard pill to swallow.

I also encounter businesses that are hesitant to make GRC changes because they believe the processes they already have in place work well enough. Existing manual efforts seem to continue to pass audits, and the financial resources they devote to GRC staffing and evidence collection are reasonable, so they don’t see a reason to change things up. Of course, what they’re overlooking is that a more modern approach to GRC could help them unlock more value by reducing audit failure risks further and streamlining processes like evidence collection. They also need to progress beyond just “passing the audit” and resting on the laurels of their auditors’ standards into focusing on taking their GRC program to the next level of reducing risks, reducing manual burdens, and optimizing key processes.

To companies struggling to embrace GRC change, consider the following:

• Rethink GRC: Historically, businesses have tended to think of GRC as an obligation to meet – and as long as they met it, they were not inclined to make changes. The reality is that the GRC space is also an opportunity for building and maintaining the trust of customers, turning GRC into a business enabler and revenue unlocker, all while creating new efficiencies. Just because your current GRC processes are working (in the sense that you’re passing most of your audits) doesn’t mean they’re working as efficiently or effectively as they could with the benefit of automation solutions.
• Embrace risk to solve risks: There is risk associated with deploying any type of new technology, and GRC automation software is no exception. There’s a chance that an evidence collection capability won’t work as well as expected, for instance. However, it’s only by taking this risk and experimenting with novel GRC tools that businesses can work toward the greater goal of managing enterprise-wide risks more effectively.
• Automate where it matters most: Some GRC automations deliver more value than others, and most businesses lack the resources to automate all aspects of GRC overnight. To kick off a GRC modernization project, it’s important to invest in automations that yield the greatest benefit over a short time span. When you can demonstrate some quick wins for automation, it’s easier to get buy-in for additional GRC investments.
• Get your auditors onboard: It’s a stereotype that auditors don’t like routine, never-changing processes – and this breeds an assumption that they will frown upon new, automated approaches to evidence collection or analysis. But the reality is that GRC automations can benefit auditors in many ways, too. Businesses should reach out to auditors and ask how GRC automations might benefit both the organization and those responsible for auditing it.

The bottom line: GRC no longer has to be a slow, tedious, resource-intensive process cluttered with spreadsheets, screen shots, shared folders, and sampled control tests. Technology has made it possible to approach GRC from an entirely new angle. However, actually taking the leap to embrace modern GRC automations requires overcoming barriers to change and rethinking traditional approaches to GRC. Businesses no longer can afford to wait to jump into the future of GRC in order to benefit from today’s GRC platforms – the time is now to make the changes to the traditional GRC mindset and reap the benefits provided by capable GRC platforms available today.

By Matt Hillary