4 GRC Mistakes That Can Derail Your Risk Management Plan

By Piyoush Sharma
April 19, 2022

  • Non-compliance with data-related regulations can cost organizations dearly
  • Between Jan 2020 and Jan 2021, GDPR fines totaled up to US$191.5 bn
  • Companies such as Google, British Airways and H&M were on the receiving end of penalties
  • Organizations generally have GRC regulations and measures in place, meaning that poor implementation may be worse than an absence of frameworks

1. Creating a long-term GRC schedule with rigid rules

  • Businesses may tend to have a fixed "best practices" rule-list for GRC
  • Long-term schedules reduce the need for investment, thereby saving costs
  • Rigidity often leads to susceptibility during crisis situations
  • Businesses must opt for evolving, explainable rule sets for data governance and management
  • Short-term, flexible GRC schedules on a project-to-project basis reduce business vulnerability to compliance-related problems

2. Having poorly-defined Service Level Agreements (SLA)

  • An inadequate SLA affects the quality of GRC solutions
  • Communication gaps can arise between your organization and GRC solution vendors
  • Your business will be unable to ascertain whether the service received is satisfactory or not
  • Businesses must have a clearly defined SLA to evaluate vendor performance
  • Service expectations, penalties and termination clauses must be clarified before signing service

3. Lacking an integrated, holistic GRC framework

  • On-the-surface GRC norms demonstrate a lack of attention to detail
  • Businesses may have different rules for different departments, not adequately integrated with all business operations
  • This may lead to inconsistencies when it comes to data management and handling in different business units
  • GRC regulations need to be made with the business as a whole in mind
  • Comprehensive GRC frameworks need time to develop. Businesses must update norms from time to time to improve the flexibility of frameworks

4. Missing automation tech for GRC implementation

  • Old, manual mechanisms only add lag in business operations, especially for medium and large corporates
  • Risk management is affected due to lack of GRC automation
  • Lack of automation may lead to Segregation of Duties (SoD) conflicts
  • Competent data handling involves the evaluation of thousands of data files for errors
  • Automation through AI and machine learning reduces data handling errors

Piyoush Sharma
Head of Enterprise Security & Technology Operations, Zuora