Let’s discuss the most common challenges in GRC and explore effective ways to address them.
1. Nobody outside of your team understands your job
Your role will often be perceived as that of a problem-solver in the realm of Governance, Risk, and Compliance (GRC). Frequently, companies lack a clear vision for their GRC program. As a Risk Manager, you might commonly be seen as primarily responsible for managing audits. Subject Matter Experts (SMEs) may view you as a bearer of bad news and additional workload.
Solution:
- Enhance Visibility: Regularly provide updates and share successes related to GRC activities to maintain transparency and demonstrate progress.
- Forge Alliances: Collaborate with groups that have a stake in GRC matters, such as Project Management, Internal Audit, and Information Security Leadership, to create a unified approach.
- Adopt a Collaborative Approach: Position yourself as a reliable and accessible resource for all GRC-related matters, even for minor issues, to foster a culture of cooperation and trust.
2. The Challenge of Motivation in GRC Tasks
Often, motivation to complete Governance, Risk, and Compliance (GRC) tasks stems from fear. It's a common perception that GRC is a “necessary evil”, primarily to satisfy auditors. During job interviews, you might frequently be questioned about whether you'll be collecting evidence yourself or delegating it to Subject Matter Experts (SMEs). This can imply that the GRC role is often seen merely as an “evidence collector”.
Furthermore, SMEs may not fully understand their role in GRC, leading to their participation being driven more by fear of upcoming audits and previous findings than by understanding the importance of their contributions. This mindset can create significant resistance to completing GRC tasks, especially when they are perceived as interfering with the SMEs' regular day-to-day activities.
Solution:
- Collaborate with SMEs: Partner with Subject Matter Experts (SMEs) to ensure they have sufficient information and understand the full scope of their responsibilities within their area of expertise.
- Establish a Top-Down Approach: Implement a top-down strategy, ensuring that you have comprehensive support from the Leadership team for effective execution.
- Use Recognition and Rewards: Acknowledge and incentivize both departments and individuals who show effective engagement in Governance, Risk, and Compliance (GRC) activities.
3. You will not be provided with GRC tools
If the company you are working for possesses a fully functional and effective GRC (Governance, Risk, and Compliance) tool, it might merit consideration for prestigious accolades, akin to a Nobel Prize nomination in the business world. That is a joke, of course.
The reality, however, is that in many instances, you may not be provided with the necessary tools to manage GRC (Governance, Risk, and Compliance) tasks, yet you will still be expected to deliver outstanding results.
Solution:
- Leverage Existing Resources: Most companies have some tools in place, like spreadsheet management applications or ticketing systems. Mastering Excel formulas or creating dashboards in Jira can be incredibly useful.
- Use Project Management Methodologies: Prioritize tasks based on risk impact and compliance requirements. Focus on the areas that carry the highest risk or are most critical for compliance.
- Training and Education: Train yourself and your team in basic risk management and compliance principles to compensate for the lack of specialized tools. A well-informed team can be more effective even with limited resources.
Nothing is impossible when you have passion for your work. Focusing on solutions instead of problems is the most effective approach. Always begin with a clear vision of the desired outcome and then explore ways to achieve it.
Please comment below with your experiences in GRC.
