At CoreStream GRC, we recognize that every GRC leader has a unique approach, which is why we tailor our content to suit different preferences.
Welcome to Part 2 of our Value-Based GRC series.
Following the foundational insights from Strategy Director Paul Cadwallader in Part 1, this post dives into three strategic steps to help you apply Value-Based GRC in practice. These actions are designed to keep your focus on driving performance and aligning GRC with business goals.
Read the full guide here.
Watch the webinar conversation here.
Revisit Part 1 here.
A blueprint for better: how to begin your value-based GRC journey
Moving from traditional GRC to a value-based approach might seem daunting, but it doesn’t need to be an immediate, wholesale change. In fact, it’s often better to build support through 2 or 3 priority use cases first.
#1 Start with a sketch
The first step is to map out an architecture for how value-based GRC could work in your organization. This doesn’t need to be complex; a brainstorm on a whiteboard will do. With that, you can begin to socialize the idea within your organization, demonstrating where it can add value. Your goal is to paint a vision of how things will link together and help leaders and decision-makers understand the potential.
It is important to think strategically, as Trevor Adams, former group CRO of Nedbank, observes: “It is about optimizing risk. And it’s as much about maximizing the upside as it is about minimizing downside risks.”
“Start the conversation. It can be as simple as a sketch on a whiteboard – but it unlocks hearts and minds.”
– Paul Cadwallader, CoreStream GRC
#2 Pick 2 or 3 use cases
Piloting 2 or 3 use cases initially will give you the best chance of demonstrating success.
Smaller-scale initiatives can yield tangible value quickly and help win the trust and engagement of stakeholders. When executives begin to see GRC as an enabler of business objectives, broader support will follow.
Early focus areas might include:
- Third-party risk management – Segment and prioritize vendors based on criticality and risk. Select those with the greatest impact (direct or indirect) upon your strategic objectives and ensure they are aligned with the organization’s strategy.
- Policy management – Review your policies and procedures. Are they linked to the continued viability of the business? Do they support the achievement of your strategic objectives? Can users find the answers to what they need quickly? If not, consider their purpose and value. Integrate policy management with your HR system to ensure that, as people are hired or promoted, they have immediate access to the information they need, ensuring effective communication, transparency and the best employee experience.
- Incident management – An incident is the crystallization of a risk. If an incident can affect achievement of a strategic objective, or the ongoing viability of the business, it should have a different management approach to other incidents. Ensure a proactive incident-management process that maps severity to the impact on principal risks and business outcomes. This will ensure teams stay ahead of the headlines and help to forecast trends so you know what’s coming and can mitigate effectively.
The use cases you select should be those with the biggest impact on the achievement of strategic objectives or the ongoing viability of your organization. This has to be balanced against speed and complexity so that your initial pilots are delivered successfully.
“One of the things that we’ve tried really hard to do is to be forward looking. Our strategy isn’t a maintain strategy, it’s a growth strategy,”
says Helga Houston, CRO of Huntington National Bank.
With several pilots running concurrently, you can also show the interconnectedness of a value-based approach, where everything ties back to the organization’s strategic pillars.
#3 Decide on metrics
Ultimately, your goal should be to articulate how value-based GRC helps an organization achieve business outcomes confidently and with integrity. But it can take time to demonstrate measurable value, so ensure you develop a blend of qualitative and quantitative metrics to show the impact of your pilots:
- Qualitative measures such as board confidence, stakeholder trust and cultural alignment, articulating risk reduction, and getting ahead of events before they happen. These demonstrate a true risk culture, where employees across departments are actively thinking about risk, and the organization is capturing and managing this accordingly.
- Quantitative measures like demonstrable cost avoidance through early risk detection and mitigation; reduced time-to-insight, and faster board or regulatory reporting. These metrics must reflect the interconnected nature of value-based GRC. Siloed efficiency metrics do not reflect the value that comes from a truly value-based approach to GRC.
Cross-organizational efficiency metrics can present early indicators of success but, as noted above, this is not where the larger benefit will ultimately be seen.
A blended approach of qualitative and quantitative measures will ensure that the benefits of value-based GRC are visible in both operational improvements and strategic outcomes. It’s also worth noting that with risk-led decision making and true value-based GRC, some of those benefits and outcomes might not be seen for years. You have to be patient and focus on the long term, rather than on the vanity metrics that traditional GRC uses to justify ROI.
“These forms of measurement/reporting shouldn’t be seen as adding bureaucracy. They should help to add value. If they are seen as adding to bureaucracy, you’ve made the process too complex!” – Paul Cadwallader
To help avoid the complexity, we’re offering a one-hour, bespoke, lunch-and-learn session with Paul and your enterprise risk and compliance teams.* During the session, Paul will provide actionable tips, candid feedback and a clear roadmap to value-based success for your GRC processes.
*Note: teams must include 3 senior stakeholders, either C-Suite or the level below, and the team must complete a comprehensive questionnaire to ensure Paul is prepared for the session.
Choosing your GRC technology partner
Choosing the right GRC technology is critical. 50% of businesses are dissatisfied with their current GRC tools (Risk.net) and, as you transition towards value-based GRC, you will need a toolset that will support your ambitions.
What to look for in your next GRC tool
Here are key questions to ask as you evaluate alternative technologies:
- Can it connect the various components of your GRC architecture? – Will it support you in building a digital twin of your operations? Many solutions only offer predefined connections or a limited number of supported areas.
- Will it work for your operating model? – You can’t compromise your operations to meet the needs of the GRC tool. Will the technology work for your people, your balance of centralized vs. decentralized?
- How will the solution integrate with your existing technology stack?
- Are there hidden costs for additional users or customizations?
“My advice for my peers looking for a new tool: we developed a requirement document, and the [vendor] companies had some time to provide written responses before we selected them for a demo.” – Helio Correa, Head of Risk at Pool Re
Articulate your requirements
Before you begin, be clear about what you need. This should be more than a list of features and functions. Those are great, but you need to think deeper. What are the processes you need to digitize? How do those work within your operating model? Essentially, what should be enabled by your chosen solution?
The other side of that is to ensure you undertake the necessary discovery and explore a variety of solutions that might meet your needs. What are their capabilities and flexibility?
UI/UX was a key requirement for NHS NUH Trust, for example, as Andrew Tait (who, as Data Protection & Security Support Specialist, handled SARs daily) explains: “Our previous system had challenges in relation to its user interface and being user friendly. We were looking for a solution with a more intuitive and streamlined interface.”
Challenge your vendor
Look at the responses from your potential vendor. Are they flexible? Can their tool fit your model and give you the 360-degree GRC architecture you need, now and in the future?
Challenge your vendor to prove it. You can’t ask them to build your final GRC solution as an investment, but equally don’t settle for a stock demo. Ask them to prove key elements of your interconnected GRC architecture.
The risks in using the wrong GRC tool
- 21% additional cost when using multiple tools due to overlap
- 73% of organizations need developer resources to update their GRC tools
CoreStream GRC: the last GRC platform you’ll ever buy
CoreStream GRC empowers risk and compliance teams, and the businesses they support, to achieve true value-based GRC.
We created the CoreStream GRC platform to be a flexible, no-code solution that empowers organizations to design their perfect GRC system.
Using pre-built, customizable features, it’s as intuitive and versatile as building with Lego bricks – the solutions are limitless.
Simply tell us what you need and we’ll deliver it, quickly and without unnecessary complexity.
Trusted by leading organizations and global brands like BBC, PwC Middle East, NHS, Fortune 500 and Shell Energy, we aim to consistently deliver real, measurable value for all your risk and compliance management needs. Now and into the future. In fact, with a 102% client retention rate, we’re confident that we’ll be the last GRC tool you’ll ever buy.
“Going from a manual process to CoreStream GRC took it from 0 to 100 – truly game changing. We’re more accurate, complete and thorough, with access to data exactly as we need it.” – PwC Middle East
“CoreStream GRC provided an adaptable and reliable solution that transformed our processes and reduced costs. They are a trusted partner for all technology initiatives.”
— Simon Rose, Operations Manager, Interactive Compliance, BBC
Lead the change you need.
The nature of risk is changing. At the same time, organizations everywhere face challenges to their bottom line. Traditional approaches to GRC – focused on compliance and avoidance – can’t keep pace.
Value-based GRC is more than a methodology. It’s an evolution from gatekeeper to growth partner. It is positioning GRC as a driver of strategic advantage, stakeholder trust and sustainable success.
For GRC professionals, this is an enormous opportunity, but also a challenge. GRC teams that seize the opportunity and lead the transformation will redefine their roles from administrators of compliance to architects of value.
The journey can start with a simple map, a few test cases and the right technology partner.
At CoreStream GRC, we aim to be the preferred and trusted GRC partner for enterprises worldwide by delivering intuitive, flexible solutions that drive efficiency and value, their way.
How can we help you on your journey to value-based GRC?
Book a complimentary workshop with your team and Paul, or schedule a demo today to find out.
“We found the workshop incredibly useful. Paul clearly has a great wealth of knowledge and I really appreciated the time taken to offer us an in-depth workshop tailored specifically to our needs. The style, pace and content were exactly what we needed and the discussion has helped clarify our thoughts and direction on Risk, Controls and Audit. I look forward to working together more in the future.”
(One of the largest employee owned companies in the world)
About Paul Cadwallader
When Paul’s not just helping clients succeed, he’s challenging them to rethink what’s possible in governance, risk, and compliance. With over 25 years of experience in the GRC space and a background as a former Deloitte Partner, Paul has a knack for transforming complex requirements into powerful solutions that drive real business impact.