What are the big pitfalls to watch out for? What are the main ways in which implementing a GRC system could go wrong, and how should they be trying to avoid these?
Brandts: I would say, do not customise. Do not customise is rule number one. Another common pitfall is that if a customer has a 15-step process for our risk management or compliance process, for example, he tends to think he needs to automate all 15 steps. You need to pick the three or four that hurt the most. There will be a lot of manual processes that you could theoretically automate, but it’s probably going to hurt more than it’s going to help – focus on the things you definitely want to automate rather than on the entire process.
White: For me, the key is don’t lose sight of your stakeholders. Sometimes you become so engrossed in the programme that you lose sight of the fact that people have got to implement this on a day-to-day basis as well. You also have to remember that this is a tool. It is not the solution to all of your risk management and compliance needs. And it is also important to keep communicating to your stakeholders where you are. One of the worst things that can happen is you deliver a lower-quality product in twice the time that you said, and you have to keep aware of how the environment is changing. Sometimes projects become so insular that, by the time they have delivered, the business has moved on.
Could you comment on how the legal department should be involved in the implementation and roll-out of a GRC application?
White: Legal risk should be involved as much as any compliance department, especially when you consider there is so much overlap between legal and compliance. Sometimes either they don’t want to be involved or they are forgotten about, but they can bring a lot of structural thinking to a programme, so I would definitely include them.
Brandts: It is important to remember that the legal department has a different way of working. A control department has its rules and has a very process-driven way of working. The same reports need to be produced every month, every quarter, or every year. But if you look at the regulatory world, it is much more case-based, with specific new regulations and cases coming in. So you need to accommodate that.
Zirano: In our industry, we say align IT with business, but here it is important to align legal with business. Usually they are very distant from one another – people who are on the business side do not want to hear about the legal barriers or the constraints – but they could learn a lot from them, particularly when regulations are increasingly complex. The legal department knows what the risk of non-compliance means in financial terms.
White: Legal enable the business to make conscious risk decisions and that is what they bring to the table. One of the advantages of a GRC programme is you start to build a common risk language, and you also start to understand what is really going to hurt the organisation – whether it’s under audit, compliance, legal or risk management. It is part of the journey, which I know doesn’t help people when implementing things, and I hated it when it was said to me.