The Importance of Having Simplified Business Processes for GRC Operations

It is common knowledge that the more intricate a business process is, especially one with multiple steps or decision points and dependencies between different departments or systems, the more likely errors become. Even so, the larger an organization is, the more complex its business processes tend to be.

Frequently, we see that GRC business process complexity is the result of nobody wanting to be singly accountable for making certain decisions, rather than the process itself being complex. This scenario typically manifests itself as a process that requires multiple approvals.

I can recall one client organization that required 8 or more individuals to sign off on policy exceptions. Regardless of the number of approvers, the result was always the same: the company would have a documented exception to a policy. Did they really need to have 8 approvers to identify an exception? Exceptions occur when there is no feasible solution to correct, in a timely manner, an issue which violates a policy. Having multiple approvers does not change this in any way other than to waste resource time and delay the process.

Perhaps a better way to handle this would be to identify the associated risk for each exception and apply an appropriate risk treatment in a timely manner. Unfortunately, this often means that someone must write a new risk statement each time there is a new exception to a policy, and that does not help to simplify business processes.

Building upon my previous article, “The Importance of Establishing a Governance, Risk, and Compliance Framework”: when such a framework is in place, a risk statement already exists for each control, and all that the risk managers need to do is agree upon the treatment.

I have seen several organizations apply armies of individuals to some of the GRC business processes, such as issues management, which may account for 80% of the cost of our Governance, Risk and Compliance programs.

If we want to reduce errors and process failures, it is beneficial to evaluate and re-engineer our GRC business processes to remove non-value-added steps, ensuring we use our resources as efficiently as possible.

Multiple approvals aside, there are other business process steps that can typically be eliminated when dedicated roles are in place for the teams responsible for the various GRC processes. I will discuss the benefits of an organizational structure with dedicated teams supporting GRC processes in our next edition.

Similarly, several steps can be eliminated by having a single, comprehensive tool to enforce GRC workflows. We will explore this topic in a later edition as well.

More articles by Dante Rodino