For years, Governance, Risk & Compliance (GRC) systems have attempted to be all-in-one solutions, housing not just the what of compliance – policies, risks, controls and links between them – but also the how – the workflows to manage them. While aiming for comprehensiveness, this approach often creates more problems than it solves, leading to fractured workflows, disengaged stakeholders, and ultimately, weaker GRC outcomes. It's time to rethink how GRC workflows are handled.
Think back to the evolution of IT infrastructure. We used to have fragmented databases scattered across departments, individual file servers holding critical data, and a chaotic mess of email systems. The move to centralized databases, shared storage, and standardized email platforms wasn’t about stripping away functionality; it was about integration. It was about acknowledging that specialized tools, working together, create a stronger, more efficient whole.
GRC is facing the same challenge. Increasingly, modern enterprises are standardizing on powerful workflow management tools like Jira, ServiceNow, and others. These platforms are purposefully built for managing work, boasting robust features, sophisticated automation, and deep integration with the monitoring and performance management practices of the individual teams. So why are GRC workflows often trapped within dedicated GRC systems, forcing stakeholders to learn another interface, monitor another backlog, and manage another set of approvals?
This creates friction. A DevOps engineer already managing sprints in Jira isn’t thrilled about needing to switch contexts to address a policy review request originating in a separate GRC system. It feels like “yet another thing” on their plate, diminishing engagement and slowing down the process. GRC teams also suffer – the value of their work is lost if it’s not integrated into the regular rhythm of the business.
The solution isn't to abandon workflow management within GRC tools entirely. It's to shift the focus. GRC systems should excel at identifying, assessing, and reporting on risk and compliance. Instead of owning the workflow, they should trigger it within the existing, established workflow management ecosystem.
Imagine a scenario where a new risk is identified in the GRC system. Instead of starting a lengthy review process internally, the GRC system automatically creates a task in Jira, assigned to the appropriate stakeholders. The review process, approvals, and remediation steps all happen where the work already happens, leveraging familiar tools and established processes.
The benefits are substantial:
- Deeper Stakeholder Engagement: Meeting people where they are, within their preferred tools, dramatically increases participation and ownership.
- Streamlined Processes: Eliminating context switching and duplicate effort accelerates workflows and reduces administrative overhead.
- Integration with Performance Management: Leveraging existing workflow platforms allows GRC metrics to be integrated into existing KPIs and dashboards. DevOps managers can track compliance tasks alongside sprint velocity, providing a holistic view of performance.
- Reduced Complexity: Fewer systems to manage, fewer interfaces to learn, and a single source of truth for all work.
It's time for GRC to embrace the power of integration. By connecting to best-of-breed workflow management tools, we can move beyond isolated silos and build a truly collaborative, efficient, and effective GRC program.

