Why Your GRC Framework is Going Nowhere Slowly
by Khululekile Sixaba
Lexi is a no-nonsense compliance officer who has never had a problem embracing change. The challenge is getting those around her to feel the same way and get up to speed with whatever needs to be adapted and improved. Governance, Risk and Compliance are unavoidable in business, but despite this, Lexi is struggling to put a framework in place with everyone’s cooperation.
Unfortunately, many people are averse to change, and this can make Lexi’s job more difficult than it has to be.
Change is inevitable – it’s also unstoppable, and for Lexi, the sooner everyone gets on board with making this happen efficiently, the better. As the compliance officer, compliance is what matters the most to her because it’s her neck that’s on the line in the event of any non-compliance.
Moreover, an audit finding or any other discrepancy and the repercussions that would follow (like a hefty fine or lost license) would fall squarely on Lexi’s shoulders, so she has to avoid this at all costs.
1. Electronic Content Management
The biggest spoke in the wheel for Lexi is that she can’t be sure that everyone is being as compliant as they say they are.
From her vantage point, she can’t be sure how accurate the organisation’s data actually is. She has to take everyone’s submissions on their word, but there is very little visibility of what everyone is doing, and there may be scope for manipulation of data that Lexi would have no way of detecting. It’s just a spreadsheet, after all.
Lexi knows that if she had a way of electronically collating and keeping a record of data from its various sources and stakeholders, in real time, then she would have a way of keeping an eye on things.
Unfortunately, her situation is such that she is managing data and its fragile accuracy on a person-to-person basis from the top of the organisation down, and there is very little scope for accountability from any of them. Lexi has to contend with the ‘broken telephone effect’ as well as late submissions and other ‘human elements’ that threaten her ability to ensure compliance.
2. Governance, Risk and Compliance (GRC)
One of Lexi’s biggest fears has recently become a reality.
Data that she has on record from the company’s IT Manager does not balance with the external auditor’s findings, and now the discrepancy is her problem because the IT Manager claims that there was a misunderstanding and the “wrong spreadsheet must have been submitted by his department”.
Lexi knows that the company’s GRC framework is riddled with holes if she can’t hold her peers and superiors to account for the data they submit, and this kind of finding could cost her her job if the company ends up getting a hefty fine or has to face a legal tax dispute.
Another compliance challenge that causes Lexi concern is new privacy legislation – both locally and abroad. The company she works for trades internationally and she has to keep Europe’s GDPR legislation in mind in their dealings with anyone in Europe.
In a similar vein to the GDPR compliance she must adhere to, PoPI is yet to be fully implemented in South Africa, but Lexi knows that putting systems and frameworks in place now to safeguard the privacy of their clients’ personal data should already be a priority.
Lexi could really use a digital solution that could help her put a system in place that would keep all of this consistent too.
4. Signature and Contracts
Getting the right signatures from all the correct stakeholders on all the appropriate documents is a logistical nightmare and one of Lexi’s least favourite tasks.
She has to make sure these documents are then also kept safely on record in such a way that they can easily be referenced again.
It’s a paper chase for Lexi, and often documents that have been signed by some stakeholders but not all will be misplaced by someone in the organisation, and she will be responsible for starting the entire signing process from scratch again.
A cloud-hosted document that all stakeholders could access from wherever in the world they are would be much more convenient.
Added to this, Lexi would be able to keep track of who has digitally signed the documents and who needs to be reminded to do so.
Lexi’s challenge with the IT Manager has now taken another dramatic turn.
Going beyond the data submission inconsistencies from before and the awkward meetings that Lexi, the IT Manager and the Finance Department have had since then, Lexi has discovered that the IT Manager has let another one of his responsibilities slip.
One of the company’s policies and procedures is to ensure that all data is routinely backed up onto the server. This responsibility falls to the IT Manager.
After backing everything up onto the server, he’s supposed to do a test restore to make sure all the data is recoverable. He hasn’t done this, and the latest iteration of backed-up data seems to be missing or corrupted. This spells disaster for Lexi, but, yet again, the IT Manager shrugs his shoulders. There’s nothing he can do.
Lexi now knows beyond the shadow of a doubt that she is not able to ensure data accuracy or any kind of compliance when it comes to the company’s data on the server.
The impending year-end financials are not going to reflect well on Lexi in the wake of all these discrepancies and failed policy procedures and she wishes she had some kind of help to prevent this from having happened in the first place.
Khululekile Sixaba is the Sr. Business Development Manager, with over 10 years of experience in the ICT sector and software solutions. Since joining Cylon Consulting in 2018, he has assisted organisations with their current business challenges and bottlenecks in their Governance, Risk and Compliance Framework through Cylon’s specialised Electronic Content and Quality Management solutions.
He works closely with the various cross-functional teams within an organisation to resolve issues in their audit findings, assisting in workflow and process creation and ensuring these processes are implemented and enforced by the organisation.