Global GRC Report Benchmark 2018
6.0 Methodology
How we collected the results
3. DOCREF:GGRC03/18
1. Welcome to the Global Governance, Risk and Compliance Benchmarking Report 2018
Welcome to the 2018 Global Governance, Risk and Compliance (GRC) Report, collected by Qualsys to understand how the role of GRC is changing.
In February 2018, Qualsys Ltd distributed the annual benchmarking survey, asking GRC professionals about their day-to-day roles.
The 38 questions in the survey were grouped into four broad categories: GRC skills & areas of focus, key roles and activities, technology and systems, and organisational culture.
The 202 responses we received from many different industries have provided important insights into how the role is changing.
We’ve used the survey results to answer three questions:
1) How are GRC professionals spending their time?
2) What factors are influencing the role of GRC?
3) What are the key priorities for 2018?
We hope that you'll find the report insightful and useful in your daily role.
Kate Armitage
Product Quality Assurance Manager
Kate.Armitage@qualsys.co.uk
2. Executive summary
Key findings from the global governance, risk
and compliance survey 2018
Key findings from the report
2.7 extra days per month are spent reporting than in 2015
18% were promoted in the past 12 months
99% don't feel fully ready for GDPR
24% have effectively employed risk-based thinking across the business
18% have left a role because they didn't have adequate tools
28% implemented an integrated management software solution in the past 2 years
3. How do GRC professionals
spend their time in 2018?
The role of GRC in 2018
[Figure: How do you spend your time? (percent)]
42 percent spend 5+ days compiling reports
A large majority of working time is spent compiling reports. 95
percent of GRC professionals mentioned that they spent their
time collating data for reports and sending them to employees
across the business.
On average, GRC professionals are spending 2.7 more days per
month on reporting than in 2015. 42 percent say they spend five or
more days a month compiling reports.
Tom Hodgson, Business Development Manager at Qualsys, says
the results are inconclusive: "These results could suggest two
things. Either GRC professionals are spending increasing
amounts of time chasing departments to get the data they
need or they have better access to data and they are using it to
influence strategic business decisions."
75 percent say having measurable performance indicators is
important for their organisation
Instant Key Performance Indicator (KPI) Dashboards have
become more important, with 70 percent now agreeing that
they are an integral aspect of the organisation's quality
management system, an increase of 10 percent since 2015.
Improving the management systems
33 percent rated the maturity of their management system as
high. This is the second year in a row this has dropped,
suggesting that the struggles governance, risk and compliance
professionals are having in getting the tools and resources they
need are impacting their strategic objectives.
It fits that 70 percent of those who had implemented an
electronic management system in the past two years rated the
maturity of their system as "high".
4. What factors are
influencing the role of GRC?
Industry trends and changes
Information security management still a weakness for many
4 percent more GRC professionals are now managing the ISO
27001 certification compared to last year, and 8 percent plan to
achieve the information security management standard in the
next 3 years.
Robert Oakley, Commercial Director at Qualsys, was surprised
that information security and data management was not at the
top of the list.
“With the GDPR coming into force in May, I’m surprised data
protection isn’t at the top of every GRC professional’s list. GDPR
fines can be up to €20 million or 4 percent of annual global
turnover - it's a huge risk. It's too important to leave solely to
your CIO or marketing team. The GDPR requires the expertise of
GRC professionals and their structured process approach.”
In fact, only 1.64 percent report feeling fully prepared for the
GDPR; 18 percent feel well prepared; 40 percent feel somewhat
prepared; 23 percent feel inadequately prepared and 18
percent feel not at all prepared.
2018 focus on sustainability
Despite a lack of focus on the General Data Protection
Regulation, GRC professionals are spending more time
focusing on sustainability. 12 percent reported focusing on all
aspects of “the triple bottom line” - where they are balancing
the needs of their people, profit and planet.
32 percent now report managing the environmental
management system and more than ever are planning
certification to ISO 14001.
"Do not work for companies who do not believe in quality."
"Check, check, and then check again."
"Emphasising importance of an integrated QMS to all employees and having all employees actively using the QMS."
"Coping with negativity."
Plans for 2018
"Extending the scope of the
quality management system."
"The value of electronic resources. An
effectively managed QMS to drive
continual performance"
"IT improvements and integrations."
"I'll be rolling out our EQMS software
across new territories."
"First, GDPR. Then ISO 45001."
"Implementation of 5S, and then
preparing to implement level 4 of
CMMI DEV, as well as achieving ISO
9001: 2015 certification."
"Environmental profiles for our product
range, and developing our EQMS."
The questions remained the same as in 2015, 2016, and 2017, with
the addition of some new questions (including "How
prepared do you feel for the General Data Protection
Regulation coming into effect in May 2018?"), to give both directly
comparable data sets and new data.
7. What do you think of the
results?
Tweet @QualsysEQMS to
share your thoughts on the
survey findings.