Is your outdated GRC software putting your business at risk?

GRC software has reached 20 years of maturity, and its fourth generation.  Many organizations purchased internal controls management tools in the early 2000’s to streamline the internal controls testing and certification process based on a COSO framework to comply with Sarbanes Oxley  regulations such as SOX-302 and SOX-404. 

In the late 2000’s risk assessment, IT General Controls management and Segregation of Duty reporting tools were adopted by organizations to follow a top down risk-based approach under the guidance of PCAOB AS5. In the last decade, the third wave GRC solutions were adopted to unify the internal audit, enterprise risk management and regulatory compliance “silos” to achieve integrated risk management for improved decision making and performance through an integrated view of how well an organization manages its unique set of risks. 

In 2020 and the new decade, organizations that have remained on outdated GRC software will be unable to mitigate emerging risks, face operational inefficiencies and lose competitive advantages as a result of digital transformation including big data, mobile devices, the Internet of Things (IoT), and social media—all of which contribute to an expanding risk profile. These include cyber concerns, data exposure, and privacy issues.

GRC Software Landscape 

The GRC software market emerged in the early 2000’s with the growing need to align governance risk and compliance activities after the well-publicized, meteoric rise and fall of major business such as Enron Corporation , an American energy company based in Houston, Texas, and the de facto dissolution of Arthur Andersen, which was one of the five largest audit and accountancy partnerships in the world. 

The first generation of GRC software such as OpenPages, Paisley, and Oracle Internal Controls Manager were largely focused on addressing the challenge of internal controls over financial reporting, and SOX compliance.

The second generation GRC software emerged in late 2000’s to address the broader need of enterprise risk management (ERM) and IT General Controls (ITGC) beyond compliance with key controls over financial statement, after  PCAOB issued AS5 guidance in 2007 for a top-down approach, directing the auditors to understand the overall risks to internal control over financial reporting including the identification and documentation of critical accounting application controls.   Organizations responded to the need to ensure effective IT controls testing by deploying GRC software such as RSA Archer to control IT and security risks, and adopted Segregation of Duties software such Versa for SAP, LogicalApps for Oracle and Approva for multi-platform.  

In the last decade, the need to integrate GRC on a unified platform was realized by many organizations to streamline functional areas of GRC under a single platform.  GRC software vendors like MetricStream and BWise, address this need by offering a modular approach to address various GRC functional needs on a single platform that serve the needs of various GRC related departments in the organization e.g., risk management, compliance, legal, finance, audit, security, etc

"All product names, logos, and brands are property of their respective owners. Use of these names, logos, and brands does not imply affiliation."

Over the past two decades, the GRC software landscape has not only been transformed by many start-ups that addressed the business needs, but also by acquisition for the rapidly growing GRC software firms by Big Tech such as OpenPages to IBM, Versa to SAP, LogicalApps to Oracle, RSA Archer to Dell. 

In the short term, the GRC deals enabled Big Tech to fill the gaps in their product portfolio to meet the growing GRC market demand, however, innovation road-maps were abandoned or significantly scaled back resulting in unmitigated emerging risks for GRC customers. For example, Oracle disbanded its global GRC salesforce and discontinued product enhancements in 2016; Dell Archer has not enhanced the reporting capabilities to support GRC dashboards and implementations require customizations to meet customers’ needs; IBM OpenPages user interface and GRC features have not been updated in over a decade.  Considering how IBM built its business on enabling transformation through the power of AI and Watson, the stagnation of OpenPages is an example of the shoemaker’s children going barefoot.

Business Justification to replace outdated GRC Software

Outdated GRC software supports a compliance-driven cost centre which requires extensive customization and an army of consultants as well as multiyear deployments and million-dollar price tags.

Today, organizations are facing risks at unprecedented speed such as global supply chain disruption from the COVID-19  pandemic, cyber threats, and the work anywhere model. Growing compliance mandates such as GDPR and CCPA are no longer a static set of requirements.

As organizations demand greater visibility and agility to respond quickly to changing market dynamics and emerging threats, GRC software must deliver capabilities to digitally transform risk and compliance to facilitate rapid user adoption on multiple devices.  Risk professionals must be able to manage the array of data points and processes required to meet their organization’s risk and compliance needs, at scale, and at the pace of innovation in the business. It should enable business to prevent and predict risks to stop losses, waste and fraud, by leveraging the latest technology innovation such as robotic process automation (RPA) and artificial intelligence (AI) by seamlessly connecting to all enterprise data sources.

Top Technology Risks of outdated GRC Software

• Organizations using outdated GRC software face many risks as the underlying technology becomes obsolete. These include a decline in user productivity, downtime from slower vendor response time on bug fixes, process bottlenecks due to lack of enhancements and innovations, as well as increased operating costs due to lack of compatibility and integration with critical business systems.
• A decline in user productivity can cost businesses dearly and increase unmitigated risks. Outdated GRC software runs slower than the fourth generation (4G) GRC platforms with unlimited computing power enabled by cloud infrastructure. Consequently, it takes longer for audit, risk, and compliance professionals to execute controls testing and ensure timely remediation activities. Legacy GRC software is often harder to use as well as inflexible and unintuitive compared to 4G GRC that can be securely accessed from any device using a modern interface for rapid user adoption.
• There is also a risk, that as time passes, there may only be a handful of employees who know how the software works, making knowledge retention more time-consuming and costly. User productivity takes a hit as new employees do not have the expertise to use the outdated GRC software.  As professionals with this know-how retire or move on, finding a fresh talent pool with this legacy knowledge is more challenging and costly. Using outdated technology fails to meet user experience expectations for new employees.
• Businesses experience greater downtimes as GRC software vendors discontinue or downgrade support resulting in a slower response time to critical bugs which causes missed audit deadlines, regulatory penalties and operating losses from unmitigated risks.  When GRC software is no longer supported by the vendor, it becomes unmaintained. This means that any new bugs found aren’t addressed and in a worst-case scenario, can lead to lead to disruptions and loss of data. Businesses are under pressure to maintain continuous controls over significant business processes.  If the GRC software impedes controls effectiveness together with a lack of trust can escalate into reputational risks. As technology increases in age, downtimes increase and become more frequent giving rise to a lack of management visibility. With no further bug fixes, security weaknesses can be exploited by human malice leaving your systems vulnerable to cyber criminals.
• Lack of enhancements and innovations create bottlenecks in governance risk and compliance processes across the company.  As businesses respond to market opportunities such as online customer relations management and adapt to remote work, the legacy technologies cannot be easily reconfigured to the process the new workflows, thereby creating an obstacle to valuable business drivers.  The lack of enhancements to GRC software can result in missed opportunities and hidden risks that can escalate control defects, increase audit costs and result in regulatory penalties.
• Outdated GRC software frequently doesn’t communicate with modern systems that require the latest integration API protocols such as JSON and SAML. With organisations running many different applications, (some on-premise, others cloud-based), if your legacy GRC software does not integrate well with your identity management system to support single sign-on or data exchange to automate control evidence management from critical business systems, you’re missing out on strategic advantage of modern audit practices.  Internal controls over business processes need to be flexible and agile which legacy systems can jeopardize.

In conclusion, deciding to upgrade may seem daunting but maintaining a system that no longer keeps up with modern business demands and is no longer supported by the manufacturer is a critical risk to your business.  

For more information on how SafePaaS can help you upgrade your legacy software