Every company is different, no matter whether it is about their business processes, their maturity level and GRC objectives, corporate culture, as well as their set-up and IT. Yet according to our experience there are several common challenges when clients plan or endeavor to improve GRC automation. Here are the “Top 10” challenges:

Strategy & Planning:

  • Business case: How can GRC’s added value be gauged and how fast will your investment pay off?
  • Low-hanging fruit: Which GRC solutions lead to a maximum acceptance within the company, make management more aware and create positive publicity?
  • Get your roadmap: Which “best practice” approaches are most suitable for you? Can requirements imposed on ICS, risk, policy, or loss and exception management be implemented in parallel or step by step, integrated or stand-alone? How can user and authorisation management system be designed in order to comply with operative requirements as well as SoD compliance pressure?
  • Plan your landscape: Which components does the GRC system landscape have to contain? What kind of integration possibilities are available and how can existing licenses, resources and skills be applied in the best possible way?
  • Stay ahead: Which technical or functional innovations in the GRC portfolio of the software vendor can be expected short or medium term? Which UI and reporting capabilities were added recently as a result of innovations in SAP Fiori, HANA and BI/BO technology?


  • Get clean: Which tools can help to efficiently maintain existing roles or to implement new ones in a way to meet SoD requirements as well as the organisation and its processes? How can audit findings about critical authorizations be eliminated by means of an emergency user concept?
  • Stay clean: How can certification of the assigned authorizations or a sustainable mitigation process for residual risks be set up? How can compensating controls be integrated in the overall ICS?
  • Use synergies: How is it possible to consider additional lines of defense or compliance goals such as ISO 27001, efficiency or other requirements in the existing ICS? Is it possible to integrate ICS processes into risk management?
  • Get efficient: How is it possible to reduce the number of manual controls in the ICS framework without running additional risks? How can the CCM functionality be introduced and how many integration scenarios are there “out of the box”?
  • Increase acceptance: Which measures or functionality are necessary to simplify accomplishment of GRC tasks or make them even more intuitive?

We are looking forward to hearing from you if our “Top 10” appealed to you, or if you need further assistance.