Practical consideration in GRC implementation (2)
November 18, 2019
By Dr. Emmanuel Moore ABOLO
Implementation of new initiatives in GRC may be an arduous task for many organisations. With multiple views and aspects of GRC, it can be difficult to know where to begin.
From my experience working on several GRC projects, these are the key process steps to a successful GRC implementation:
• Define Stakeholders and Ensure Buy-in: Everyone within the organization should be involved with GRC implementation since all or some aspects affect each person’s business functions. Hence the need for effective collaboration and communication across functional areas and across cadres;
• Choose Project Team and Set Terms: Choose the project team members from across the functional areas; you could refer to them as champions. Then create a control team of a few very resourceful people. These should be executive masters and innovators, and should possess leadership skills. Endeavour to mix ages within the control team;
• Review Existing GRC Framework: Every organization practices GRC somehow. It might be crude or even refined. Whichever level it is, it is important to review it and identify the gaps that technology can fill;
• Select a GRC Solution: In order to ensure effective functioning of a GRC initiative, it is important that you pick the right implementation partner such as Riskmap Consulting and an ideal GRC solution for your organization. There are scores of GRC tools and hundreds of vendors in the market. Cloud-based GRC solutions are most popular nowadays;
• Determine Success Criteria: Crafting success criteria that map to actual GRC functions and to the owners is a critical grounding step in the process. With a refined understanding of the existing landscape, scope and associated business case for the program, carefully crafted success criteria mapped to specific departments and functions will allow project stakeholders to see their own specific expected benefits;
• GRC Project Planning: Articulate and document a well-defined GRC implementation plan. Your selected implementation vendor such as Riskmap Consulting visits your premises and spends time understanding your existing business processes and policies. The vendor’s team also conducts a risk assessment of your business in collaboration with your champions and identifies areas that need to be protected or improved. Armed with the information, an integrated GRC plan that best suits your organization is developed, including a detailed demo of the selected GRC product, assigning roles and responsibilities and defining project timelines;
• Implement GRC Practices: Once a detailed plan is developed, the next and the most crucial step is implementing GRC practices at your organization. Today, most GRC programs are Cloud-driven and automated. Implementation involves policy and document management, operational risk management, IT risk management and corporate compliance management. It also includes spreading awareness about the new GRC policies and training people within the organization to practice them.
• The final stage is that of Oversight and Continual Improvement: Implementing a GRC program is not a one-time activity. It is a continuous business practice and must be followed every day across all departments. It is, therefore, important to closely monitor and ensure that GRC practices are well followed and being matured within the organization. Also, since the business world is highly dynamic, you must modernize your GRC platform and revise your policies regularly to match business, industry and regulatory requirements.
Different firms across the globe are at varying levels of maturity and approaches differ for GRC activities. Financial firms looking to centralize risk and controls across the enterprise need to examine next-generation solutions that demonstrate a cohesive “one platform” capability based on modern architectural components.
Alternatively, for financial firms that have made investments in separate GRC tools/applications, it may make sense to implement a top-down governance dashboard layer that can integrate data from (disparate) GRC tools and applications.
With the latter, underlying GRC data definitions and taxonomies are likely to differ, and firms will need to ensure an appropriate level of uniformity such that information can be interpreted consistently and quality of data is high.
When it comes to implementing a GRC strategy or starting to use related tools and processes, there are many potential pitfalls, so here are some additional implementation tips on what to expect and some lessons learned from businesses we have helped through the alleyway:
• Do your research, know and understand what you are buying;
• Take an iterative approach, revise and revisit aspects over and over again;
• Work collaboratively with all stakeholders;
• Communicate to avoid misunderstanding;
• Prepare and provide the right people and funding; and
• Get the Board on Board.
It is important to take to heart this time-honoured commentary by Refinitiv, a global provider of financial markets data and infrastructure: ‘As the remit for GRC ecosystems is expected to broaden, a component-based middleware and integration layer to cohesively integrate data and connect to upstream and downstream systems will be paramount. GRC solutions have the opportunity to be the “operations control and monitoring” hub in a federated model if the architectural foundations are right. Firms must insist that their vendors and internal solutions adopt a strategy to expand off-the-shelf component adapters and where possible, employ open / micro-service-based interfacing to external systems’.
Implementing GRC in practice requires the full support of the Board. Therefore, our next focus in this series is on how to get the board on board in GRC implementation.