New Years Resolution Number 6 for GRC Professionals: Embrace technology

Surveys consistently show that GRC professionals are slow adopters of enterprise technology. Spreadsheets, in spite of their limitations and risks, abound in the worlds of auditing and SOX. Compliance professionals may be even slower in implementing enterprise technology. Risk management professionals have embraced quantitative techniques and related technologies. Even where technology has been adopted, it is often misapplied. New Year's Resolution number 4 suggested that GRC professionals should focus on defining and measuring success against their end result objectives, not against the activities they perform to achieve them. The job of auditors is not to do audits. The job of SOX professionals is not to test controls. GRC professionals have a role in providing assurance and driving down failures.

Automating activities without regard for the end result leads to the situation described by Russell Ackoff, a recently deceased US management theorist: “The more efficient you are at doing the wrong thing, the wronger you become. It is much better to do the right thing wronger than the wrong thing righter! If you do the right thing wrong and correct it, you get better!”

Here are some tips to consider in embracing technology:

  • Don’t pave the cow path
    • If your practices are bad, automating them won’t make them better
    • Automating the wrong thing does not make it righter.
  • Use technology to streamline GRC activities, but consider eliminating some
    • Henry Ford’s customers said they wanted faster horses.
    • Could better use of technology eliminate the need for some of today’s GRC activities?
  • Use technology to make workpapers a source of shared knowledge
    • Is your technology blocking or is it enabling the dissemination of knowledge?
    • Can you link all Issues to their underlying Risks? To their root causes?
    • Can you predict the impact on process performance of a change in controls?
  • Use technology to create searchable knowledge on all risk and control information
    • Can you find all your data security risks with a single query?
    • Can you find all your control “gaps” with a single query?
  • Use technology to allow fact-based enterprise GRC reporting on risk and control status rather than “effectiveness opinions”
    • Can you tell your GRC stakeholders what’s new, different, better, worse, emerging or changing from a GRC perspective?
    • Can you do it in real time?
  • Use technology to shift accountability for risk and control management to the business
  • Use technology to provide assurance

This is the 6th in a series of New Year's Resolutions for GRC professionals.
