The core functionality of GRC has evolved in response to the need for a standardized and centralized data and process management structure supporting compliance and risk management functions in light of increasing complexity in both activities. As GRC further evolves into an enterprise platform, these capabilities cease to be solution differentiators, although they are no less needed. Rather, the increasing number and diversity of stakeholders that provide, access, and apply risk and compliance data within an organization have created new functional demands on GRC that impact the value that it contributes to the organization.
Compliance and risk management are arguably unique among enterprise functions in that they are primarily concerned with overseeing and acting upon all other aspects of the business. Stakeholders within these functions are thus responsible for understanding the exposures that cross this organization, and ensuring that stakeholders take appropriate actions in mitigation and control. Traditionally, GRC implementations have focused on supporting these roles. However, the owners of each of the individual risks or requirements are essential players in the organization’s overall risk and compliance strategies. Similarly, increasing director sensitivity to risk and compliance management efforts has created demand for deeper insight into these activities connected to business context and consequence.
“When I talk about the real benefit, it’s never in terms of the costs in people versus the tool. It’s always about the output: ‘what are we going to get out of the tool?’ The best thing for a risk organization is to have a comprehensive data, in near real-time. If you understand your risk profile, you make better decisions.” – VP of Operational Risk Community Bank
As an enterprise audience for GRC, each of these individuals need to understand how their priorities and activities relate to an overall risk profile, the processes that they are responsible for, and how other operations affect their position.
Figure 2: Distribution of GRC Reporting and Process Management Stakeholders
The requirements that this creates for GRC have less to do with operational efficiency or data management than the tailoring of risk information to particular stakeholders, and the automation of data interpretation to give it meaning within the various operations and viewpoints of the organization. In other words, if we consider core GRC functionality as providing an essential framework of information management, then emerging differentiators fall to functionality that help present that framework to individual stakeholders within the organization.
The following sections identify four major sources of this differentiation that have emerged in the maturation of enterprise GRC:
- Support for use case context rather than general data management
- The evolution of business intelligence analytics in the place of basic reporting
- Visualization in the presentation of compliance and risk information
- Configurability in workflow management as an alternative to customization
Personalization of Use Cases for Data Management and Delivery
Risk management and compliance management represent Big Data problems with multiple overlapping information types, sources, and applications. In addition to the complexity of the information itself, the array of stakeholders inside and outside of compliance and risk departments who provide and apply this information, as well as manage and execute the related processes, can be vast as well.
USE CASE PERSONALIZATION Enterprise GRC is a large data store with a diverse set of users. The degree to which each user’s interface can be personalized offers a significant impact on efficiency and ease of use
By and large, GRC providers have focused on supporting this environment by providing a centralized process and data management platform for risk and compliance. While this “single source of truth” is crucial to help an organization obtain consistent and meaningful insight into its performance across the enterprise, few individuals within the organization require access to the entire array of information managed.
Rather, each stakeholder typically only needs to interact with the information pertaining to his or her functional area, owned risks, or next steps for completion. This is particularly true for line-of-business stakeholders and risk owners that lack familiarity with risk management processes and data needs. However, the same can be true within compliance and risk departments, where specialization (particularly among the various categories of enterprise risk, such as IT, operational, or financial risk) also constrains the information required. In all of these situations, excess data serves only as noise, preventing the individual stakeholder from efficiently and effectively tending to the aspect of enterprise performance within his or her control.
Despite this, most GRC solutions, in providing a “single source of the truth,” also provide only a single, data-orientated view of compliance and risk management. Even where providers supply persona-based access to GRC, it often serves to constrain the scope of data and tools that the user may access, rather than alter the fundamental presentation of the data. By contrast, a use case-oriented application provides the ability to tailor the user interface of the GRC solution to particular roles or individuals within the organization.
The goal in a use case-tailored view of GRC is to adapt the presentation of enterprise data to the individual user’s needs. This ensures that each user has access to only the information that he or she needs, in the context of his or her workflows. This ultimately serves to improve the efficiency and effectiveness of individual stakeholders, as they can only obtain information that pertains to them, often in the context of the individual’s workflows. Perhaps counterintuitively, this can result in a broader appreciation of outside risks and business operations that relate to the stakeholder’s responsibilities, once the noise imposed by irrelevant data is removed.
Figure 3: Comparison of Data Centric and Use Case Views
“We needed to put senior management, risk management experts, and audit management in one environment. We needed risk owners to be able to update data in a quick and timely fashion so that we can provide leadership with the information that it needs. We did not want the tool to be the roadblock, so it had to present as a very simple user platform for anyone that needed it.” – Chief Risk Officer North American Utilities Provider
Table 2 summarizes the potential benefits that the adaption of data management to specific use cases and stakeholder contexts over a “data-centric” view, as well as factors to consider as organizations evaluate how GRC solutions provide for this need.