A Risk Manager shared some challenges with us which amongst other things included “Admin Frustration.” This is the frustration of having to nudge or chase people for that information you requested, or that risk assessment or mitigation they haven’t completed yet. Is risk being managed if due dates are being postponed? No, it’s just avoiding dealing with the issue.
As we drilled further into the conversation, the Risk Manager highlighted that the existing system was sluggish and difficult for people to use, hence why dates were being postponed. So, the Risk Manager very kindly extracts the information to a spreadsheet, cleans it, and then meets with the risk owners 1-to-1 to update their risk assessments, mitigations, etc. Of course, he/she/they then have to go back to and update the system. This is effectively a duplicate process, and frankly, you might as well stick to the Excel and emails. These issues are typical across many organisations.
As we unpacked this, we concluded, that ultimately the risk culture must change. I see a lot of this in organisations, where risk is the Risk Manager’s job, or Compliance is the Compliance manager’s job. Front line staff are usually the ones dealing with the issues, so actually it is their job to know, understand and manage the risk. A GRC system can change the risk culture by making it easy for everyone to get on board with managing their risk or compliance landscape. Instead of “Did you receive my email?”, the conversation you might have is, “Let’s talk about how to create value from that risk you identified.”
Back to what GRCs can do, a good GRC will present you with a beautiful space to work. White space so you are not overwhelmed with information, and it is clear what information you need to provide, or where you need to click. A good GRC will have good workflows built in so that it automatically pushes forward to the next step. Above all, it will have a good response speed, so that you can easily get on with your work, instead of waiting for the system to load or refresh. Its possible, reach out if you want to have a risky conversation!