
Page 1: Governance, Risk and Compliance (GRC), CyberSecurity Solutions … · 2020. 11. 19. · GRC Transformation: Higher process maturity + lower expected level of change = lower ... Control

How to Manage GRC Change Smoothly and Successfully

PERFORM WITH INTEGRITY TM

Page 2

Transforming siloed or manual GRC processes into more agile,

including better preparedness for risk events, and better risk insights for decision-making. However, actually enabling this transformation can be quite challenging. Taxonomies often have to be changed. Top-level approval has to be sought. Cultural changes have to be

Employees who are used to doing GRC a certain way for years (e.g., using a 1-5 risk-rating scale) can often be resistant to adopting a

change can be experienced in a real and tangible manner by the people making the change. For instance, if risk managers gain real-time risk intelligence with heat maps, or if policy managers gain a comprehensive view of regulations that impact a policy, or if they can leverage a chatbot to simplify the search for policies based on

However, when implementing a new enterprise GRC system, or enabling any other such large and pervasive shift, many of the

executives, rather than the people in the front line who are actually

system, or learning a new risk taxonomy. And since the front line doesn’t necessarily get to experience the value proposition of the

necessity.

How then can GRC transformation be enabled in a smooth and

Page 3

The best place to begin a GRC transformation project is in a process or function that has a low barrier to change because the maturity level of the process is already relatively high, and the level of anticipated change is low. As an example, let’s assume that Organization XYZ wants to implement a new policy management solution that will make it easier

the policies they need. The organization

for policy creation, approval, and communication - it just needs a few enhancements with the new solution. Therefore, the barrier to change is low, and the solution can be implemented fairly quickly with a little user training and hands-on help.

On the other hand, let’s assume that the organization’s risk assessment process is fragmented, lacks consistency or integration,

systems. This is an immature process. Therefore, if the organization was looking to

implement a risk management solution, the barrier to change would be high -- because

standardized, risk reporting processes

organization were to straightaway

making these changes, they would simply end up with the same bad process or bad data in a new system. The bottom-line is that when embarking on a GRC change management project, the

each process and then prioritize the use cases accordingly. By starting with the use

people in the front line will have the time to get used to the change, after which the more complex use cases can be tackled.

Change Management Tactics

1 Select the Right Use Case

Page 4

Choosing a Use Case for GRC Transformation:

Higher process maturity + lower expected level of change = lower barrier to change

Start with the use case that has the lowest barrier to change

Determine the GRC processes that will be changed

Self-assess the maturity of each process and the anticipated level of change

Process             Maturity    Expected change    Change barrier
Policy Management   high        low                low
Control Testing     moderate    moderate           medium
Risk assessment     low         high               high

Page 5

2 Choose the Right Stakeholder Group

When planning a GRC transformation project, it’s important to identify the change accelerators in the organization, i.e., the people who champion, drive, and catalyze change across the enterprise. Typically, these individuals are found lower down the hierarchy, where more informal business networks have developed organically.

These networks are composed of people who are not necessarily high-ranked, but are well-connected, well-respected, and frequently sought out for advice by colleagues. They are

and convinced about the need for GRC transformation, they can act as positive change

agents for the rest of the enterprise, particularly the front line.

Any organization will always have its naysayers who are resistant to change. While it’s important to understand and address their concerns, it’s also

the early adopters who will provide useful feedback on the proposed GRC transformation. Through these stakeholders, one can gradually work through and get the buy-in of the “silent

the detractors at the front end will have to get on board with the change.

Pro Tip

Set up a “change management” committee with representation from relevant stakeholders. For instance, if a new GRC

team members are on hand to answer questions on the technological change aspects. Front line representation is also important to ensure that employee concerns around change management are being heard and addressed.

Page 6

3 Communicate the Value

A good way of getting people to buy into the message of GRC transformation is to communicate

than a corporate level. For instance, when implementing a new risk reporting tool, stakeholders can be told how the system will make their jobs easier, protect them, and make them

to understand what’s in it for them.

Mass communication is also important, especially when seeking the support of the front line. Company-wide newsletters, emails, exclusive GRC portals, and other such channels help disseminate the messaging around GRC transformation clearly. The more the message is reinforced, the better employees will understand why it’s important.

The concept of a helpdesk is also worth thinking

that employees can instantly message, phone, or

enterprise, and understand the challenges and problems that employees are facing. This data can then be used to enhance GRC training materials or programs.

Page 7

4 Check the Quality of Data

When feeding information into a new GRC system, a good practice is to set up both

wants to register an issue or incident, front-end data checks might include training him or her on the type of data to enter into the system, while also establishing a helpdesk to answer any queries that he or she might have. Back-end data checks would focus on ensuring that the data entered into the system makes

Often, organizations rush to implement a new

quality of data that has been entered into the

where the quality of reported data makes all the

Well-organized, consistent, and high-quality data

How to communicate the

of GRC change?

- in-person training, app e-learning)
- Make the value proposition personal
- Periodically survey employees to measure the success of adoption, and to identify challenges/pitfalls
- Get the CEO to communicate to employees the strategic importance of the change
- Reinforce the messaging through targeted mass communications (e.g., company newsletter)
- Help stakeholders visualize what the future will look like when the change has been implemented
- front line’s shoes to understand their challenges
- Bring in industry experts to provide an independent perspective on the need for the change
- Set up a helpdesk to respond to stakeholder queries or complaints

Page 8

In a Nutshell

and engagement are key. The work involved is no doubt challenging. But in a dynamic marketplace,

that we get it right.

How MetricStream Can Support You

MetricStream’s Enterprise GRC Solution can help you manage your risks, compliance, audits, cybersecurity, and third-party governance activities in an integrated and automated manner.

The solution cuts across organizational silos, enabling a holistic and collaborative approach to

and compliance data from across the enterprise, and transform it into actionable business intelligence to support decision-making.

With support for mobility, real-time reporting, advanced risk analytics, and regulatory

Solution is comprehensively designed to meet the GRC needs of today’s complex, global enterprises.

Business Outcomes*

management and board

90% Reduction in time taken to manage compliance activities

300% More coverage on compliance and control monitoring

*Source: Customer responses and GRC Journey Business Value Calculator

Page 9

Contact us: visit www.metricstream.com

© 2020 Copyright MetricStream. All rights reserved.