Reporting and data Featured

Implementing a GRC system: key steps and traps to avoid

5 min read

Oct 2, 2024

An increasing number of companies are transitioning from using spreadsheets for risk management to more sophisticated systems. In theory, this should enable them to pool data from around the business more efficiently and deliver meaningful risk insight.

The execution, however, is rarely that simple. Given the scale of this challenge, risk leaders in our network have been collaborating on key steps – and traps to watch out for – when selecting and implementing a new governance, risk and compliance (GRC) system. Here are some insights shared during those collaborations:

Collaborate with peers on risk management software

Whether you need help speeding up the process of creating a business case, narrowing down your shortlist of vendors, or avoiding early pitfalls with implementation, we can facilitate collaboration to assist you.

Request to collaborate

Determine your business critical criteria

Before you even begin to look at software options on the market, it’s important to identify what your “business-critical criteria” are. There are two major reasons for this: one obvious, and the other less so.

(i) To help you narrow down the many options that are available.

(ii) To avoid choosing a platform with too much functionality that can make it too complicated for most users. Therefore, scale ambitions for your tool to the actual needs of the business.

How are risk leaders deciding on the criteria?

A number of our members recommend setting up a small focus group with would-be users from the business. Working with them, you can:

Decide what the business actually needs, in terms of key capabilities; and
Inform and socialise the thinking of the risk team on what kind of system the business should choose.

Business Requirements template for Risk-related systems

To help a member speed up the process of creating a business case for a new GRC system, we created a new template.

By collecting business requirements from practising risk leaders at listed companies, we produced this filterable template with over 300 business requirements.

Read this blog to find out more about this peer-contributed and peer-validated resource, as well as to discover other ways we’re supporting our members with their GRC systems.

Narrow down your shortlist

Once you have identified your key criteria, it can help to compare the different options available to you with a simple graphic. For an example, see the table below. While your criteria may differ, this template can be used to map out key requirements and score systems against them.

Graphic for risk system selection article (3)

At Risk Leadership Network, we facilitate a number of collaborative virtual meetings and 1-to-1 calls on the implementation and optimisation of specific GRC systems. This enables our members to get candid feedback on the systems they’re considering from peers who have already implemented them.

Choosing a new risk software system - through collaboration

How are risk leaders collaborating to speed up the process of choosing a new risk software system?

View the full article here

Engage users to fully embed the system

It’s not enough to simply select a system. In order to implement it effectively, you also need to engage the business to ensure uptake. Here’s a five-step summary on how to achieve this, as suggested by risk leaders in our network.

1. Introduce with the "why"

Make sure to highlight the value of your chosen solution and point to the specific problems it is intended to solve. You can use the criteria set out in the selection phase to emphasise the key benefits.

2. Educate with the "how"

Once users are sold on the value, they still need to have the confidence to leverage the system themselves.

It may be more effective to run smaller training sessions with key users (i.e. team leaders), so they can ask questions and give feedback, as opposed to larger workshops where people might not be as engaged or willing to speak up.

Where does this insight come from?

Members who have been on a journey to implement a new GRC system, or replace an existing one, have been collaborating on how they selected a system from the market.

They highlighted any major obstacles or “traps” they encountered throughout the process, giving peers a useful baseline from which to choose the right system for them.

We'll continue to facilitate bespoke collaboration for our members when they are considering a new GRC system - request to get involved here

3. Data migration

It’s important to align and (if necessary) uplift the business’ existing data so it can be integrated into the new tool seamlessly.

This will reduce the number of bugs that emerge during the implementation phase and build the business’ confidence in the tool itself.

4. Ensure consistent use

If the organisation is used to another system, it can be difficult to change old habits. And, while the stick approach may be necessary in individual circumstances, it’s unlikely to be the optimal solution for shifting the behaviour of the wider organisation.

Instead, work with early adopters who do see the value to influence other would-be users in their team and drive compliance indirectly. Engaging stakeholders to get feedback and address concerns can also help persuade them to migrate to the new tool.

5. Build in-house expertise

The only way a tool continues to serve the business is if it keeps pace with the business’ needs. In that sense, in-house administrators of the system have to be more than just “super-users” – they must also be experts at back-end configuration.

Traps to be mindful of

Risk leaders who have been through the process of selecting and implementing a GRC system have shared some mistakes organisations can make along the way.

Here’s a few examples of what to look out for:

Do be aware of the integration upsell, as it could make it harder to switch system if a certain provider becomes too embedded in your processes.

Do make sure to get a full demonstration of any system you plan to implement before you buy.

Do be aware that during implementation, some providers will outsource responsibilities to third parties, who may not be very familiar with how your business works.

Don’t underestimate the importance of your configuration choices, as you may spend more time undoing bad decisions.

Don’t forget the importance of human intelligence, as some level of manual analysis will still have to be applied to risk data.

Don’t neglect the importance of relationship management during the implementation phase, as having good relationships with stakeholders can help you overcome pockets of user change resistance.

What's next?

Ultimately, nothing fully replaces risk management proficiency – even a tool. Make sure, then, to build this across the business first, rather than expecting a GRC system to solve all of your problems.

For those with an existing system, there is also an element of “better the devil you know, than the devil you don’t”. If you already have a system in place and are considering switching, assess whether the pain it may cause will outweigh the benefits.

We will continue to facilitate collaborations between our members on the topic of risk software and systems, especially as the market for these solutions grows. Request to get involved here.

← TCFD reporting: four steps to success

Meet our Member: Pete Johnson from Roche →

Resources