This is an insight into the interesting podcast episode with Christian Buechler, GRC Expert at GBTEC Austria (formerly avedos). He reports on the challenges of introducing a GRC software and reveals critical success factors that ensure implementation success.
Many companies invest a great deal of time and work to manually document and test their risks and controls. Provided that the processes are simple and lean, that is still a possibility. The complexity of larger companies, however, is too great for Excel and Access to handle. This factor is often the catalyst for companies to implement GRC software. Another driving factor is discrepancies in executive risk reporting. In other words, the various risk functions throughout the company communicate different versions of the truth on one and the same topic. Yet the whole point of reporting these risks is to provide the managing directors with information relevant for decision-making!
Implementing GRC software poses many challenges:
- Different organizational constellations are one of the greatest problems within companies – and the aspects of governance, risk and compliance are no exception. Oftentimes, risk management, the internal control system and compliance are managed by different people in separate, independently coordinated functions.
- Companies need to break free from historical processes that run in separate silos. Overcoming resistance – often voiced through arguments such as “We’ve always done it that way!” or “It’s always worked like that” – is rarely easy to say the least.
- It is essential to keep sight of the big picture at all times. This is also a strong argument for an integrated solution that covers risk management, compliance management, the internal control system and other GRC functions.
- Companies, regardless of their size, must be able to provide the necessary resources. Following the initial GRC software deployment, the support of a professional implementation partner as well as the availability and knowledge of the internal staff are both critical factors for success. The objective is to create a solution for the company’s unique approach to GRC. This requires specialists with internal knowledge of the company and sufficient availability. Aside from the software implementation, these employees will also need to complete their day-to-day activities, which often have higher priority.
Companies need to address these challenges adequately to ensure a successful GRC software implementation. The actual users and later recipients of the reports should be involved at an early stage. Knowing their requirements is an absolute must in order to improve day-to-day business activities through more efficient ways of documenting and communicating information. The fastest possible flow of information to the report recipients is imperative. Another critical driver is to integrate individuals in the early stages of the implementation project and not simply present a finalized “solution”. The active participation and knowledge from in-house experts both play key roles. Existing processes, of course, will undergo scrutiny throughout these projects. The clear objective, of course, is to optimize them.
Training is another important factor of success. Employees, that work with the tool, must receive adequate training in advance since GRC software is not used daily. If only used once or twice a month, the software must be intuitive and easy to understand. Making changes to the IT infrastructure can be a long process – especially within larger corporations. Getting the group IT department involved from the start, therefore, is essential. This also ensures that an adequate infrastructure is available – long after the successful implementation.
The first episode of GBTEC GRC Podcasts was broadcasted in February 2019. This series focuses on all aspects of integrated GRC, enterprise risk management, internal control systems and information security management. Today, 9 episodes are now available and can be streamed on leading platforms such as Soundcloud, Spotify and Apple Podcast.