Latest Post

Digitizing Governance Risk and Compliance

by Bruce McCuaig, Director, GRC Product Marketing


Most of our treasured concepts of control, and many of our accepted risk practices, will land in the digital boardroom with a thud and disappear, if they make it there at all.

The truth is, much of the information provided by GRC professionals is not digital and can’t be digitized usefully.

The outputs of most control and compliance assessments are subjective opinions on control effectiveness. Much of the output of risk professionals are informed guesses about the future. Insight is often lacking.

Why does this matter? It matters because digital Darwinism will not be kind to GRC if it does not evolve.

Understanding Control Ineffectiveness

I find it useful to step outside the business world and have a look at our practices through a real life lens. Some years ago my ophthalmologist prescribed eye drops to reduce the interocular pressure (IOP) in my eyes. He assured me the medication was “effective”. (Medical practitioners don’t make a distinction between “design” and “operating” effectiveness).

So I researched the medication and discovered the manufacturer, one of the words most distinguished pharmaceutical firms was so convinced of its “effectiveness” that in some jurisdictions they offered a money back guarantee if it did not deliver promised results.

I think in the world of GRC we would rate the design effectiveness of the eye drops as high.

Curious, I did some further research. It turns out that studies conducted by the manufacturer to secure regulatory approval revealed the following Issues:

  • Approximately 20% of patients stopped taking the medication because of its side effects.
  • Approximately 10% of patients studied forgot 20% of their doses.
  • A very small percent suffered severe and sometimes life threatening complications.

This kind of information provides insight, supports a risk acceptance decision, and should be reported in a digitized business environment.

No Control is 100% Effective all of the Time.

Control effectiveness decisions require knowledge of both a specific objective and related issues. In reality, there is no universal standard for the effectiveness of a control or for that matter a medication. The question is not “is the control effective” The question is how much risk does it leave us with and how is performance impacted?

Let’s digitize and report the data and let the effectiveness decision be made by the stakeholders.

What Does the Digital Boardroom Need to Know About Risks and Controls?

Frankly, boards are starving for useful information about GRC. Control effectiveness opinions aren’t digital, but the underlying data supporting control effectiveness and risk acceptance decisions can be digitized. Boards in my experience don’t find risk heat maps useful. They want digital data about key risk indicators, incidents, and issues.

Boards want visualization capabilities and analytical tools, and the data to feed those tools.

The Tools are Here Today

Tools exist now, and have existed for years, to digitize GRC. We have access to incredible technology that can monitor and report on almost any aspect of GRC. But, those tools are rarely used. The business case for using them, based on cost savings and extended coverage, has always been overwhelmingly compelling. Still they aren’t widely used.

The Case for Automating GRC

Here’s the real business case for automation in GRC. Automation produces digital information. Opinions must be supported by insightful data. Without the data GRC will have nothing useful to say to the digital board. Absent from the digital board room, GRC will not have a voice in performance, strategy, or resource allocation. GRC will not be managed strategically.

The real business case for digitizing GRC is survival. Fortunately, there is tremendous value to add by doing so. GRC won’t survive without digitizing.

Sorry, but Digital Darwinism is unkind.

Is GRC on your board’s agenda? What do you tell your board about GRC?

– See more at: