Multimatics Insight

3 Stumbling Blocks in Defining Roles and Responsibility in GRC (and How to Avoid Them!)


The continuous improvement of business and technology in the digital transformation era is powered by ground-breaking innovations. As a result, governance, risk, and compliance (GRC) professionals need to align their processes and tools to anticipate new risks and comply with regulations. While technologies and inventions keep improving, GRC Management has to both control and support them. GRC Management should therefore be specifically designed to respond to the risk and regulatory challenges of the digital transformation era.

GRC Management System Overview in 2022

The goal of GRC's risk component is to recognize, evaluate and manage financial, strategic, legal, and security risks while advancing corporate goals. According to the Risk.net/IBM survey, the drivers accelerating the development of GRC Management in 2022 include digitalization trends, reliance on digital channels, and the COVID-19 pandemic. The survey also reveals that 60% of respondents believe that digitalization has exposed gaps in their GRC processes, one of which is roles and responsibilities.

Defining Roles and Responsibilities

GRC can be defined as an integrated, holistic approach to organization-wide GRC that ensures an organization acts ethically and in accordance with its risk appetite, internal policies and external regulations through the alignment of strategy, processes, technology and people (Racz et al., 2010). However, current GRC technology is outgrowing earlier versions. One of the main reasons organizations have difficulty presenting the progress and value of their GRC Management is that they fail to identify, define, and align expectations for the overall roles and responsibilities.

Below are three stumbling blocks found in organizations when it comes to defining roles and responsibilities:

1. Relying on traditional ideas

Describing roles and responsibilities accurately requires a full overview of the tasks that must be accomplished in each phase. This means that defining roles and responsibilities requires more than relying on the GRC Management already running in the organization. Most organizations rely on their existing GRC Management document without checking whether it still fits their current needs.

2. Lack of Understanding of What Compliance Is

For organizations, defining roles and responsibilities requires up-to-date knowledge of what compliance is and of what must be done to achieve it. When people in the organization are not equipped with sufficient knowledge and skills about risk or compliance, the roles and responsibilities in GRC Management are not well defined, which leads to unclear work processes and measurement.

3. Don't Have Clear Mapping of Overall Compliance Aim and Attitude

The difficulties that occur when mapping the compliance aim and attitude are mostly found in setting priorities and choosing which areas to focus on, having a clear attitude toward how to implement GRC management, and managing and improving compliance management. As a result, roles and responsibilities in GRC management become unclear and hard to measure.

Then, How to Tackle These Stumbling Blocks?

1. Sufficient Training and Awareness about Compliance

People involved in GRC Management should understand the focus of the GRC Management and the processes and tasks that need to be done to produce meaningful measurements. To achieve this, sufficient training and awareness about compliance should be put in place. In this way, the team will be able to align with and involve many people, improve their communication skills, and define clear tasks and assignments.

2. Continual Evaluation and Improvement

When designing GRC Management, the team should carefully evaluate how each role and responsibility works, to see whether each assigned team has aligned its work with its roles and responsibilities. The team and the people involved need to conduct continual evaluation and improvement to find opportunities for growth in all areas of business operations.

3. Having a Solid GRC Strategy and Business Planning

Plotting roles and responsibilities also requires a solid GRC strategy and business plan to ensure that every team involved has effective roles and tasks that support the organization's business objectives. Once a centralized repository is established, it can then be utilized for other programs such as new IT projects, vendor risk management, business continuity management, and others (Recor and Xu, 2017).

It is important for the organization to have clear roles and responsibilities planned out in its GRC Management. This enables it to plan and design a good structure for the GRC management system for future success. An effective GRC strategy not only saves time and effort in risk awareness and informed decision-making but also helps improve the overall performance organizations need to compete in this digital transformation era.

Liu, B.; Shi, L.; Cai, Z.; Li, M. (2012). Software vulnerability discovery techniques: A survey. In: Multimedia Information Networking and Security (MINES), 2012 Fourth International Conference on. IEEE, Nanjing, pp. 152–156. https://doi.org/10.1109/MINES.2012.202
Recor, Jef.; Xu, Hong. (2017). GRC Technology Introduction. In: Commercial Banking Risk Management. https://doi.org/10.1057/978-1-137-59442-6_14
