How to Manage GRC Change Smoothly and Successfully
PERFORM WITH INTEGRITY™
Transforming siloed or manual GRC processes into more agile,
including better preparedness for risk events, and better risk insights for decision-making. However, actually enabling this transformation can be quite challenging. Taxonomies often have to be changed. Top-level approval has to be sought. Cultural changes have to be
Employees who are used to doing GRC a certain way for years (e.g., using a 1-5 risk-rating scale) can often be resistant to adopting a
change can be experienced in a real and tangible manner by the people making the change. For instance, if risk managers gain real-time risk intelligence with heat maps, or if policy managers gain a comprehensive view of regulations that impact a policy, or if they can leverage a chatbot to simplify the search for policies based on
However, when implementing a new enterprise GRC system, or enabling any other such large and pervasive shift, many of the
executives, rather than the people in the front line who are actually
system, or learning a new risk taxonomy. And since the front line doesn’t necessarily get to experience the value proposition of the
necessity.
How then can GRC transformation be enabled in a smooth and
The best place to begin a GRC transformation project is in a process or function that has a low barrier to change because the maturity level of the process is already relatively high, and the level of anticipated change is low. As an example, let’s assume that Organization XYZ wants to implement a new policy management solution that will make it easier
the policies they need. The organization
for policy creation, approval, and communication - it just needs a few enhancements with the new solution. Therefore, the barrier to change is low, and the solution can be implemented fairly quickly with a little user training and hands-on help.
On the other hand, let’s assume that the organization’s risk assessment process is fragmented, lacks consistency or integration,
systems. This is an immature process. Therefore, if the organization was looking to
implement a risk management solution, the barrier to change would be high -- because
standardized, risk reporting processes
organization were to straightaway
making these changes, they would simply end up with the same bad process or bad data in a new system. The bottom line is that when embarking on a GRC change management project, the
each process and then prioritize the use cases accordingly. By starting with the use
people in the front line will have the time to get used to the change, after which the more complex use cases can be tackled.
Change Management Tactics
1 Select the Right Use Case
Choosing a Use Case for GRC Transformation:
Higher process maturity + lower expected level of change = lower barrier to change
Start with the use case that has the lowest barrier to change
Determine the GRC processes that will be changed
Self-assess the maturity of each process and the anticipated level of change

Policy Management: Maturity = high, Expected change = low, Change barrier = low
Control Testing: Maturity = moderate, Expected change = moderate, Change barrier = medium
Risk Assessment: Maturity = low, Expected change = high, Change barrier = high
2 Choose the Right Stakeholder Group
When planning a GRC transformation project, it’s important to identify the change accelerators in the organization, i.e., the people who champion, drive, and catalyze change across the enterprise. Typically, these individuals are found lower down the hierarchy, where more informal business networks have developed organically.
These networks are composed of people who are not necessarily high-ranked, but are well-connected, well-respected, and frequently sought out for advice by colleagues. They are
and convinced about the need for GRC transformation, they can act as positive change
agents for the rest of the enterprise, particularly the front line.
Any organization will always have its naysayers who are resistant to change. While it’s important to understand and address their concerns, it’s also
the early adopters who will provide useful feedback on the proposed GRC transformation. Through these stakeholders, one can gradually work through and get the buy-in of the “silent
the detractors at the front end will have to get on board with the change.
Pro Tip
Set up a “change management” committee with representation from relevant stakeholders. For instance, if a new GRC
team members are on hand to answer questions on the technological change aspects. Front line representation is also important to ensure that employee concerns around change management are being heard and addressed.
Communicate the Value
A good way of getting people to buy into the message of GRC transformation is to communicate
than a corporate level. For instance, when implementing a new risk reporting tool, stakeholders can be told how the system will make their jobs easier, protect them, and make them
to understand what’s in it for them.
Mass communication is also important, especially when seeking the support of the front line. Company-wide newsletters, emails, exclusive GRC portals, and other such channels help disseminate the messaging around GRC transformation clearly. The more the message is reinforced, the better employees will understand why it’s important.
The concept of a helpdesk is also worth thinking
that employees can instantly message, phone, or
enterprise, and understand the challenges and problems that employees are facing. This data can then be used to enhance GRC training materials or programs.
3 Check the Quality of Data
When feeding information into a new GRC system, a good practice is to set up both
wants to register an issue or incident, front-end data checks might include training him or her on the type of data to enter into the system, while also establishing a helpdesk to answer any queries that he or she might have. Back-end data checks would focus on ensuring that the data entered into the system makes
Often, organizations rush to implement a new
quality of data that has been entered into the
where the quality of reported data makes all the
Well-organized, consistent, and high-quality data
in-person training, app e-learning)
Make the value proposition personal
Periodically survey employees to measure the success of adoption, and to identify challenges/ pitfalls
Get the CEO to communicate to employees the strategic importance of the change
Reinforce the messaging through targeted mass communications (e.g., company newsletter)
Help stakeholders visualize what the future will look like when the change has been implemented
front line’s shoes to understand their challenges
Bring in industry experts to provide an independent perspective on the need for the change
Set up a helpdesk to respond to stakeholder queries or complaints
4
How to communicate the
of GRC change?
In a Nutshell
and engagement are key. The work involved is no doubt challenging. But in a dynamic marketplace,
that we get it right.
How MetricStream Can Support You
MetricStream’s Enterprise GRC Solution can help you manage your risks, compliance, audits, cybersecurity, and third-party governance activities in an integrated and automated manner.
The solution cuts across organizational silos, enabling a holistic and collaborative approach to
and compliance data from across the enterprise, and transform it into actionable business intelligence to support decision-making.
With support for mobility, real-time reporting, advanced risk analytics, and regulatory
Solution is comprehensively designed to meet the GRC needs of today’s complex, global enterprises.
Business Outcomes*
management and board
90% Reduction in time taken to manage compliance activities
300% More coverage on compliance and control monitoring
*Source: Customer responses and GRC Journey Business Value Calculator
Contact us
visit: www.metricstream.com
© 2020 Copyright MetricStream. All rights reserved.