GRC Tech and How it Assists in Risk Oversight

December 09, 2021

In this podcast, Nina Kelleher and Jason Vik, directors in EisnerAmper Digital, to discuss what GRC tech is, some of the technologies that it includes, and how GRC tech can contribute to your organization’s overall growth strategy. 


Transcript

Nina Kelleher: Hello, and welcome to EisnerAmper's podcast on governance, risk and compliance technology, otherwise known as GRC Tech. I'm your host Nina Callaher. And today I'll be speaking with Jason Beck. Jason is a director in EisnerAmper Digital with experience in integrated risk management, data governance, and reporting. Hi, Jason, thanks for joining me today,
Jason, can you share some thoughts on the concept of GRC tech? Sure.
Jason Vik: GRC has been an acronym of debate in recent years and is often exchanged for IRM or the concept of integrated risk management. In general there's a mandate to reduce or eliminate risk to an organization on all levels. Traditionally done in silos, risk management is migrating to an integrated model driven in large part by an organization's enterprise risk strategy. Integrating the various risk functions within an organization increases the efficiencies that the organizations are able to assess and manage risk.

NK: So, what are some of the types of technologies in the GRC space?
JV: GRC technologies are designed as either point solutions, meaning they're highly specialized in a single risk area. For example, third party risk management, or enterprise solutions, meaning they're able to bring a large portion of an organization's risk management activities into a single application. Which one is right for an organization greatly depends upon that organization.
NK:How do these technologies contribute to the growth and maturity of an organization's overall risk strategy?
JV:While these technologies facilitate the next step in the maturity life cycle of a firm's risk strategy, we discussed earlier, how risk has traditionally been managed in silos. These tools promote integration, forcing stakeholders to come to the table and discuss how to integrate and measure risk consistently across the enterprise. Using technology to do this creates a common framework or data model, if you will. Reporting an analytics at a level, not yet seen, it provides a foundation for the leap to an enterprise risk management strategy. Promoting this integration and leveraging the data and analytics now available an organization can begin to decipher the top three, four or five strategic risks to the enterprise and put plans in place to reduce or eliminate that risk.
NK:Can you talk to me more about the process an organization would go through to adopt these technologies?
JV:For sure. Once the decision is made to implement a GRC technology, my firm recommendation is to seek out the assistance with third party for guidance on that journey. It's generally a good idea to start with the current state assessment of each of the risk areas. This information will help an organization identify which areas may be ready for implementation and others which may need additional time to prepare, ultimately allowing the business to develop a long term roadmap for their future state.

Following the readiness assessment, it's time to choose the technology through a vendor selection process. An experienced third party will be able to use the information gathered during readiness assessments to recommend several vendors that may align with their needs and to demo their solutions. Vendors will be scored on a set of criteria important to the business, allowing them to ultimately make an objective decision on which platform to use. At this point, it's all about the details. Meeting with stakeholders that gather detailed requirements, working with the vendor to develop a detailed solution and finally configuration execution of that solution.
NK:Jason, would you be able to share with us some of the challenges that companies might face when implementing GRC technology?
JV: Sure, Nina. I think some of the challenges companies face are really in the implementation side. And this is why, again, I encourage people to seek out a third party to assist. You really don't know what you don't know. When it comes to implementing technology it's all about being prepared and doing your due diligence, you know, really reviewing the different process areas and understanding who's ready to be implemented into a technology, who might need more work. So there's a lot of cost savings by actually engaging in a third party rather than being mid-implementation and realizing there's some process work that needs to happen. So I think, single biggest recommendation, lesson learned would be really engage someone that's been through this process internally or externally as a third party. And in the long run I think unanimously the organizations that have gone through this process would agree that it'll save you time, money, and probably a lot of Ibuprofen from the headache.
NK:Jason, thank you for this valuable information and thank you for listening to this podcast. And others brought to you by the EisnerAmper Digital team. For more information on this, on a host of other topics, visit EisnerAmper.com back slash EA digital and join us for our next podcast.

Transcribed by Rev.com

About Nina Kelleher

Nina Kelleher is a Partner leads the risk advisory services within EisnerAmper Digital with expertise, including planning, executing and leading audits, conducting risk assessments and completing financial statement due diligence.


More in This Series