GRC Automation: What Platforms Do Well and What They Cannot Do Without Human Oversight

February 22, 2024

About half the organisations that engage Cyberlinx for GRC work already have a GRC automation platform in place. That number has grown significantly over the past three years. The platforms are genuinely useful, and they have changed what compliance programme management looks like at a practical level. They have also generated a specific category of client problem: organisations that assumed the platform would handle compliance and discovered that the platform handled evidence collection, which is a different thing.

This article is not a criticism of GRC automation. The right platform, used correctly, reduces manual effort significantly and provides a more current view of control status than any manual process can. The point is that what these platforms do well and what they cannot do are both worth understanding clearly before you sign a contract.

What GRC Automation Platforms Actually Do Well

The genuine strengths of GRC automation platforms are in continuous evidence collection, integration with cloud infrastructure providers and identity platforms, and framework mapping. A well-configured platform can pull configuration data from your cloud environment, check whether controls are in their expected state, and surface failures in near real time. For organisations managing a large number of controls across multiple frameworks, the reduction in manual evidence collection effort is material and the improvement in control visibility is significant.

Framework mapping is another area where platforms add real value. When an organisation is pursuing multiple certifications simultaneously, the ability to map a single control to requirements across several frameworks and collect evidence once rather than multiple times reduces duplication considerably. The mapping quality varies between platforms and frameworks, and the mappings should be reviewed rather than accepted as authoritative. But as a starting point for multi-framework programmes, the capability is genuinely useful and would take significant internal effort to replicate manually.

Where Human Judgement Remains Irreplaceable

GRC platforms collect evidence and report on control status. They do not assess whether the control is adequate for the organisation's risk environment. A platform can tell you that an access review was completed. It cannot tell you whether the access reviewed was the right access, whether the reviewer understood what they were approving, or whether the outcome of the review was acted on correctly. Those assessments require a person who understands the context.

Risk assessment is the clearest example of what automation cannot replace. Risk registers managed through GRC platforms can be kept current and linked to controls. But the initial risk identification, the assessment of likelihood and impact, and the decisions about treatment all require human judgement from people who understand the business environment and the threat landscape. A platform that surfaces a risk from a pre-populated library is not performing a risk assessment. It is providing a starting point for one. Organisations that treat the platform's suggested risks as their risk register have not completed a risk assessment.

The Evidence Quality Problem

The most common issue we encounter in audits where a GRC platform is in use is evidence that is technically present but does not demonstrate what it is labelled as demonstrating. A screenshot of a policy document in an evidence library is not evidence that the policy has been implemented. An automated check showing that encryption is enabled on a storage service is not evidence that the encryption covers all the data in scope. Evidence quality is a judgement call, and judgement requires someone who understands what the control is designed to achieve and what an assessor will expect to see.

This matters most in the lead-up to an external audit or certification assessment. Platforms generate a lot of evidence. Not all of it is fit for purpose, and some controls that appear green in the platform view will not satisfy an external assessor. The pre-audit review process of testing evidence quality against what an assessor will require is work that cannot be automated. It is one of the most valuable things a GRC practitioner does in the period before an audit, and it is not something a platform can do on your behalf.

Getting the Right Value From Your Platform Investment

Organisations get the most from GRC platforms when they treat them as evidence infrastructure rather than compliance infrastructure. The platform manages the collection, storage, and reporting of evidence. The compliance programme, which includes risk assessment, policy development, control design, management review, and audit preparation, is built and operated by people.

If you are selecting a GRC platform, evaluate it on the quality of its integrations with the systems you actually use, the accuracy of its framework mappings for the frameworks you need, and the usability of its reporting for your stakeholder audiences. If you already have a platform, the question to ask is whether the evidence it is collecting is the evidence your auditors or assessors will need and whether the control status it reports reflects the actual state of your controls. Those two questions usually reveal where the programme needs human attention. To discuss how to get the most from your GRC platform investment alongside a structured compliance programme, contact Cyberlinx at info@cyberlinx.com.au.

Table of Contents
Resource Type
Blogs
Category
GRC
Written by
Indra Gunawan
Head of Consulting
Free Risk Assessment
Cyberlinx brand name with linked chain links icon above it in white on a black background.

Ready to secure your
business?