Compliance vs. Risk Focused Software – Can One System Serve two Masters?

To save time, money, or both, many of us have the tendency to re-purpose tools and processes for something they weren’t originally intended for.

Depending on the circumstances, this approach sometimes works …

Take, for example, a client who uses a system called Jira designed for facilitating IT help requests. With a few tweaks, this client was able to re-purpose this system for work requests for other (non-IT) departments in the company. Of course, there is nothing wrong with being creative with tools like this – provided it gets the job done in an effective and ethical way.

But often times, this sort of “re-purposing” can be like trying to make a square peg fit into a round hole, therefore leading to wasted time and resources.

One area where this is especially prevalent is with ERM software, which as I explain in this buyer’s guide, can be one of the most difficult challenges of establishing a mature risk management process.

Many systems you’ll encounter, including many big names, label themselves as “GRC” software, which is short-hand for Governance, Risk, and Compliance. These companies often claim their systems are able to handle all of these needs well, but as David Vose explains:

GRC tools are sold as ticking all the boxes of G, R, and C – they do everything, much like the Amphicar 770 ticked the boxes for both a boat and a car – as long as you didn’t have a practical need for either.”

To further illustrate, one of my son’s favorite books, If I Built a Car, is about a boy who dreams about building a car with a hot food bar, a robot driver, a sofa, and even a pool! This car even goes under water and up in the air!

Now we understand the moral of the story is to encourage kids to dream big, and while lounging in a pool during a road trip sounds incredibly awesome, could you seriously imagine such a vehicle in real life?

Software systems labeled as “GRC” fall into a similar trap…

These systems may advertise that they’re able to handle governance, risk, and compliance functions well, but each function is distinct in its own right.

Let’s start with compliance, which involves doing what regulators and laws expect. Many companies I work with, namely insurance carriers, are subject to a litany of what we call LRRs (laws, rules, and regulations). Keeping track of whether they have been met requires a software tool. There are also internal corporate policies that can fall under the compliance umbrella as well.

While there is risk involved with compliance, this is a “check-the-box” type task, especially when management makes the decision to follow all applicable laws, rules, and regulations. GRC software systems designed for this purpose do a good job of helping companies stay out of trouble.

On the other hand, risk is not about issues that are already known, but about the potential of something happening, whether good or bad. Uncertainty management, as Hans Læssøe  likes to call it.

Although many will use a GRC software system for this purpose, there are limitations, especially when it comes to understanding how risks impact strategic objectives. Since these systems rely on lists, executives will not find them valuable for decision-making. Trying to use a GRC system for this purpose will simply perpetuate the reputation of ERM being a “check-the-box” ritual as opposed to an integral part of ensuring the organization’s success.

Again, risk is about the potential of something happening in regards to a particular objective.

Therefore, to make informed decisions, executives need to understand scenarios under which risks could occur and how they will impact a particular objective, be it for the better or for worse.

After all, the whole point of ERM is to provide valuable insights to leadership so they can make better informed decisions, or as Danny Wong of GOAT Software states:

As a risk professional, our primary stakeholder is the CEO and the rest of the C-suite, we need to develop insights and solutions that help them run the business – managing risk just comes with the territory.”

Software systems built for risk and strategy are much better at helping risk professionals accomplish this overarching goal of ERM.

A good software system built for this purpose will include functionalities beyond the “list(s)” that are common among GRC systems. Features at a minimum should include:

  • Identifying the strategic objectives and/or business objectives
  • Describing and cataloging scenarios that could occur related to each objective.
  • Linking risks and opportunities to relevant objectives
  • Graphing of a range of possibilities and consequences (i.e., impact and likelihood). Hans Læssøe’s books Decide to Succeed provides an excellent primer on this topic.
  • Ongoing monitoring of key indicators to understand how a risk is trending and whether that is acceptable.
  • Assigning a risk owner and actions or responses if needed.

Below is a graphic that shows how this should work within a risk-focused ERM software system.

To put it plainly, systems focused on compliance will not be able to go into this level of detail, which inevitably leads to the question…

Do we want a software that’s great at compliance and fair at risk? OR one software that’s great at compliance and a separate software that’s great at risk?

To preface, I’m not saying to NOT use a GRC software system for risk, nor am I recommending one particular system over another since each situation and need is unique. It’s certainly understandable to only want one tool, but if you choose to go this route, you need to have the right expectations in that you will be sacrificing certain functionality and features that could be helpful in building a strategic advantage for your company.

At this time, I am not aware of systems that are able to serve both the compliance and risk masters simultaneously. Feel free to send me an email if you know of a specific tool that you think can satisfy all these requirements.

As I discuss in my ERM software buyer’s guide, choosing the right system is one of the most difficult parts of building a performance-focused risk management process and one that should be approached with extreme caution. I strongly urge you to check out the buyer’s guide for more information on how best to approach this challenge.

Like people, ERM and GRC software systems cannot serve two masters simultaneously, which is something to strongly consider if your company intends to move risk management into its strategic decision-making.

Do you currently use one GRC software for both compliance and risk or do you have separate tools?

Share your thoughts by leaving a comment below or join the conversation on LinkedIn.

If you prefer, you can send any comments privately to me at comments@strategicdecisionsolutions.com.

This is a unique challenge that doesn’t receive the attention it deserves. Countless companies have spent literally tens of thousands just to end up right back where they started or even worse off. To avoid this fate and ensure you have the right tools to meeting today’s incredible challenges, click here to schedule a meeting to discuss your specific circumstances and potential solutions today.

, , , , , , , , , , , ,

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu