3 Ways to Expand the Scope of Your GRC Strategy

When a team is tasked with overseeing governance, risk and compliance (GRC), the team can only do so much. Limiting factors, such as finite human resources, manual processes, re-entering the same information into multiple systems and the sheer breadth of responsibilities, can waylay the best of intentions. However, some companies have found a way to break through these common barriers with GRC automation software, which ultimately strengthens their overall governance, risk and compliance strategies.

Here are three ways that GRC teams like yours started small and then expanded into vendor, contract and policy management, as well as regulatory change, controls and compliance, audit and assurance, and other areas.

1. Establish Your Vision and Understand Where You’re Heading

“Where do we see the organization five years down the road? Let’s not get hung up on what we can or cannot do in the next two months, but where we’re headed.”

In the days before everyone carried GPS-enabled devices with them, you needed three things for a successful road trip: your starting point, your destination and a map to take you from one to the other. The same is true in GRC management. It’s no good even getting on the road until you know where you’re starting from, where you’re heading and a general sense of how to navigate there.

Headquartered in Madison, Wisconsin, American Family Insurance is one of the nation’s most trusted providers of property, casualty, and auto insurance. John Aaholm, American Family’s GRC technology lead, decided to consolidate his department’s activities in one centralized platform with Onspring. Before implementing though, he evaluated exactly where the company was with its current processes and the endpoint goal that leadership wanted to reach. This enabled him to plot stops along the way as American Family expanded its Onspring implementation.

“Where do we see the organization five years down the road?” Aaholm asked in a presentation at Connect, Onspring’s annual user conference. “Let’s not get hung up on what we can or cannot do in the next two months, but where we’re headed. Take inventory to understand what programs you have in place where you could start focusing your time and attention. Then establish a common GRC taxonomy, create a roadmap for where you’re going, set up an internal community of practice, and architect the GRC platform based on these areas.”

Aaholm realized that for this project to succeed, he needed to get multi-department buy-in on what GRC automation was trying to achieve and why. Then his team could project the roadblocks they might face along the path and come up with contingencies for them.

“Understand what the vision for your organization is around GRC and then do whatever you can to help everyone get on board with that vision,” he said. “Deliver on the technology roadmap incrementally so that people keep seeing progress. Integrated GRC isn’t easy, but it is achievable if you figure out how to overcome the obstacles.”


2. Know Your Processes and How They’re Interrelated

“Onspring is flexible and powerful, so you really should think of the long-term implications when you’re designing each process.”

With more than half a million customers across multiple lines of business, managing governance, risk and compliance is anything but simple for New Jersey Resources (NJR). The company must ensure that it stays up to date with controls, policies, compliance and more for natural gas and clean energy transportation, distribution and asset management. The company also needs to manage internal and third-party risk, protect sensitive data against breaches and cyberattacks, and successfully complete audits.

Due to the complexity of its operations, it would have been foolish for NJR to forge ahead with GRC automation in a piecemeal fashion. Instead, Director of Procurement and Contract Management Drew Pulitano sat down with domain experts and mapped out exactly how each manual process was being performed. Then they decided which steps to keep, those to eliminate, and any new ones that would add simplicity and speed. This due diligence enabled NJR to successfully launch Onspring in three departments simultaneously and then to extend the solution further.

“The areas we went live with at the same time were audit, assurance and SOX compliance,” Pulitano said. “Then a year later we went live with contract management, which is under vendor management. Onspring is flexible and powerful, so you really should think of the long-term implications when you’re designing each process.”

Before the ambitious initial rollout, Pulitano and his colleagues resisted the temptation to think of workflows as siloed, standalone entities. Instead, they considered the connections between different roles, actions and responsibilities, treating GRC as a spiderweb with threads leading from every part of the company back to the central Onspring hub.

“I told people, ‘Forget about the system for five minutes, and let’s talk about process,’ because GRC is very interrelated – from risks to controls to contracts to vendors,” he said. “You don’t want to design anything in a vacuum. Think about the big picture over the long term so you don’t paint yourself into a corner. Start with a workflow and document it, as even great software like Onspring can’t fix a bad process. You have to know what you’re getting into.”

3. Distinguish Between Important and Urgent Next Steps

“If you look around, there are always more fires to fight, no matter how big your organization or teams are. At some point, you have to take a step away from them and start working on the sprinkler system.”

No, this tip has nothing to do with Keanu Reeves dodging bullets in slow motion. Rather, it’s about a compliance leader who successfully scaled his GRC solution by using a proven decision-making tool to choose the next steps. Named after President Dwight D. Eisenhower, this framework separates what’s urgent from what’s important and surfaces the to-do items that check both boxes.

As one of the most prestigious healthcare providers in the Midwest, the University of Kansas Health System (UKHS) has many moving parts in clinical and administrative departments spread across multiple locations in two states. This can make it difficult if not impossible to come to conclusions that everyone agrees on so that a multi-stage GRC strategy can be finalized and implemented.


Like General Eisenhower, Michael Meis, Associate Chief Information Security Officer at UKHS, realized that endless discussions could go on forever, and at some point, decisive action was needed. So when trying to initiate a GRC automation plan that would extend Onspring to include third-party risk management (TPRM), contract management and other functions, he sought early input from colleagues in many roles. But then it was time to get rolling.

“Just start doing,” Meis advises. “If you look around, there are always more fires to fight, no matter how big your organization or teams are. At some point, you have to take a step away from them and start working on the sprinkler system. I’m a huge fan of the Eisenhower matrix—the ability to look at something and consider how important versus urgent it is. As a leader, you need to be able to look at each item and ask how much value that’s going to bring to your program over the next six, 12, 18 or 36 months. And then ensure you start working on some things continuously.”

An example of the Eisenhower Matrix, which can be useful to decide which tasks should be pursued in your GRC strategy.

To learn more about how Onspring can deliver enterprise-wide benefits, see it in action now.