What support do GRC tools offer?
On behalf of the Risk Management Network, student Nicole Greter examined tools that map the functions of governance, risk and compliance (GRC) in her bachelor's thesis at the Lucerne School of Business. In addition to this tool comparison, she used a survey to analyse what requirements the business world actually places on the tools.
For some years now, the "3-lines-of-defense" model has also been explicitly promoted from a regulatory perspective as an approach for embedding risk and control functions in a holistic governance system. Various tools are available on the market to support operational implementation. However, do these tools provide companies with effective added value? Which approach works, how does it work, and what points need to be considered when implementing a GRC tool?
GRC approach
GRC describes the cross-functional approach consisting of governance, risk and compliance. A possible, but not general, definition is: "Governance, Risk & Compliance refers to the continuous overall consideration of all functions of an organization in order to effectively and efficiently manage legal, financial and reputational risks".
An example of a diagram showing the relationships between the individual disciplines is the "House of Governance". Here, the GRC approach includes the internal control system and internal audit in addition to the areas that give it its title.
The concept is intended to exploit synergies between the divisions and conserve resources. Integration can take place both horizontally and vertically. In the case of horizontal integration, the areas of governance, risk and compliance should increasingly use synergies among each other. Vertical integration, on the other hand, is intended to integrate the GRC approach into existing business processes. What support can a tool offer here?
A GRC software solution can support this, for example by recording reports and carrying out analyses and risk assessments in a (partially) automated manner. In doing so, it can increase efficiency and help management better understand the relationship between risk and compliance management. It can also help to reduce existing complexity by creating transparency and by identifying and eliminating deficiencies in existing processes.
Distribution and requirements at Swiss companies
A survey of 60 Swiss companies has shown that GRC tools are now widespread, especially in companies with more than 250 employees. Thus, 51.7 percent of the survey participants already have a solution in place and 20 percent are planning to introduce one. It should be noted that due to the Corona pandemic, only 60 companies took part in the survey and the figures are therefore only of limited significance.
The use of the tools shows a trend towards local, German-speaking providers, although international providers have a higher level of awareness.
The practical requirements for a GRC tool are primarily the basic disciplines of GRC: risk identification and assessment, the internal control system (ICS) and compliance management. Other must-have criteria include the ability to create comprehensible and consolidated reports and the tool's high level of user-friendliness. In addition, the vendor must be able to provide efficient support and, if desired, implement customization options. Other supplementary functions such as simulations, contract or audit management were weighted rather low in the survey.
Analysis of current GRC tools
The analysis of nine selected tools showed that all the solutions analysed fulfilled the aforementioned mandatory criteria. For example, each solution can be used to map the internal control system and to identify risks. In addition, it is possible to assign user-defined authorizations. However, there are major differences in the supplementary functions. The smaller tools often concentrate on the core functions, while larger solutions offer additional in-depth functions, which can be very different and comprehensive. Examples include Monte Carlo simulations, contract management, or the storage of standards such as ISO 9001. Automated workflows and links between the individual functions are also offered to very different extents. However, the scope has an influence on the complexity of the solutions.
In addition, the possibilities of user-defined adjustments differ greatly. Larger additions and adjustments usually require in-depth knowledge or IT support. Support from the providers is described as good both in this context and in general, and was an important selection criterion for most users. Regional and German-language support was important to most companies.
The standard reports are frequently criticised, as they are described as inadequate for the preparation of reports for the board of directors or the executive board. All of the interviewees stated that they either made manual adjustments to the reports or created their own templates.
Tips for the introduction
The introduction of a GRC tool, like any project, must be planned in detail and is best done step by step. The desired functions and those that will be needed in the future must be clearly defined in advance. Thus, it should be determined whether additional functions are necessary or whether they can be dispensed with in favor of simplicity. A decisive question is also whether the corresponding IT resources are available internally or whether it is necessary to call on the support of the provider. This in turn has an influence on the costs. Larger tools also require more resources in the company due to their complexity.
It is important to involve all affected parties in the selection and implementation process in order to meet all needs and secure support from line management. It has also been shown that it is difficult to introduce a solution across departments if these are not organisationally combined. Consequently, the GRC approach must first be implemented in the organization before the tool is introduced. Nevertheless, many companies use a GRC solution that is subsequently used by only one department (usually risk management). During evaluation, software solutions already in use in other departments should be considered first. For example, many solutions can also be used for process management or enterprise modeling and are particularly suitable for linking functions within the company. In this way, resources can be saved and synergies exploited.
The tool should be easy for employees to maintain. A GRC tool is often used by many risk and control owners, all of whom must be instructed accordingly. The individual forms for recording should not be overloaded. Therefore, it must be defined in advance which information is to be stored in the tool and which can be dispensed with. This also ensures that the reporting is simple and compact and thus guarantees transparency and efficiency up to the controlling level.