Be Wary of Over-Automating GRC

GRC-Macchiato

Don’t under engage your users by over-emphasizing convenience with GRC. Like fancy coffees, GRC automation is best enjoyed in moderation.

Roombas, Macchiatos and 21st Century Conveniences
“Convenience” drives so much of the innovation in the consumer market, often removing nearly all of the human interaction (or thought process) required to do a task. For example, consider everyone’s favorite robotic vacuum, the “Roomba.” For those unfamiliar, a Roomba is a dinner plate-sized robot that you set on your floor and power on. Once activated, it systematically patrols your floors, vacuuming up any dirt and/or dust bunnies it comes across; no human intervention necessary. Another example would be espresso machines – a vital piece of equipment in any coffee house. While this technological marvel allows us to procure our lattes and caramel macchiatos at near breakneck speed with the push of a few buttons, if the machine broke, would the barista know how to prepare an espresso manually (gasp!)?

Whether it’s reading a map or checking your spelling, each generation of gadgets and gizmos seeks to consume less of our time. I’m sure our forefathers would have a variety of smug remarks about how lazy all of this makes us and how we wouldn’t last longer than two of uphill miles it takes to get to school in the snow. But I digress – I promise this is neither a cultural rant nor a Roomba advertisement. My point is this: When implementing various business processes into a GRC tool – a technology used to make completing those same everyday processes more convenient (see what I did there?) – be wary of “over-automation”.

It’s About Efficiency, Not Convenience
Over-automation is a term I’ve used regularly for a few years now when it comes to GRC business process implementation. The precursor comments/actions have become pretty standard at this point. See an example below:

  1. Stakeholder(s) move manual, convoluted business process to the GRC tool. Processes are made more efficient by automating functions such as:
    • Notifications to users
    • Approval workflow
    • Assignment of tasks
    • Etc.
  2. Stakeholders and End Users alike are elated by simpler, expedited process. For a while.
  3. After an indeterminable amount of time has passed, a few End Users approach the Stakeholder(s), informing them that while the GRC process is 5 times faster than the manual process, they want to know if there is a way to make it even faster, requiring only 30 minutes of their time a week instead of an hour.
  4. More automation is built into the GRC tool for the business process.
  5. Repeat Steps #1-#4.

The situation above isn’t the only time over-automation happens, but it illustrates that automation can quickly become a snowball rolling down a hill, leading to vastly diminishing returns on your automation investment. Make no mistake; I believe that process automation is an incredibly useful thing, but only in measured doses. Time and time again I’ve worked with customers who want their GRC system to automate nearly everything about a business process when they were coming from a place where that was anything but the case. A tightrope must constantly be walked: you want your GRC tool to demonstrate value by simplifying complex business processes, but you don’t want to oversimplify them to the point that your End Users don’t understand the core concept of the actions they’re performing. You don’t want to ever overhear the following in your GRC program:

I’m not sure what exactly checking this box does, all I know is I have to check it and click Save before it disappears from my Work Queue!

Also, you want your Business Process Owners/Stakeholders to maintain a strong grasp of the process itself in case automation breaks down; just like you would hope that your local barista could craft you a soy vanilla latte should the espresso machine go on the fritz. Sure, it’ll take longer, but at least operations don’t come to a grinding halt.

Convenience Might Be Worth It, but It Isn’t Free
More automation requires more complex, higher-performing technology. With more complex, higher-performing technology come other issues. Take the aforementioned Roomba for example. Let’s say after a few months of using one, you notice that it isn’t able to effectively clean certain areas of the home (the stairs, under the sofa, etc.). Instead of vacuuming those areas yourself, you instead spend weeks “upgrading” the Roomba’s technology so that it now reaches those unreachable areas. Now, instead of being the size of a dinner plate and making just a gentle “prr,” my Roomba is now the size of a laundry basket and sounds akin to low-flying aircraft. This is all on top of the fact that it consumes much more electricity now and has single-handedly increased your utility bill by ~25%. Let’s also not dismiss the fact that after years of having the new-and-improved Roomba, your kids won’t know how to properly vacuum the house should the Roomba break down.

Don’t Conveniently Forget Common Sense
Don’t misunderstand me; I’m a huge advocate of GRC technology and the advantages it brings to an organization. I’m a proponent of using GRC tools to automate business processes, but enhancements must be paired with wisdom. The core tenants of IT have always been creating a synergy between people, processes and technologies. No matter how wonderful you think your system is, don’t forget the “People” side of the triangle. Many GRC tools out there will allow you to over-automate your business processes, but as the old adage goes: “Just because you can doesn’t mean you should.”

–Evan Stos, OrangePoint

This entry was posted in GRC Consulting, GRC Technology Implementation and tagged . Bookmark the permalink.

2 Responses to Be Wary of Over-Automating GRC

  1. auditguy says:

    Well said, Evan. These thoughts can easily be applied to other management tasks.

    In my specialty of management systems internal (and supplier) auditing, adverse conclusions (usually called “Findings”) are often transferred to the Corrective Action system. Automation of corrective actions can often lead to:
    – forcing all problem causes into an artificial list of six to ten reasons
    – flooding the system with trivial problems
    – solutions that focus on symptoms rather then diseases
    – hiding issues from senior management

    We loose the most-valuable human thought process.

    Dennis Arter

  2. opgrc says:

    Great perspective Dennis. Even when dealing with a process related to managing this blog, there’s a way to “automate” the replies to the blog comments. (Rest assured; this is not an automated reply.) Automation is here to stay, but let’s both hope that wisdom and human insight are two things that are never removed from any process.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s