Can GRC Keep up?

Digital transformation was already well underway and with COVID-19, it’s now accelerating. What was a slow jog has turned into a full sprint with companies quickly adapting processes to meet the needs of the digital economy.  Right now, 82% of CEOs believe digital transformation is strategically important to their organization (PWC, 2020) and are willing to invest to make it happen.  In fact, IDC predicts that worldwide digital transformation investment spending will approach $7.4 trillion between 2020 and 2023.

Yet, as companies quickly try to match aggressive competitors and agile upstarts, the vast majority are not investing in upgrading their risk and compliance systems commensurate with their digital transformation. And this is “risky” business…

Many companies are unsurprisingly continuing to rely on spreadsheets or traditional GRC solutions to store risk and compliance data.  You wouldn’t try to do bookkeeping in a journal anymore, so why would you try to manage risk and compliance on a spreadsheet in the digital era?  Companies cannot keep thinking of GRC as a storage system to capture all the risk and compliance data without any context. Nor can they continue to think of risk and compliance as a project that can be completed, it’s a continuous journey that requires constant monitoring and optimization.

GRC, like everything else in the digital era, must adapt. In its traditional form, it is not keeping pace with the market, providing only an outline or a snippet of the big picture, but not the rich detail or comprehensive context needed to make strategic decisions. The mindset that we already have risk and compliance covered because something already exists leads companies to continue on with outdated legacy systems or DIY tools that are not ready to address the complexities of today’s complex environment. As a result, executives are working with inadequate information when making critical business decisions.

GRC has been a hot topic of debate among analyst and research firms for the last several years as digital transformation has been slowly advancing. But there is one thing they all agree on, not doing risk management correctly has serious consequences and its bigger than traditional GRC.

GRC vs IRM

Ineffective risk and compliance management can have dire consequences - from reputation to profits, it’s all at risk if it’s not properly protected. And while not glamourous or fun, and often times a chore, like most chores it is vital. GRC when well done can empower businesses and executives to make better decisions, optimize investments and work collaboratively to build agile, resilient and successful businesses.

So, what are the common challenges of traditional GRC systems you need to be thinking about?

  • GRC-oriented risk programs focus heavily on compliance but compliance to any standard does not remove risk and not all controls can be implemented at once. By knowing which risks are most likely to occur and have the biggest impact, organizations can prioritize their efforts accordingly.
  • GRC assumes that there is no correlation or overlap between governance, risk and compliance. There are many overlaps and by having all the information correlated and available in a centralized location. In doing so, organizations can become more efficient and increase the accuracy of their data.
  • Cyber and digital risk management is seen as an “IT issue” rather than a business problem. Often, GRC reporting is too technical and not aligned with business objectives. New technologies have made it possible to quantify these cyber risks in terms which the business can comprehend.
  • GRC is heavily documented and infrequently reviewed. Risks are always changing as we have seen with the recent pandemic. No one could have predicted the Covid-19, let alone the impact on businesses and economies. As such, risk and compliance status should be regularly reviewed to ensure that the business is prepared for what may be around the corner.


Wihle much of the above may be blindingly obvious to an IT professional, the Board and corporate executives are still struggling to connect the dots. In fact, only 27% of organization felt ‘very comfortable’ that the Board is getting adequate reporting on cyber and privacy risk management metrics’ (PWC, Digital Trust survey 2018). It is time to start speaking financially, in context and with relevant facts.

Join us on August 5th, 4pm BST/11am EST to continue the discussion with Simon Marvell, Acuity Founder and CEO and Andy Boden, Senior Technical Consultant. They will be comparing traditional vs emerging GRC solutions and explaining how you can build your risk management program to increase transparency, drive decision-making and improve communication with the Board.

Onsite or web training needed?

Please contact us to discuss your requirements.