Fields upon Fields in GRC
In my consulting and advisory work, conversations with control owners have made one thing clear – more and more First Line of Defense (1LOD) teams are getting bogged down by their own GRC systems. I continue to hear a common pattern of the Second Line (2LOD) teams overcomplicating data capture, adding fields under the assumption that more data equals better compliance.
2LOD functions typically use this information to gain better insight into the business's activities and to better determine the risk to the functions they are protecting. The challenge for the business teams is keeping up with the changes and the terminology. I often see fields added with names like “Update Last Review Date” or “Control Audit Operating Effectiveness” without any guidance on the value the business gets from having this data in the first place. The overwhelming number of fields turns what should be an opportunity to find areas of improvement for the business, and to leverage the data to reduce risk, into a never-ending journey of data governance.
Another startling discovery is the lack of discipline in data governance practices within GRC team activities. In other enterprise platforms, such as HRIS and accounting systems, fields have a much stronger tie to controls and to the needs of the GRC teams. In GRC platforms, the lack of clarity around purpose, data ownership/stewardship, and assessment of continued need seems to be driving businesses away from the vision of “integrated risk” and back toward tactical GRC solutions.
In former roles in data governance, keeping things simple to get small wins quickly was my mantra for getting the basics right, and the same holds true for GRC data:
- Create a listing of all of your objects (process, risk, control, audit, etc.) and their fields, and then document who owns each field. You may find that multiple people claim the same field, which may launch further conversation.
- Document how those objects connect with one another, and why they connect. It may be obvious to you why a Risk has Controls, but is it clear to the teams who are making those connections why they’re doing it?
- Reassess the value of everything above semi-annually. If you don’t need it, either hide it or remove it from your GRC platform.