For a long time, the functions performed within the GRC team were all being done in a vacuum, largely disconnected from the business and from each other. For example, the team wrote policies that lacked meaningful guidance and were not fully communicated across the business. Risk assessments lacked meaningful analysis, which meant findings were largely ignored, and every audit was a mad scramble to gather and submit evidence.
The GRC team started making significant progress addressing these core issues and wanted to use Onspring to supercharge their efforts and maximize limited team resources. Moving off a combination of spreadsheets and their legacy platform, the team estimated it would take approximately two years to build all-new GRC programs and implement each within Onspring using their currently available people and resources.
Management was not willing to wait two years to get value out of the purchase, and the CISO was definitely not willing to wait two years to see results. The team knew they needed to break their long-term GRC strategy down into smaller, more manageable pieces, which is where it started to get more complex.