Navigating Risk & Resilience: Balancing Complexity & Cost in GRC Solutions

When it comes to operational resilience and continuity, as well as broader GRC, many options for solutions are available in the market. Selecting the right solution is critical, as many choices lead organizations down the road of complexity and cost—not just in implementation, but also in ongoing maintenance, management, and user experience. Organizations need operational resilience and continuity solutions that are highly resilient, efficient (in both human and financial capital), effective, integrous, accountable, and agile to the needs of dynamic and distributed businesses.

Organizations today are inherently complex. Gone are the days when organizations were defined by brick-and-mortar operations in relatively limited and localized terms. Today, organizations comprise a vast, interconnected web of interactions, transactions, and relationships that can extend far beyond the traditional bounds of business. Here are some key attributes organizations should be looking for in their solutions:

  • Efficiency. At the end of the day, is the organization saving time and money? Implementing and utilizing the right solution and technology will reduce time and financial inefficiencies within the organization’s value chain.
  • Effectiveness. Is the organization managing all aspects of GRC? A solution that meets organizational needs increases awareness and management of those aspects, leading to fewer things slipping through the cracks by being off the radar entirely. The natural byproduct is the organization getting more done from top to bottom.
  • Resiliency. How well does the organization deal with adversity? A resilient solution helps with recovery from risk events and other adverse effects. Resiliency also includes finding and containing issues.
  • Agility. Is the organization keeping up with the changing times? The world today, and by extension the landscape in which organizations operate, is more dynamic and shifting than ever. The right solution will help the organization keep pace with changing business environments, risks, and regulations, making the business more agile as it moves forward.
  • Integrity. Does the organization live up to its word? A solution that is the right fit will help the business stick to its values, ethics, and policies. It will also improve how risk is taken and managed throughout the organization.
  • Accountability. When it comes to GRC internally, does the organization own it? A solution that promotes organizational accountability will identify the GRC responsibilities the company has and will help it be responsible for those aspects. Ultimately, the organization needs to step up to the plate when it comes to handling GRC matters, or it faces the risk of being penalized for poor management.

It used to be that the dividing line between solutions with high maintenance costs and agile solutions with lower implementation costs was whether the solutions were cloud-based (e.g., SaaS) or on-premises. This is no longer the case, as some cloud-based solutions have significantly higher costs than others, with approaches and architectures varying widely. This becomes even more apparent when organizations consider solutions that were originally built and designed for purposes entirely unrelated to operational resilience and continuity, only to have these respective modules added on later. Expansive IT Service Management (ITSM) platforms trying to offer everything to all organizations have further exacerbated the cost and complexity issues, in contrast to the resiliency, efficiency, effectiveness, integrity, accountability, and agility of ‘best-of-breed’ solutions for operational resilience and continuity.

Consider this comment from one large global company concerning their frustration in working with the wrong solution provider: “[It] is an ITSM platform that they've tried to adapt for GRC. Way too tedious to work with and maintain and not intuitive at all. Its relational database foundation makes it slow and clunky. And the complex relationships of the gazillion tables make every new version potentially painful for any custom-developed modules — or even [their] own GRC modules — because it's pretty easy to break stuff. And [their] licensing model is byzantine and expensive.”

Clearly, organizations face a gauntlet of questions when searching for a solution. There are hundreds of solutions on the market today, and while perhaps only a few dozen of those may actually be applicable to the organization, that still leaves quite a lot of options. The organization may also realize during this process that its needs are not, in fact, what it believed them to be, and it may have to pivot in the middle of the selection process if it did not properly diagnose its needs initially. Here are some key things to consider when evaluating operational resilience and continuity solutions available in the market:

  • Complexity. What is the complexity of the system’s overall data and application architecture? Is the overall data architecture unnecessarily complex, burdensome, and, in that context, cumbersome and slow? Essentially, is the overall solution bloated because of everything it does at the cost of efficiency, effectiveness, and agility?
  • Implementation. What does it cost to implement the solution—not just in software acquisition but in consulting and other resources? How much time will it take to implement the solution across the organization? Who within the organization will have to be trained on the solution, how long will that training take, what technology updates will be necessary, and will any outside consultation be required?
  • Ongoing management. What does it cost to administer, configure, and maintain the solution year after year? Does it require high-cost consultants, or is it easily configured by the organization itself?
  • Agility & adaptability. How easy is it to configure and adapt the solution to changing business requirements and needs? Does it require high-cost consultants to adapt the solution and make modifications?
  • User experience. How easy is it to navigate and use the solution, not just by back-office subject matter experts but by the line of business? Is the interface highly engaging and intuitive for all levels of users?

Remember, it has been stated that:

"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius—and a lot of courage—to move in the opposite direction."

The goal is to provide a user experience that gets the job done for operational resilience and continuity. Like Apple with its innovative technologies, organizations must approach resilience and continuity in a way that re-architects how they operate and interact. Often, businesses make themselves work harder than necessary. The old adage “work smarter, not harder” is very true here. A complex solution inherently brings its own hurdles and can easily overcomplicate things within the organization, potentially worsening a bad situation and costing the business valuable resources.

The goal is simple: simplicity itself—and simplicity is too often equated with minimalism. Shedding excess weight is certainly a good thing. Yet, true simplicity is more than just the absence of clutter or the removal of embellishment. It is about offering the right information, in the right place, when the individual needs it. It is about bringing interaction and engagement to resilience and continuity processes and data.

The key is to streamline the entire process. When the process is simplified in this way, it allows resilience and continuity to extend across the organization in an easy and timely manner. This is easily achieved through a user-friendly solution, which not only makes implementation more efficient but also mitigates errors and speeds up processes in the long run.

It’s easy to feel overwhelmed by the sheer number of factors to consider. The number of solutions available on the market alone can be daunting, making it challenging to sift through and find the ones that are applicable. However, when the right solution is found, it will promote resilience and continuity while saving the organization time and money, as well as sparing many within the organization from constant headaches. When interactions within the GRC process are slow and clunky, they are not only frustrating but can lead to a multitude of problems for the organization. These interactions must be intuitive and lead to efficiency, effectiveness, and agility for operational resilience and continuity.
