We commonly bifurcate technologies into two groups: the old (or “legacy”) and the new (or “modern” and “next gen”). Operating an on-premises bare-metal hardware infrastructure in a colocation provider, for example, may be considered legacy by most measures compared to the more modern approach to using cloud service providers. Monolithic application architectures are more legacy; a microservices architecture is more modern. Rules-based static detection systems are legacy; well-trained AI models are their modern alternative.
You can take the same approach when thinking about how organizations run their governance, risk and compliance (GRC) programs. To sustainably build a GRC program that scales, evolves with the ever-changing regulatory landscape, and adopts both new compliance programs and new versions of existing ones, you too need to step back and evaluate where your program sits on the legacy-versus-modern spectrum. Only when you understand, or have personally experienced, what legacy GRC looks like, with its drawbacks rooted in manual effort, can you move beyond the tedium and efficiency losses that come with it.
To that end, let’s take a look at what legacy and modern GRC look like and how you can take the steps today to embrace the latter approach.
Legacy vs. Modern GRC
Legacy GRC, in a nutshell, is the spreadsheet, screen-print, shared-folder, email-check-ins-with-control-owners approach to compliance and risk management. If you store data about your controls’ operating effectiveness and your risk treatment plans in spreadsheets or ticketing systems, you have a legacy approach to GRC.
Operating a legacy GRC program continues to be problematic for several reasons. The significant manual effort spent collecting and assessing control evidence is inefficient, generally assesses operating effectiveness only for a random or judgmentally selected sample of controls, and continues to yield surprises during customer or external audits. The approach is too slow and doesn’t enable real-time risk analysis, detection, and remediation. It leaves you fundamentally unprepared, because you show up to audits with only limited assurance of your current state of compliance or the likelihood of a favorable audit outcome.
In contrast, a modern GRC strategy is one hallmarked by automation: automated evidence collection, automated control testing to identify risks and, in some cases, automated remediation of those risks. With these capabilities, you know where you stand on control compliance every day between audits.
A modern approach isn’t just about saving time and resources. This approach also makes it fundamentally easier to identify and mitigate risks in real time. Instead of waiting for the next audit or control or risk owner check-in to find out where you’re falling short and what you need to do to fix it, you can leverage modern GRC to deliver those insights continuously.
This isn’t to say that modern GRC is 100 percent automated. You’ll still need to invest some manual effort in processes like configuring evidence collection workflows, writing control narratives (albeit with the help of a large language model (LLM)), and defining which controls to test evidence against in order to detect risks. You’ll also need to update your processes as compliance needs change.
Still, while GRC processes and workflows may remain fundamentally similar to what we’ve done in the past, modern GRC leaves the juggling of spreadsheets and the guesswork of audit preparation in the past.
Upleveling to modern GRC
The tools that enable GRC modernization are readily available and easier to deploy and use than ever before. The question facing many companies is how to best adopt them into their existing programs.
From a technical perspective, the process is pretty straightforward. Most modern GRC automation solutions work by integrating with SaaS tooling through APIs to collect evidence from source systems programmatically. The platform then runs automated tests on that data, comparing it against control expectations that are either provided out of the box or configured by users. Generally, little special setup or integration is required of organizations seeking to take advantage of GRC automation. Today, for organizations that have more complex system architectures or in-house-built systems, or that are worried about a direct integration into sensitive environments, custom connections are available. These allow GRC teams to prepare and send only the evidence and data needed into the GRC platform, run the tests there, and associate the resulting control test results with the relevant controls.
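To make the evidence-collection-then-automated-test flow concrete, here is a small added example (not code from the article or from any GRC product). It models the two pieces described above: a “custom connection” step that strips an evidence export down to just the fields a control test needs before it leaves the source environment, and a test runner that compares each record against a control expectation and attaches the result to a control ID. The identity-provider records, the control IDs (AC-1, AC-2) and the expectations are all constructed for illustration.

```python
"""Minimal model of GRC evidence preparation and automated control testing.

Everything here is illustrative: the evidence records, the control IDs and
the expectations are constructed for the example and do not come from any
real platform or framework.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


# Constructed evidence, shaped like a user export from an identity provider.
# The "department" field is deliberately present but not needed by any test.
IDP_USERS = [
    {"login": "alice", "mfa_enabled": True, "last_login_days": 3, "department": "eng"},
    {"login": "bob", "mfa_enabled": False, "last_login_days": 12, "department": "sales"},
    {"login": "svc-backup", "mfa_enabled": True, "last_login_days": 120, "department": "ops"},
]


@dataclass(frozen=True)
class ControlTest:
    """A control expectation expressed as a per-record predicate."""
    control_id: str
    description: str
    needed_fields: tuple          # evidence fields this test actually reads
    check: Callable[[dict], bool]  # True when the record satisfies the control


@dataclass(frozen=True)
class TestResult:
    control_id: str
    passed: bool
    failing_records: tuple  # identifiers of records that violated the control


# Hypothetical control catalogue; the IDs and wording are made up.
CONTROL_TESTS = [
    ControlTest(
        "AC-1", "All user accounts have MFA enabled",
        ("login", "mfa_enabled"),
        lambda u: u["mfa_enabled"] is True,
    ),
    ControlTest(
        "AC-2", "No account is dormant for more than 90 days",
        ("login", "last_login_days"),
        lambda u: u["last_login_days"] <= 90,
    ),
]


def prepare_evidence(records: Iterable[dict], tests: Iterable[ControlTest]) -> list:
    """Custom-connection step: keep only the fields some test needs.

    This is what lets a team send a reduced evidence set to the platform
    instead of granting it direct access to the source system.
    """
    keep = set()
    for t in tests:
        keep.update(t.needed_fields)
    return [{k: v for k, v in r.items() if k in keep} for r in records]


def run_control_tests(evidence: Iterable[dict], tests: Iterable[ControlTest]) -> list:
    """Evaluate every control expectation against every evidence record."""
    evidence = list(evidence)
    results = []
    for t in tests:
        failing = tuple(r["login"] for r in evidence if not t.check(r))
        results.append(TestResult(t.control_id, passed=not failing, failing_records=failing))
    return results


def compliance_summary(results: Iterable[TestResult]) -> dict:
    """Map control ID -> pass/fail, the view a GRC dashboard would show daily."""
    return {r.control_id: r.passed for r in results}


if __name__ == "__main__":
    reduced = prepare_evidence(IDP_USERS, CONTROL_TESTS)
    for res in run_control_tests(reduced, CONTROL_TESTS):
        status = "PASS" if res.passed else "FAIL"
        print(f"{res.control_id}: {status} {list(res.failing_records)}")
```

Run as a script it prints one line per control with the offending logins, which is the form an auditor-facing report would take; the same `compliance_summary` dict is what a platform would re-compute on each collection cycle rather than once per audit.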
The bigger challenge lies in changing the business’s GRC mindset. Too often, companies remain wedded to legacy GRC approaches because they think those approaches are working well enough and don’t see a reason to change. “We’ve been passing audits” is a common refrain used to dismiss the move to modern GRC.
This may work in the short term, especially if your business is lucky enough to have auditors who aren’t all that stringent. But over time, as compliance rules become more rigorous or you need to produce new types of evidence, legacy GRC will place you further and further behind in your effort to stay ahead of compliance risks.
Some organizations are also slow to embrace GRC modernization due to a sunk-cost fallacy. They’ve already invested in legacy GRC solutions or in-house-built solutions, so they’re reluctant to upgrade to modern GRC alternatives. Here again, though, this mindset places businesses at risk of falling behind and of continued investment in the systems, tools, and engineering or operations teams needed to keep those solutions going, especially as compliance challenges grow in scale and complexity and legacy solutions can’t keep up.
The time and resources required to deploy modern GRC solutions may also be a barrier. The initial setup effort for configuring the automations that drive modern GRC is certainly non-negligible. However, in the long run, the investment of these resources pays enormous dividends because it substantially reduces the time and personnel that a business needs to devote to processes like evidence collection.
Changing your GRC mindset and approach
In my view, the best way that organizations can overcome hesitation toward GRC modernization is to rethink the relationship between GRC and the rest of the business.
Historically, companies treated GRC as an obligation to meet, and if legacy solutions were effective enough in meeting GRC requirements, organizations struggled to make a case for modernization.
A better way to think about GRC is as a means of maximizing value for your company by tying those efforts to unlocking revenue and increased customer trust, rather than simply to reducing risks, passing audits, and staying compliant. GRC modernization can open the door to a host of other benefits, such as increased velocity of operations (because manual risk management no longer slows down decision-making) and a better experience for both GRC team members and internal control and risk owners (because they can devote much less time to tedious processes like evidence collection).
For instance, for businesses that need to demonstrate compliance to customers as part of third-party or vendor risk management initiatives, the ability to collect evidence and share it with clients faster isn’t just a step toward risk mitigation. These efforts also help close more deals and speed up deal cycle time and velocity.
When you view GRC as an enabler of business value rather than a mere obligation, the value of GRC modernization comes into much clearer focus. This is the vision businesses should embrace as they move away from legacy GRC strategies that not only waste time and resources but fundamentally reduce their ability to stay competitive.
The post Modernizing your approach to governance, risk and compliance appeared first on SD Times.