Feature
PRACTICE
Buyer beware BY JIMI HINCHLIFFE AND ARIANE CHAPELLE
Purchasing software to support governance, risk and compliance management initiatives can be fraught with difficulties. Following four well-defined stages can help steer a clear way to success
Firms are increasingly investing in specific software applications to support governance, risk and compliance (GRC) management activities. However, selecting the right GRC system for any organisation and then implementing it successfully is a significant undertaking. There are four key phases, which we will examine in this article: preparation, selection, implementation and utilisation (see GRC system: phases, rules and pitfalls).
Preparation
First of all, risk managers need to have realistic expectations. A GRC solution is not a solution to risk management issues; it is only a tool that operates the organisation’s framework more efficiently. It will not do risk management, only support it. Therefore, it is crucial to have a stable and explicit operational risk management (ORM) framework before looking for software support. Risk managers need to stabilise their existing framework first.
In fact, a common mistake is to implement a GRC system without first addressing known weaknesses or gaps in the risk framework. Carefully reviewing the risk framework can help risk managers to make an informed choice for the system. If the ORM framework is underdeveloped or immature, make sure it is set up in a way that is suitable and proportionate to the needs of the organisation. Do this before deciding on software to support the framework because the framework dictates the GRC system that supports it, not the other way around. If the ORM framework has legacies and intricacies that make it too complicated, simplify it. Do not transfer unnecessary complexity to the software. Some firms invest considerable time and money to exploit the immense ability of modern GRC systems to replicate