The CIO's Guide to Successful GRC Implementation


Tech Insights for Professionals: The latest thought leadership for IT pros

Tuesday, June 2, 2020

What do CIOs need to know in order to effectively implement a GRC program? Read on to find out.


When it comes to ensuring a business is operating as effectively as possible, meeting its objectives and doing so in an ethical, secure manner, the chief information officer (CIO) should be at the heart of any strategy discussions.

IT is essential to everything a business does, so there should be no part of a firm's operations outside the influence of these executives. As a result, it's vital for CIOs to have a strong understanding of business objectives and how they can help achieve them.

One area where it’ll be especially important for them to participate is in formulating a GRC strategy. In today's environment, no company can afford to be without such a plan. While the concept isn't new, it's gained significantly in importance in recent years, against the backdrop of tougher regulations and the fallout of the last financial crisis, which was characterized by poor oversight of critical operations.

Therefore, CIOs must familiarize themselves with these strategies. So what do they need to know to ensure they can help develop an effective GRC plan?

What is GRC?

GRC stands for governance, risk and compliance, though you may sometimes see the C referred to as 'control'. However, this is mainly a matter of semantics as, for practical purposes, the two terms are closely linked and can be seen as interchangeable. These three distinct but related practices are integral in ensuring every business acts responsibly, meets its objectives and protects itself from both internal and external threats.

Let's take a brief look at the three facets of GRC individually:

Governance

This refers to the rules, controls, policies and processes that dictate business activities and ensure that everything a firm does is aligned with its overall objectives. From an IT perspective, it often involves ensuring operations are able to effectively support business units.

Risk

This covers the identification and mitigation of any threats to the business's operations. It's a wide-ranging area that covers everything from supply chain disruption to natural disasters, but for the IT department, key priorities will include steps to reduce the risk of downtime and data breaches. However, as IT now permeates every aspect of a business, the IT department should have a say on any potential business disruption.

Compliance

All efforts to ensure that business activities meet the relevant laws and regulations fall under compliance. This includes issues such as data protection and privacy legislation, industry-specific requirements such as SOX and HIPAA, and any internal controls enterprises apply to their own operations. IT teams have an essential role here in securing data and ensuring it can only be accessed by authorized personnel.

Why focus on a GRC strategy?

Developing a GRC policy may seem like a box-ticking exercise to ensure rules are being followed, but if implemented correctly, it can be much more than this. Firms with a strong GRC framework won’t only be better protected from a wide range of threats, from changing industry landscapes to cybersecurity incidents, but also enjoy a range of other benefits.

For example, a good strategy will ensure businesses are much better integrated across all departments by eliminating a siloed way of working. This in turn provides better visibility into what’s going on, leading to better decision-making and improved investments.

It can also enhance your reputation among customers and investors. Corporate responsibility has become a top priority for many people when determining who to do business with, and having a good GRC strategy can help demonstrate that a firm is taking this area seriously. In this way, GRC can be seen as adding significant value to the business as well as protecting it from threats.

The challenges of implementing GRC

Implementing a strong GRC policy isn’t a quick or straightforward process, and there’ll be a range of hurdles to overcome along the way. However, being aware of these as early as possible and making plans to tackle them will go a long way towards ensuring a smooth implementation.

Here are some of the biggest issues you need to be aware of when developing a GRC strategy:

Ever-evolving regulations

No matter what sector you operate in, the regulatory landscape is tougher than ever, and frequent updates put even more pressure on departments with limited resources to respond. To counter this, it's important to have a clear, consistent strategy for monitoring developments in this area and implementing any required changes into your compliance efforts.

Dealing with siloed data

A major impediment to any GRC strategy will be an environment where data is frequently partitioned off across multiple departments and storage methods, making it difficult or impossible to effectively share information and gain full visibility of what's going on. Therefore, breaking down these silos needs to be a top priority for the CIO in any GRC strategy.

Inadequate reporting

As well as siloed information, another key reason for a lack of visibility into business processes is poor reporting, which can make it hard to accurately assess risk and determine if governance and compliance rules are being followed. Implementing a robust solution for reporting on key activities into a centralized system is therefore a key part of any GRC system. Without this, you won't be able to see where your efforts are working and where more attention needs to be focused to make improvements.

Internal resistance

As will likely be the case with any significant adjustment to how a business operates, there'll always be some within the company who are resistant to the idea of change, or who see GRC as an unwelcome constraint on their activities. To tackle this, it's important to have buy-in from the board and other senior staff members who can promote the strategy, and to focus on the business benefits it can provide, highlighting that the positives will outweigh any extra responsibilities.

5 critical steps for effective GRC implementation

Once you have a strong awareness of the goals of your GRC plan and a clear idea of how to meet the challenges you may face, it's time to put it into action. However, this will be a complex process and there are no shortcuts if you want to see success.

As a result, there are a few key steps you should follow in order to ensure your GRC efforts bear fruit. Here are five to take into account:

1. Build the right framework

Ensure you have a comprehensive framework in place that everyone can follow. Different departments may have their own ways of doing things - but a major part of GRC is to improve integration and collaboration. A solid framework therefore ensures everyone is speaking the same language, leading to better integration throughout the firm.

2. Engage key stakeholders

Having senior buy-in is essential in ensuring the success of a GRC implementation. But gaining support at executive level is only the start - all stakeholders, including department heads throughout the business, need to be on board. By highlighting how GRC tools can offer them better visibility and can bring value to the company, you stand well-placed to gain this.

3. Have the right tools

A range of specialist GRC software tools is available to simplify these processes by automating activities, coordinating policies and ensuring you're in line with regulatory requirements. Choosing the right one for your situation will be critical to success. Factors to consider include its ease of use, flexibility, security and the types of data it's able to handle, as well as the level of support the vendor is able to offer.

4. Take it one step at a time

A GRC implementation is a big commitment, and attempting it as a single, company-wide change can cause many problems: if any unforeseen issues crop up, it'll be very difficult to make changes or roll back to previous systems while improvements are made. Therefore, taking things in stages, such as running small-scale pilot schemes that can identify and iron out any issues before the system is rolled out to the entire company, will be vital.

5. Monitor, modify and improve

A good GRC program shouldn't be static, but rather needs to be constantly adjusted and evolved to meet the changing needs of the business and cope with new regulations. In order to ensure any changes and improvements are done effectively, it's important to have a good monitoring solution in place to ensure practices are being followed throughout the business - and if they're not, quickly identify the reasons for this and what changes can be made.
