The last year WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future.
New-generation GRC tools recognise that business process flows are dynamic and fluid, and hence enable us to build dynamic rule sets with adaptive capabilities.
GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before.
2020 will be remembered as the year of an almost worldwide lockdown caused by a virus. What could be next? The 2019 WEF Report on significant global threats lists cyberattacks and data fraud as high-impact threats in the near future. This underscores the fact that Governance, Risk and Compliance (GRC) is becoming increasingly critical within organisations, and the stakes are higher than ever should businesses fail to get it right. We’re living through an era hallmarked by a rapid increase in the rate of change in the marketplace. Organisations are being forced to adapt to the new realities. Successful organisations are becoming more agile in their ways of working.
New-generation GRC practitioners are seeing the opportunity for GRC to play a greater role in proactive value creation, more than ever before, and are embracing new agile technologies and methodologies in doing so. GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools. Agile thinking encompasses the idea of “clock speed”. This is the pace at which an organisation, as an entire system, is able to move, react, adapt and so forth. It is estimated that today’s average large organisation requires a clock speed 3-5 times faster than the equivalent organisation a decade ago.
Learn more: NEW CYBER THREAT INDEX SHOWS INDUSTRIES ARE UNDER ATTACK IN UNCERTAIN TIMES
“GRC principles fit well with what is called the ‘agile’ approach and are more relevant and important today than ever before. Getting GRC right in an agile environment depends on having the correct mindset, approach and tools”.
~ SAP organisations
Whilst agile thinking has brought great benefits in increasing clock speed, it has also brought with it a significant misconception about GRC. In the pursuit of agile delivery, GRC can easily be seen as part of the ‘old paradigm’ and hence ignored or undervalued. Alternatively, even if the GRC function is appreciated by business, GRC practitioners often fail to adapt their approach to the new clock speed realities. Many new-generation GRC practitioners find themselves operating in a traditional organisation. They face a decision to either be an advocate for change or simply go through the motions and deliver the kind of GRC the organisation requires.
" In our increasingly fast-paced world, there is a strong correlation between successful GRC and levels of business-user engagement in SAP organisations".
Could someone in GRC influence organisation-wide change? We believe they can. With a ‘courageously pragmatic’ approach one could advocate for company-wide change, possibly finding kindred spirits within the company, whilst at the same time pragmatically delivering GRC requirements within the prevailing framework. So, what is the correct approach then for agile GRC? Given that organisations differ vastly by industry, regulatory environment and GRC maturity, amongst others, there is no ‘one-size-fits-all’ answer. Here are a few agile GRC descriptors. Agile GRC realises the need for engaged business users, and hence puts business users at the centre of the process. GRC language is converted into a language that business users can understand.
This is further achieved through more intuitive tools such as introducing business process visualisations that help contextualise and understand risks. A lack of engaged business users has always been the Achilles heel of GRC. Research shows it is the leading cause of GRC implementation projects floundering. Engaged business users are more vital than ever given the fluidity of organisational environments today. GRC must become a team sport. If business users are unengaged, it falls to the GRC team to ensure that access risk remains healthy. This is usually done in an episodic fashion, frequently timed to coincide with an audit. In addition, traditional GRC tools are built upon static rule sets, which should be reviewed ‘from time to time’ to adapt to any changes in business process flows.
WHAT YOU NEED TO KNOW ABOUT THE CYBERSECURITY SOLARIUM COMMISSION REPORT