Catch this episode on YouTube, Apple, Spotify, or Amazon.
You can read the show recap here.
The world of governance, risk, and compliance (GRC) is often shrouded in complexity and overwhelming options for related processes and technology, especially when dealing with overlapping regulations. In this episode of GRC Uncensored, hosts Troy Fine and Elliot Volkman are joined by guest Martin Cozzi, the CEO of Pima. The trio further chip away at the current state of managing GRC programs and, this week, take aim at the current technology landscape. More specifically, understanding when, if at all, it makes sense to invest in a GRC tool to manage compliance. Or, maybe we can all just survive using spreadsheets.
The Role of Tools in GRC
During the episode, Elliot poses the quintessential question: “Do you need a tool? Do you need to invest in technology to guide you or get you through?” The conversation takes a deep dive into the necessity of tools within GRC. Martin makes it clear that tools vary in their usefulness, highlighting that "some of them are helpful. Others are maybe trying to do a little too much." He explains that it's vital for companies to discern their specific needs before deciding on the appropriate tools, emphasizing how varied GRC demands are across frameworks such as SOC 2 and beyond.
Challenges in Finding the Right Fit
A significant part of the discussion revolves around the challenges businesses face when seeking the right tools. Elliot and Troy explore the emergence of "legacy technology" and "handholding-type technologies," examining how these have shaped the landscape. They note that navigating this terrain often requires a nuanced understanding of compliance frameworks. Martin adds insight on newer tools, pointing out a potential drawback: "The downside... is that they don't give you any context." He argues that while these tools can provide initial assistance, especially for smaller companies, they often struggle to adapt to unique business contexts or support sustained growth. In simpler terms, if you outsource your understanding of compliance to a vendor or a tool, you are just going to be checking a box. That won't deliver the results needed to build trust, especially with third parties and larger customers.
The Human Factor in GRC
A critical point emphasized during the conversation is the importance of human expertise in managing GRC processes. Martin underscores this idea, suggesting, "The tools create more work...if your processes are well defined." He argues that having a structured process and responsible individuals within the organization is crucial. Troy reinforces this by highlighting the need for someone to be an expert on the tools, cautioning that relying solely on automated tools can lead to a "false sense of compliance."
Addressing GRC Tools as a Business Decision
The discussion presents a compelling case for treating the adoption of GRC tools as a strategic business decision. Martin emphasizes the importance of understanding both the cost and necessity of compliance. He states, "It's a math decision to be like, okay, we're not closing deals over a large amount of value. We should do it." This highlights the need for organizations to evaluate their GRC strategies within the context of their economic and operational realities.
In closing thoughts, Martin reflects on how businesses adapt to, and eventually outgrow, the tools they initially relied upon.
By understanding the intersection of processes, technology, and business needs, companies can navigate the complexities of GRC with a clearer perspective and a more solidified approach tailored to their unique circumstances. Whether through spreadsheets and ticket systems or specialized tools, the conversation highlights the importance of aligning GRC practices with overarching business goals and realities.
So, should you invest in a GRC tool? Yes, if it makes business sense and you don’t let it erode the value your program creates while pursuing framework goals (particularly for SOC 2 and ISO 27001).