5 Major Mistakes That a GRC Professional Should Never Make


If you work in the GRC field and are asked to join a GRC project as a consultant, team leader or project manager, avoid these five major mistakes. If you don’t recognize these situations before the project starts, you may end up in an uncomfortable position that damages your reputation. Spotting them early keeps your own risk to a minimum.

The following five unfortunate scenarios are based on our partners’ and GRC consultants’ experiences.

1. SITUATION TO AVOID: Lack of management support

If a project looks good on paper but management is not behind it, don’t proceed; otherwise expect the timetable and the budget to slip. In a medium-size company in particular, if senior management is absent from the kick-off meeting, if nobody describes the GRC project as “the CEO/CFO’s baby”, and if there is no sense of urgency in the room, treat it as a red flag and tread very carefully. Without management support, almost nobody will care if the project is delayed (except perhaps you), and nobody will take responsibility for it.

2. MISTAKE: Planning to do the work manually

This is a recipe for disaster. If people in the organization are avoiding good, established GRC software, it’s a bad sign; a spreadsheet simply won’t do the job. Only GRC software can ensure a thorough GRC inspection, that the conclusions drawn from it are implemented soundly, and that the organization is kept continuously clean of new risks. A good solution, such as Xpandion’s GRC software, lets you define risks, eliminate them, monitor continuously for new ones, and support the workflow processes that relate to them. Doing the work manually amounts to a one-time (and far from foolproof) clean-up, after which you will probably find yourself meeting your boss and the auditors every six months to explain why there are new violations. Good GRC software keeps those semi-annual meetings as short as they can be.

3. SITUATION TO AVOID: Not customizing the rule base

If you hear that, to save resources, someone decided to go with the “best practice” rule-set without adapting it together with a GRC expert, expect unhappy auditors. An organization must keep its SoD rule-set as tight and as tailored as possible. In short, the rule-set should be explainable, should fit the organization (a shipping company can’t use the same rule-set as a hospital), and should be as small as it can be. These three properties are what make an implementation successful.

4. MISTAKE: Agreeing to a long term schedule

In 2014, things are done fast. Producing a new cell phone doesn’t even take a year, so why should a GRC project? A good project using an effective tool sees its first results on the day the system goes live. Install, upload the relevant rules… and voilà: the first analysis report, listing the issues to fix, is ready. If you want to take it a step further, Xpandion’s GRC software has a conflict resolver feature that resolves those issues immediately. Dozens of our customers have had their reports up and running within minutes.
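To make the “explainable, tailored and small” rule-set of point 3 and the first-run analysis report of point 4 concrete, here is an added example of a minimal SoD conflict analysis. It is illustrative code written for this article, not Xpandion’s product or any real GRC tool; the roles, functions, users and rule IDs are constructed sample data and the function names are assumptions. It shows three things a practitioner would expect from the first report: every finding names the rule, its rationale and the roles that grant each side of the conflict (explainable); rules that reference functions no role in this system grants are pruned before the run (tailored and small); and roles that violate a rule on their own are reported separately, because those conflicts have to be fixed in role design rather than user by user.

```python
"""Minimal segregation-of-duties (SoD) analysis over role assignments.

Illustrative example for this article. All data below is constructed and
does not describe any real system or vendor rule-set.
"""
from typing import NamedTuple

# Each role grants a set of business functions (think transaction codes).
ROLE_FUNCTIONS = {
    "AP_CLERK":      {"CREATE_VENDOR", "ENTER_INVOICE"},
    "AP_MANAGER":    {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "AP_SUPER":      {"CREATE_VENDOR", "ENTER_INVOICE",
                      "APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "HR_ADMIN":      {"MAINTAIN_EMPLOYEE", "RUN_PAYROLL"},
    "BASIS_ADMIN":   {"MAINTAIN_USERS", "ASSIGN_ROLES"},
    "REPORT_VIEWER": {"VIEW_REPORTS"},
}

# Constructed user-to-role assignments as they might be extracted from an ERP.
USER_ROLES = {
    "alice": {"AP_CLERK", "REPORT_VIEWER"},
    "bob":   {"AP_CLERK", "AP_MANAGER"},   # conflict arises across two roles
    "carol": {"AP_SUPER"},                  # conflict is baked into one role
    "dave":  {"HR_ADMIN"},
    "erin":  {"BASIS_ADMIN", "REPORT_VIEWER"},
}


class Rule(NamedTuple):
    """Two functions one person must not hold, plus a one-line rationale."""
    rule_id: str
    func_a: str
    func_b: str
    rationale: str


# A "best practice" starting set. SOD-05 refers to functions that no role in
# this system grants; a tailored rule-set drops it instead of carrying noise.
GENERIC_RULES = [
    Rule("SOD-01", "CREATE_VENDOR", "RELEASE_PAYMENT", "fictitious vendor paid"),
    Rule("SOD-02", "ENTER_INVOICE", "APPROVE_INVOICE", "self-approved invoice"),
    Rule("SOD-03", "MAINTAIN_EMPLOYEE", "RUN_PAYROLL", "ghost employee on payroll"),
    Rule("SOD-04", "MAINTAIN_USERS", "ASSIGN_ROLES", "self-granted access"),
    Rule("SOD-05", "POST_JOURNAL", "CLOSE_PERIOD", "unreviewed period close"),
]


def prune_rules(rules, role_functions=ROLE_FUNCTIONS):
    """Tailor the rule-set: keep only rules whose functions exist here.

    Returns (kept, dropped). Dropped rules are reported rather than silently
    discarded so the auditor can see why the rule base is smaller.
    """
    granted = set().union(*role_functions.values())
    kept = [r for r in rules if {r.func_a, r.func_b} <= granted]
    dropped = [r for r in rules if r not in kept]
    return kept, dropped


def analyse(rules, user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS):
    """One finding per (user, rule) violated, naming the roles that grant
    each side of the conflict so every finding is explainable."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        for rule in rules:
            via_a = sorted(r for r in roles if rule.func_a in role_functions.get(r, ()))
            via_b = sorted(r for r in roles if rule.func_b in role_functions.get(r, ()))
            if via_a and via_b:  # user can perform both sides of the conflict
                findings.append({
                    "user": user, "rule": rule.rule_id,
                    "functions": (rule.func_a, rule.func_b),
                    "via": (via_a, via_b), "why": rule.rationale,
                })
    return findings


def conflicting_roles(rules, role_functions=ROLE_FUNCTIONS):
    """Roles that violate a rule by themselves. Every user who receives such
    a role inherits the conflict, so the fix belongs in role design."""
    out = {}
    for role, funcs in sorted(role_functions.items()):
        hits = [r.rule_id for r in rules if r.func_a in funcs and r.func_b in funcs]
        if hits:
            out[role] = hits
    return out


if __name__ == "__main__":
    kept, dropped = prune_rules(GENERIC_RULES)
    print("Rules dropped as not applicable:", [r.rule_id for r in dropped])
    print("Roles with built-in conflicts:", conflicting_roles(kept))
    for f in analyse(kept):
        print(f"{f['user']}: {f['rule']} ({f['why']}) "
              f"{f['functions'][0]} via {f['via'][0]} and "
              f"{f['functions'][1]} via {f['via'][1]}")
```

On the constructed data above the run drops SOD-05, flags AP_SUPER, HR_ADMIN and BASIS_ADMIN as roles that conflict on their own, and reports six user-level findings, each stating which roles produced it. The methodology in `analyse` does not change from one organization to the next; only the rule-set and the role and user data do, which is exactly the point made under “Reinventing the wheel” below.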

5. MISTAKE: Reinventing the wheel

Over the past 10 years a great deal of experience has been gained in running GRC projects with clearly targeted goals. If you come onto a project and someone tells you that they must do things differently to solve THEIR GRC challenges, think twice about whether you want to work there. Occasionally this is true and the company really is unique, but such cases are rare. In most cases, trying to reinvent the wheel results in a delayed schedule and angry management. Follow the methodology of every other GRC project, recognizing that the uniqueness lies in the data (the organization’s own rule-set, its own flow of requests, and so on). This gives you a higher chance of success and protects your reputation if things don’t go as expected.


As you have seen, when it comes to GRC we recommend following in the footsteps of other successful projects, both to increase the chances of success and to help you thrive. A successful project on your résumé never hurts your career. If you are currently on a GRC project, we encourage you to look at our GRC solution to improve your odds. Xpandion has extensive experience with successful GRC projects and would be glad to help you too.
