cfotechoutlook

The Quintessential Technology Source for Corporate Financial Professionals

LEARNING FROM EXPERIENCE: IMPROVE THE CHANCES OF A SUCCESSFUL GRC IMPLEMENTATION

IN MY OPINION | July 2021

By Eileen A. Fahey, CFA, Chief Risk Officer

Software implementations are operationally challenging and financially scrutinized, and definitions of success vary widely. Implementing GRC software spans the first, second and third lines of defense of operational controls. That breadth makes a GRC implementation one of the more challenging and high-profile projects within a firm.

This article shares a few tips to reduce pain points and improve the likelihood of a successful implementation. It is by no means a step-by-step guide, but it highlights some aspects that commonly cause frustration. Consistency in the selection and implementation phases aids decision-making. Elements of that consistency include:

· defined and dedicated internal resources, sized to meet the project's skill needs and implementation deadlines;
· planning and documentation of implementation phases, including milestones, periodic stakeholder meetings, and defined measures of success;
· communication and engagement with stakeholders and executives, along with the understanding that hard work and hiccups are expected!

Selection Phase: Define Key Attributes

All management lines have a vested interest in a successful GRC implementation. Consulting a variety of users will help identify the system expectations that reduce pain points. Optimal GRC systems allow risk functions such as compliance, operational risk and audit to use common risk, control and testing libraries and consistent reporting across an organizational hierarchy. Selection committees may be too narrowly focused: success for the occasional user depends on identifying the largest pain points, providing easy user interfaces, and allowing the creation of dashboards that accurately depict status using KRIs.

Selection committees ideally include:

· a few first-line managers who respond to findings, authorize corrective action plans and note completed tasks;
· product leaders selected from internal auditors, compliance testers, information security and operational risk managers;
· IT staff to assess compatibility, security, capacity and reliability; and
· an executive sponsor, who provides support and perspective on KRI dashboards and whose involvement likely reduces opposition to the required investment.

Form a smaller selection committee to investigate and develop relationships with several GRC vendors. The selection committee is assigned to:

· assess the advantages and disadvantages of multiple products;
· propose system prioritizations and minimum requirements;
· present recommendations to the larger group;
· propose two to three systems for detailed exploration;
· recommend expectations for degrees of customization; and
· document decisions and next steps.

Establishing resource parameters in a broad working group helps move decisions forward. An understanding of costs, including the need or desire for an 'off the shelf' product compared with a customized solution, will be influenced by an organization's size, geographic breadth, regulatory structure and risk appetite, and by its desire to improve operational risk assessments of internal controls.

Set Clear Expectations for Vendors

Once system specifications are identified and prioritized, vendor testing can begin. After the initial review of GRC systems, the working group should narrow the vendor pool to two or three vendors. These vendors should be willing to provide a 'sand box' environment, an application shell. The sand box provides