Blog | June 9, 2020

GRC Management: Why Custom Systems Don’t Cut It


Businesses typically seek out custom GRC management solutions to streamline and automate complex audit, risk, compliance, and policy operations. Custom solutions aim to increase functionality and efficiency by mirroring specific use-cases and processes, but they are often costly and require heavy support for implementation and ongoing maintenance.

GRC management technology should simplify and automate the execution of governance, risk, and compliance activities, rather than create further complications such as too much data, with too little context to sort through. In this blog, we outline key considerations that businesses should account for when implementing a custom GRC management solution.

1. Partner Dependencies: Businesses typically rely directly on their software vendor, partner, or consulting firm to support custom GRC management systems. In doing so, the end-user may lack direct hands-on access to maintain, update, or calibrate system capabilities. While this model supports a valuable partner relationship, strategic insights and consulting can often fall by the wayside in favor of ongoing system tooling. Vendor or partner dependencies also create a knowledge barrier between GRC management and system execution. Combined, this can negatively impact a business in the event of urgent system maintenance.

2. Upgrades & System Downtime: As with any technology solution, GRC management tools require ongoing updates to stay current with evolving business goals and changing market landscapes. Businesses leveraging a custom solution often run into issues when executing a system update. Minor customizations throughout the system can easily be overlooked during an upgrade install, breaking the function of the code or overwriting it altogether. If this happens, the investment in customizing the GRC management solution often results in “technical debt”. Here we refer to technical debt as the amount of resources put into customizing the application as well as the resources required to track down, adjust, and update individual lines of code. At times this process can consume more resources than a new system install. This means businesses must recover from the technical debt incurred while trying to solve the issue and minimize system downtime.

3. Change Management: As an organization matures, its team members and strategy will inevitably change. First, assume your business’s GRC champion and system expert leaves for another job opportunity. For a new hire or replacement, customizations create an additional layer of complexity when onboarding or acclimating to a new role, beyond the usual adjustments of culture and technical ability. Corporate policies, standard operating procedures (SOPs), as well as management and colleagues, can assist in familiarizing new team members with business processes and goals during onboarding. Team members will most likely have an established knowledge base and experience to meet the technical capabilities of their role and will already be familiar with the system or tools that the business utilizes. That said, rarely is there a well-documented implementation guide and explanation for a fully customized GRC management solution. Aligning the system strategy, new team perspective, and technical execution is the added layer of complexity and a significant learning curve, which tends to result in system abandonment or re-implementation.

Secondly, keeping up with a business’s internal GRC strategy typically requires re-tooling. Even without receiving new system updates, this process is time-consuming, costly, and forces organizations to get into the weeds of processes to make small organizational changes. This general maintenance to meet your business needs, without the addition of feature or functionality enhancements, can present the same challenges as upgrading your GRC management solution to a new version.

So what does this mean?

The project and scope of a custom GRC management implementation can rarely keep up with the need to realize a return on investment (ROI). Each of these factors (partner dependencies, system upgrades, system downtime, change management, etc.) requires significant time and resources. Ultimately, there is a point of diminishing returns in maintaining a custom GRC management application in today’s rapidly evolving market. It’s important to consider how these factors may impact system time to value, value over time, and most importantly, the ability to execute and support GRC management strategy long term.

Looking to implement an agile GRC management solution?

OneTrust built our GRC platform to account for these key considerations. With OneTrust GRC, businesses get the advantage of an agile integrated risk management platform that can be tailored within the user interface (UI) settings to adapt to and meet a business’s distinct needs. Additionally, the platform can connect to a business’s broader enterprise applications with simplified integrations for ongoing data exchanges. Request a demo today to learn more about our GRC management software and capabilities.