How visualisation boosts success in using technology for GRC

It’s been intriguing to see the impact that visualisation has had in the world of GRC – in both the ability to see into the future as to what models and performance GRC technologies can deliver, and also the ability to have meaningful insight into volume risk and compliance data.

I recall several years back one particularly difficult GRC project where an access management tool was to be implemented to help the Head of SAP deal with repeated audit matters. There was very little enthusiasm for the project amongst those IT staff involved, let alone the business users, and this became a key issue in why the project was barely successful and ran over time.

Fast forward to a little over a year ago, and a similar pressing need and scope, but this time, even before getting into the project, we used our robotic GRC system generator to build a prototype and pointed it at their SAP system and then mocked up a dashboard with the findings. Wow, what a difference! The first thing that happened was that everybody started talking (arguing?) about that initial view of their access issues, and what the impact could be. At the second meeting we had a load more representation from the business, keen to understand what this was really about and what exposures they could sort out quickly. This project suddenly gained real energy and momentum, with stakeholders actively making decisions and working out how to modify their operations to have safe access. The black art of GRC dissolved to be replaced by clarity on business performance. The original pain from audits had been overtaken by a real desire to control risk, with an energised engagement arising from the promise of at last understanding what was happening in their business. This was no longer some dull IT controls project, but a way of moving away from access control as something to be survived, to it being understood and regarded as a way of getting a grip on where real risks were impacting results.

The comparison for controls monitoring tends to be even more stark, where I’ve seen major organisations move in a few hours from “we don’t really need this” to “this could have a huge impact on our competitive performance – how fast can we move?”

So what’s it all about? My conclusion, having observed the different human responses when visualisation is used, is that it mostly comes down to three things:

Firstly, GRC is hard to define and can be seen as a bit of a black art – and it can feel awkward if you don’t understand it all, or it feels a bit too techie – and often that results in the people that we need involved backing away. However, make it easy to visualise what’s going on, especially in business terms, and suddenly the value is understood and desirable, and engagement improves.

Secondly, if you have a clear vision of the end-result, then all those involved (the sponsor, stakeholders, project team and end-users) are aligned and on the same path – and much more likely to achieve desirable and real outcomes. I’m embarrassed now to think back to the early days of GRC and the post-implementation reviews that highlighted how little people understood about what they were getting.

Thirdly, decent reports or dashboards – and often not those that people first wish for – give meaningful and intuitive insight into risk and compliance performance – and that’s what drives better decisions that create better business performance. I’ve been amazed to observe how people react when their unit is in red at the bottom of a table of those with exposed risks: nobody has to prompt them and top management doesn’t need to get pushy – that unit will already be working to get up to amber – and often will emerge at the top end of the greens!

We’ve seen enough value from this to have made visualisation a cornerstone of how we do GRC technology projects now – and I’d recommend anyone to look further into this ahead of a project or investment.

Timeless article from my good friend Martyn Proctor. Year after year we see examples of this at work. Was extremely relevant back in 2010 and still remains in 2017.
