New Ways of Thinking about GRC Strategy, Part 2
October 7, 2021
By Darron Dunn, VP of Client Development and Operations
In conversations with our clients, we are finding that today’s governance, risk and compliance (GRC) pros are incredibly adept at making small changes for big impact. What follows is a behind-the-scenes look at some of those talks, including how we advise GRC leaders to continue marching down the path to process innovation.
Getting in the Cloud to Keep on Firm Ground
Today’s examiners want to see evidence that an organization is actively monitoring its policies and procedures. This is likely due to the fast-moving nature of our current landscape. Simply put, contemporary regulators have little-to-no tolerance for set-it-and-forget-it policies.
This is for good reason. Policies and procedures are the foundation of sound GRC. That foundation can weaken over time if it is not regularly inspected and reinforced for a changing environment.
Examiners are (as of today, anyway) human beings. They understand there will be hits and misses. The biggest thing is to be able to demonstrate a good faith effort to stay on track with internal reviews on at least an annual basis. Examiners want to be able to trace a policy and its associated procedures through its yearly check-up. They are interested to see, as well, which individuals signed off on which pieces.
Attempting this kind of intense record-keeping via manual methods, such as email and spreadsheets, quickly becomes overwhelming, particularly for growing, diversifying and innovating organizations.
Much of our advice to GRC pros struggling to keep up with active policy management – and the reporting of that management – has centered on automation software. New, surprisingly accessible, cloud-based solutions, including that delivered by ViClarity, create affordable, workable ways to eliminate the hassle of tracking down responsible parties and keeping reviews moving on schedule.
What’s more, examiners love the audit trail produced by automation software. It all comes back to demonstrating your group’s good faith effort to update policies regularly and to validate the activity.
Virtual Sit-Downs Enables Stand-Up Governance
COVID-19 has presented something of an additional twist to policy management, however. Some organizations were forced to make on-the-fly decisions to support stakeholders through different circumstances, from remote work to loan modifications. Examiners, especially in the financial industry, are showing great interest in this area, asking for evidence that expedited practices have been documented, and if they are sticking around for the long-term, incorporated fully into written policies and procedures.
Here again, automation software can be a great help to tracking down, monitoring and incorporating policy changes brought on by the pandemic. Another process tweak to consider, however, is regular touch-bases with leaders of different business units to investigate any adjustments they have made in response to the global crisis.
While some of these leaders may be compliance-oriented, given the natures of their functions, others may not be thinking with a GRC mindset. “Sitting down” with these individuals quarterly (or more frequently during chaotic times) is arguably easier now than ever given the rise of virtual conferencing and comfort with connecting remotely.
Strategically Thinning the Vendor Herd
The explosive growth of third-party partnerships is a consistent challenge cited by nearly every one of our clients in recent years. Regardless of the industry, stakeholder expectations are changing alongside digital transformation and other market responses. Meeting those expectations in a timely fashion often requires organizations to partner with firms that have expertise or core competencies in vastly different areas.
A best practice we’ve shared with clients struggling to keep an overwhelming number of vendor contracts current is to look for strategic opportunities to thin the herd. A decades-old partnership may have made sense when it was first cemented, but has less value now in a vastly different world. Encourage department heads to join you in reevaluating vendor partnerships regularly so that buy-in for making necessary (but perhaps painful) relationship changes is made simpler.
This is just one way GRC teams can prove their strategic worth beyond compliance and begin to carve out a much more meaningful purpose. Keep checking back for more process tweaks to enhance your team’s value within the organization.
In case you missed the first blog in the series, read it by clicking here.
Services performed by ViClarity are compliance and not legal in nature, and do not form an attorney-client relationship or any of the protections attendant to the attorney-client relationship.