The Importance of GRC as a Risk Initiative: Q&A with Mary Upshaw

Origami Risk has expanded its operations in the UK, Europe, and Middle East due to rapid growth in the region. Mary Upshaw, Head of Professional Service – EMEA at Origami, discusses the current risk landscape, expected trends, and the role technology plays in an effective GRC programme.

From the perspective of a client executive who is working very closely with UK and EMEA-based organisations, what are the most pressing issues risk managers face with regard to GRC?

There are a few that come to mind. The first is dealing with regulatory change. How do organisations stay on top of risk associated with regulatory compliance when the landscape is constantly changing, the jurisdictions that companies reside in are growing, and laws around privacy are growing?

The second is getting different groups and departments within an organisation to work together toward a shared GRC approach. For example, there might be an internal controls team that rolls up through the CFO; an enterprise risk management (ERM) team that works for the CRO; a business continuity management (BCM) unit that flows through a CTO; and a compliance group that reports to the general counsel’s office. Risk managers need to set a tone that conveys that all of these groups must work together in order to reap the benefits of GRC.

Finally, there is a major tactical issue that risk managers face. If you’re a relative newcomer to GRC, you are most likely tracking in spreadsheets. I’ve even seen tracking in Word and PowerPoint presentations. When these applications are used in GRC efforts, it often results in confusion as to which copy of a file is current.

How can the right software help address the above issues?

GRC software helps organisations stay on top of regulations by identifying the risks, mapping the activities that must be performed to the correct areas of the business, and driving follow-up to ensure that obligations are being met.

GRC software also addresses the need for collaboration and the sharing of accurate information by acting as the central hub of a GRC programme. GRC technology maintains a unique and shared risk language that allows for transparent risk-related information to be escalated as needed, and sets the tone for an entire organisation. In fact, many organisations use the implementation of a GRC software package as a catalyst for programme change.

What’s the most exciting trend you see developing in risk management or enterprise risk management in the UK and EMEA?

The emergence of business continuity as an extension of ERM, as opposed to BCM plans simply being a part of IT protocols and procedures. Organisations are going beyond asking “What can go wrong?” to saying “Here’s what we are going to do about it.” As a part of this, risk management is slowly being viewed as a proactive and beneficial part of an organisation, rather than something negative and reactive.

For organisations that are looking to acquire technology capable of supporting their GRC programme, how would you recommend they get started? What should they be looking for?

In order to get started, you first need to know where you are going. The first thing an organisation should be doing is setting a goal-based strategy for the next 1-3-5 years. Determine what the priorities are and understand the current and ideal maturity levels for each area. What does success look like? Only then does it make sense to start capturing requirements and developing process models for what they hope to achieve via a technology provider.

Once those goals are established, an organisation should focus on a few key areas:

  • Which technologies meet the documented needs of the business?
  • Which technologies are nimble enough to respond to the ever-evolving landscape that is GRC?
  • Which technology providers have proven they can deliver on their roadmaps?

How is the right technology crucial to establishing a GRC programme?

Technology isn’t meant to be the process. It’s meant to enable the process. If enablement is done well (i.e. is easy to use, does what it’s supposed to, and provides efficiencies and value to the business), then it will help the programme succeed. If any of those elements are lacking, then technology serves only as a roadblock. When users are frustrated, they will retreat to previous, siloed ways of working. At that point, risk is no longer central to the culture.

Also, look closely at the scalability of a technology solution. Taking into account your 1-3-5 goals-based strategy, will the technology be capable of maturing along with your organisation?

As with any rollout of a new process/programme, change management is critical. The technology used must be designed so that process is viewed as an improvement. Years ago, I was working at a large insurance company going through its first reorganisation. The quote provided by leadership to help us deal with the distractions and disruptions during the process has stuck with me to this day: “The pain of every change is forgotten once the benefit of that change is realised.” I often think of that when working with organisations to implement GRC technology that will support a programme. The benefits make it all worth it.

During your years with Origami, you’ve played an integral role in the new-hire process. What sets Origami’s talent apart from the rest?

We are very good at hiring people with a strong technical aptitude, but I’ve always found that attitude trumps aptitude. We hire colleagues who are solution-driven, eager to learn, and client-focused. The bulk of Origami’s new-hire training is spent on educating new hires on our culture.

We are partners with our clients, and we celebrate in our successes together. Our technology is only one part of the equation. Vision and service support are equally important. If a software provider isn’t a collaborative partner with each client, then both organisations will struggle, regardless of how powerful the technology solution is.
