Compliance vs. Risk Focused Software – Can One System Serve two Masters?

To save time, money, or both, many of us have the tendency to re-purpose tools and processes for something they weren’t originally intended for.

Depending on the circumstances, this approach sometimes works …

Take, for example, a client who uses a system called Jira designed for facilitating IT help requests. With a few tweaks, this client was able to re-purpose this system for work requests for other (non-IT) departments in the company. Of course, there is nothing wrong with being creative with tools like this – provided it gets the job done in an effective and ethical way.

But oftentimes, this sort of “re-purposing” can be like trying to make a square peg fit into a round hole, leading to wasted time and resources.

One area where this is especially prevalent is ERM software, which, as I explain in this buyer’s guide, can be one of the most difficult challenges of establishing a mature risk management process.

Many systems you’ll encounter, including many big names, label themselves as “GRC” software, which is shorthand for Governance, Risk, and Compliance. These companies often claim their systems are able to handle all of these needs well, but as David Vose explains:

“GRC tools are sold as ticking all the boxes of G, R, and C – they do everything, much like the Amphicar 770 ticked the boxes for both a boat and a car – as long as you didn’t have a practical need for either.”

To further illustrate, one of my son’s favorite books, If I Built a Car, is about a boy who dreams about building a car with a hot food bar, a robot driver, a sofa, and even a pool! This car even goes under water and up in the air!

Now we understand the moral of the story is to encourage kids to dream big, and while lounging in a pool during a road trip sounds incredibly awesome, could you seriously imagine such a vehicle in real life?

Software systems labeled as “GRC” fall into a similar trap…

These systems may advertise that they’re able to handle governance, risk, and compliance functions well, but each function is distinct in its own right.

Let’s start with compliance, which involves doing what regulators and laws expect. Many companies I work with, namely insurance carriers, are subject to a litany of what we call LRRs (laws, rules, and regulations). Keeping track of whether they have been met requires a software tool. There are also internal corporate policies that can fall under the compliance umbrella as well.

While there is risk involved with compliance, this is a “check-the-box” type task, especially when management makes the decision to follow all applicable laws, rules, and regulations. GRC software systems designed for this purpose do a good job of helping companies stay out of trouble.

On the other hand, risk is not about issues that are already known, but about the potential of something happening, whether good or bad. Uncertainty management, as Hans Læssøe likes to call it.

Although many will use a GRC software system for this purpose, there are limitations, especially when it comes to understanding how risks impact strategic objectives. Since these systems rely on lists, executives will not find them valuable for decision-making. Trying to use a GRC system for this purpose will simply perpetuate the reputation of ERM being a “check-the-box” ritual as opposed to an integral part of ensuring the organization’s success.

Again, risk is about the potential of something happening with regard to a particular objective.

Therefore, to make informed decisions, executives need to understand scenarios under which risks could occur and how they will impact a particular objective, be it for the better or for worse.

After all, the whole point of ERM is to provide valuable insights to leadership so they can make better informed decisions, or as Danny Wong of GOAT Software states:

“As a risk professional, our primary stakeholder is the CEO and the rest of the C-suite, we need to develop insights and solutions that help them run the business – managing risk just comes with the territory.”

Software systems built for risk and strategy are much better at helping risk professionals accomplish this overarching goal of ERM.

A good software system built for this purpose will include functionality beyond the “list(s)” that are common among GRC systems. At a minimum, features should include:

  • Identifying the strategic objectives and/or business objectives.
  • Describing and cataloging scenarios that could occur related to each objective.
  • Linking risks and opportunities to relevant objectives.
  • Graphing a range of possibilities and consequences (i.e., impact and likelihood). Hans Læssøe’s book Decide to Succeed provides an excellent primer on this topic.
  • Ongoing monitoring of key indicators to understand how a risk is trending and whether that is acceptable.
  • Assigning a risk owner and actions or responses if needed.

Below is a graphic that shows how this should work within a risk-focused ERM software system.

To put it plainly, systems focused on compliance will not be able to go into this level of detail, which inevitably leads to the question…

Do we want one software system that’s great at compliance and fair at risk? OR one system that’s great at compliance and a separate system that’s great at risk?

To preface, I’m not saying NOT to use a GRC software system for risk, nor am I recommending one particular system over another, since each situation and need is unique. It’s certainly understandable to only want one tool, but if you choose to go this route, you need to have the right expectations: you will be sacrificing certain functionality and features that could be helpful in building a strategic advantage for your company.

At this time, I am not aware of systems that are able to serve both the compliance and risk masters simultaneously. Feel free to send me an email if you know of a specific tool that you think can satisfy all these requirements.

As I discuss in my ERM software buyer’s guide, choosing the right system is one of the most difficult parts of building a performance-focused risk management process and one that should be approached with extreme caution. I strongly urge you to check out the buyer’s guide for more information on how best to approach this challenge.

Like people, ERM and GRC software systems cannot serve two masters simultaneously, which is something to strongly consider if your company intends to move risk management into its strategic decision-making.

Do you currently use one GRC software for both compliance and risk or do you have separate tools?

Share your thoughts by leaving a comment below or join the conversation on LinkedIn.

If you prefer, you can send any comments privately to me at comments@strategicdecisionsolutions.com.

This is a unique challenge that doesn’t receive the attention it deserves. Countless companies have spent literally tens of thousands just to end up right back where they started or even worse off. To avoid this fate and ensure you have the right tools to meet today’s incredible challenges, click here to schedule a meeting to discuss your specific circumstances and potential solutions today.
