Exploring Six Critical Challenges to GRC Implementation

Governance, risk, and compliance (GRC) refers to an integrated set of capabilities that enables an organization to achieve principled performance. The acronym was introduced in 2002 by the Open Compliance and Ethics Group (OCEG). In 2007, the International Journal of Disclosure and Governance peer-reviewed the term. In today’s digital age, the definition of GRC has broadened and includes software features that enable enterprises to implement a comprehensive GRC approach.  

Our previous blog, GRC 101, provided a beginner’s playbook on the concept. This blog will uncover six common impediments to defining, implementing, and aligning a GRC framework to an enterprise’s business, operational, and tech endeavors.    

1. GRC Concept and Context Complexity:  

An age-old challenge for organizations and their risk and compliance leaders is grasping the changing regulatory and compliance requirements for defining a watertight GRC strategy. This also includes aligning the risk and compliance activities of departments in the governance, human resources, IT, audit, security, finance, and legal teams.  

The enormity of the GRC concept and lack of contextual awareness can divide teams and stakeholders with varied expectations and the establishment of counter-productive GRC objectives.  

For example, business leaders’ moral convictions regarding hiring and management practices may not necessarily align with their product components and raw material supply chain governance. Similarly, the operational and support team’s risk awareness and actions may not fully encapsulate the organization’s cybersecurity risk posture.   

Moreover, GRC solutions and strategies are not just plug-and-play tools. They need analysis groundwork on the organization’s security and controls design methodology, stakeholder expectations, IT and technology maturity, auditability of business operations, values, opportunities, and culture. Once a business decides on a common approach to GRC, it requires bringing the right people with the right information at the right time and using the right actions and controls to act with integrity.   

IBM OpenPages with Watson helps overcome this hurdle by empowering organizations with a fully unified, smarter GRC environment.  

2. Risk, Regulatory, and Industry Volatility 

According to the World Economic Forum’s Global Risk Report, based on the recent political, economic, and climate trajectories, 41.8% of its respondents believe that the world will be under consistent volatility over the next three years. The geopolitical events, recent leaps in digitization and AI democratization, and growing cybersecurity vulnerabilities amplify risks, necessitating regulatory vigilance and countermeasures with active governance and compliance.  

Adapting to emerging regulations and law updates takes time to absorb and implement changes with confidence to demonstrate trust and transparency with customers, workforce, third parties, regulators, and shareholders. 

Additionally, the interconnectedness and complexity of modern-day risks complicate understanding and building governance guidelines, technology integration, and concluding all external and internal factors into GRC objectives. 

3. Leaders’ Attitudes towards GRC: 

Leadership teams play a driving role in steering the organization in the right direction with successful GRC tool and framework implementation. This also includes setting the right priorities, hiring the right GRC experts, understanding regulatory prerequisites, selecting GRC tools, establishing change management practices, and defining the GRC process roadmap.  

The board’s familiarity with the enterprise’s operational health, risk resilience, internal structures, and understanding of governance compliance and the governance ecosystem is pivotal to establishing ethos and commitment to GRC initiatives.    

According to the 2023 Thomson Reuters Risk & Compliance Survey Report, the lack of knowledgeable personnel, insufficient resources, and poor company culture are the top three detractors to a team’s confidence in addressing compliance risks.  Research findings from the Cost of Compliance report also state that compliance leaders have an increasing role in implementing compliant culture (58%), setting risk appetite (51%), and measuring the effectiveness of corporate governance approaches (48%).  

If the organization’s culture and leadership view GRC as a secondary goal, there are high chances of process inconsistencies, data inaccuracies, wrong GRC platform selection, prolonged implementation cycles, over-expenditure, and workflow redundancies.  

4. Siloed Org Structure: 

No team or department can study and understand risk and compliance vulnerabilities in isolation. Today’s interconnected organizational structures and environments leave little room for siloed operations or data. When data insights and best practices are buried too deep across teams and cut off from the rest of the ecosystem, it hampers organizational visibility into practices, potential risks, compliance breaches, and effort duplication. It prevents having a centralized approach to GRC where people, processes, and technologies are integrated to respond to the dynamic GRC needs  

Explore how IBM OpenPages with Watson helps consolidate disparate GRC systems and solutions and helps centralize risk management functions in a siloed environment.  

5. Poor Implementation Practices: 

Defining the scope and proper implementation methodology impacts the success of GRC platform adoption and optimization. It takes time and assessment to decide if a phased or a big-bang implementation methodology would suit the organization. Moreover, implementation planning is not about throwing darts in the dark. Teams must conduct thorough capacity planning, set critical implementation best practices, and understand configuration, integration, customization needs, and regulatory obligations.    

Ill-defined implementation scope, journeys, roles, and responsibilities will complicate mapping regulatory and compliance requirements and increase cost and complexities.  

6. IT & Tech Complexities: 

Organizations’ technological architecture can be too advanced with too many rules or just the opposite with antiquated manual processes and systems. In either case, a business will have to spend significant time understanding areas that need an upgrade with AI-led automation to replace manual efforts or much-advanced monitoring and access control to match its tech sophistication.    

For enterprises where most of the operations are cloud-based, GRC goals must consider the cloud vendor’s data and security compliance capability and the organization’s risk management and security controls for safeguarding data on the cloud.  

Aging technology platforms can barely keep pace with the growing demand for new technology architecture and software that require a streamlined and strategic approach. Specialized GRC tools or third-party risk management platforms allow seamless integration with existing technology, processes, policies, and rules for data governance and compliance. Additionally, local data protection rules and policies come into play when carving out and implementing a cloud-friendly GRC strategy.   

With AI and GenAI usage becoming more prominent, GRC strategies and solutions must accommodate use cases and track models associated or registered with a model use case to manage biases, discrimination, and fairness.  

ITech GRC & IBM Partnership: The Gumption to Transform GRC Implementation 

As an IBM RegTech partner to leading enterprises, we deliver expertise in OpenPages solution implementation and provide a strong foundation for building an effective GRC roadmap. By leveraging OpenPages with Watson’s AI capabilities, businesses can forego implementation hurdles with the insights of our experienced and certified GRC teams.  

Connect with us to learn how the iTech and IBM partnership can nurture your GRC journeys.