Article

How GRC technology can improve audit, compliance and risk management

September 20, 2021

Regulations, technology and global operations are all growing increasingly complex. This is making internal audit, compliance and enterprise risk management even more difficult to manage with traditional governance, risk management and compliance (GRC) tools. Additional pressure is coming from the increased number of employees working remotely and rising expectations for technology-driven efficiencies, which are rendering old tools obsolete.

GRC technology solutions (also referred to as eGRC) can streamline processes and collaboration across three lines of defense: operational management, risk management and compliance, and internal audit.

Modern GRC technology automates administrative tasks, which reduces errors, improves efficiency and drives consistency and control in mature cloud environments. RSM has observed that using eGRC solutions can result in an average reduction of 30% to 35% in process control owner effort across testing and issue management. In addition, organizations can save two to four hours per control owner in SOX and audit administration time per week.

30% - 35%: Average reduction in process control owner effort in testing and issue management after implementing GRC technology.

Let’s take a closer look at five ways you can take advantage of GRC technology capabilities.

1. Build workflows to automate day-to-day tasks

Doing so results in higher efficiency, fewer human errors and improved visibility. For example, let’s say your internal audit team builds a workflow to automate the collection of data from various stakeholders that shows they’ve complied with controls. The system stores the collected data in a centralized location where all relevant stakeholders can access it. This eliminates the need for an auditor to manually maintain file folders on different stakeholders, manage incoming document flow and create reports. Other ways to optimize automation are with recurring testing and standardizing and sharing control content with external parties like auditors.

2. Eliminate redundancy among risk management and compliance activities

This leads to greater efficiency and better resource utilization, allowing risk professionals to spend more time on higher-priority needs. When your organization has consolidated controls into one centralized catalog, the result is streamlined compliance assessments with fewer controls and testing processes.

For example, GRC solutions typically offer a unified control framework that allows pre-requisite mapping of each control and requirement to such regulations and frameworks such as Sarbanes-Oxley, HIPAA, HITRUST, NIST, ISO 27001, CCPA, GDPR and others. Performing the compliance mapping of these controls within an eGRC tool allows a single compliance test for all applicable regulations, instead of having to conduct one test for each.

3. Standardize processes

Because the solution has just one repository for all risk-related data, your organization can easily access this data for risk analytics as well as to ensure consistent and standardized risk documentation and process management. Dashboards and reports can display real-time analytics and trending data. Many eGRC tools can integrate with client source systems to enrich intelligence and inform decision-making.

With GRC technology, all risk-related work takes place on a single platform with centralized documentation for controls. This eliminates the complexity and misalignments caused by multiple people storing and managing separate versions of documents.

Very often, these groups will utilize different risk taxonomies, such as the tiers used to classify risk. For instance, some functions may use a three-tier classification system (low, medium, high), while another may adopt five risk tiers. A centralized eGRC platform can help standardize these variants and enforce consistency across your organization. When cyberrisk and operational risk management are speaking the same language by using the same risk taxonomy, leaders can more easily compare enterprise risks.

4. Enhance reporting to help drive organizational strategy and agility

Prior to the advent of eGRC tools, an organization’s compliance and risk information could be fragmented across functional silos, multiple spreadsheets or even in numerous email messages, effectively preventing a clear overview. Top-tier eGRC solutions provide 360-degree visibility into audit risk and compliance efforts. They’re augmented by business intelligence tools to facilitate reporting to key stakeholders, including the audit committee and other C-suite staff.

Furthermore, the system can structure user access, roles and data to deliver exactly the level and type of information that each stakeholder needs. This cohesive view allows users to make sense of data previously locked in silos or buried in multiple different forms. Dashboards can provide a high-level overview of the organization’s risk posture across your entire compliance portfolio. Such a view can lead to opportunities for prioritized remediation and increased trackability before external auditors arrive.

5. Track exceptions and remediation to improve accountability

In addition to offering a top-down view, GRC technology can provide clarity between assessments to keep your organization on its toes. Imagine, for example, that your organization has a new risk due to an audit issue. Without proper visibility, it would be difficult to track how it’s being addressed. A modern eGRC solution can provide a drill-down view that identifies the risk, how it maps to the particular issue, what the issue entails and the steps being taken to remediate it, including deadlines around remediation follow up.

Taking the next step with GRC technology

eGRC solutions bring powerful capabilities to risk management, including automation and the ability to centralize and standardize risk-related processes and data. These technologies are becoming essential to organizations that are challenged with the complexity of operations, compliance requirements, systems and technology.

With our extensive experience in governance, risk management and compliance, RSM can help your organization choose and deploy the best eGRC platform for its needs.

RSM contributors

  • Nathaniel Ruey
    Partner