Can GRC be automated?
Governance, risk and compliance (GRC) is usually a grudge purchase. It’s the aspect of work which everyone wishes to avoid or if they can’t, try to short circuit. And while automating GRC can ease the process slightly, it’s a fine balance. Too much automation could result in unnecessary complexity and too little automation could result in frustration.
So says Ritasha Kalidas, director of IT security, risk and governance at Tiger Brands, who will be speaking at ITWeb Governance, Risk & Compliance 2020, to be held on 25 and 26 February, at The Forum in Bryanston. Her talk is about eliminating manual efforts by leveraging the capabilities of GRC automation.
According to Kalidas, one needs to automate just enough and this is generally informed by the maturity of the organisation.
“While many tools are called GRC, the RC components are generally the ones which can be easily automated. Governance aspects, generally, are not 'automatable' as it requires a firm system comprised of ethics, corporate governance and a mindset of individual values to be in place.”
Kalidas says it comes down to answering several questions, including whether the organisation understands its key risks, as well as which governance structures and policies apply. Also, does the organisation understand the state of its control posture across key business processes and functions, and have GRC activities been executed transparently, openly and in a manner that can be proved?
While many tools are called GRC, the RC components are generally the ones which can be easily automated.Ritasha Kalidas, Tiger Brands
In addition, she says businesses need to ask themselves whether they are compliant with laws, regulations and the industry standards which apply to them, and once they understand this, how they are practiced and applied.
Then, she says when remediation actions are identified or control failures are highlighted, what processes are followed to monitor and report against these, and how quickly does the business remediate actions against key risks and related control failures?
“The above answers actually speak to the longevity of the organisation and its sustainability in terms of whether it accepts GRC as an ongoing form of business practice or whether it addresses GRC as a tick-box exercise,” Kalidas adds.
“It speaks to the heart and intent of the organisation's very brand, image, vision and mission and determines the reputation that the organisation in question holds within its given society.”