
MINI DISSERTATION

UNDERSTANDING INTEGRATED GOVERNANCE, RISK AND
COMPLIANCE: STAKEHOLDER’S PERCEPTIONS
by
MALIGA NORMAN

202120686

Submitted in partial fulfillment of the requirements for the degree

MAGISTER TECHNOLOGIAE: BUSINESS INFORMATION SYSTEMS


In the
Department of Informatics

FACULTY OF INFORMATION AND COMMUNICATION TECHNOLOGY

TSHWANE UNIVERSITY OF TECHNOLOGY

Supervisor:
Prof. PR Warren

Co-Supervisor:
Mr A Kgopa

Monday, 30 November 2015


DECLARATION

I, Maliga Norman, hereby declare that this mini-dissertation, entitled GOVERNANCE,
RISK AND COMPLIANCE: HOW STAKEHOLDER PERCEPTIONS PREVENT
EFFECTIVE IMPLEMENTATION, which I have submitted for the M-Tech: Business
Information Systems degree at Tshwane University of Technology, is my own original
work and that it has not previously been submitted to any other institution. All sources
used or quoted are indicated and acknowledged by means of a comprehensive list of
references.

_________________________

Maliga Norman Date: 2015-10-18


ACKNOWLEDGEMENTS
I would like to acknowledge and extend my gratitude to Prof PR Warren, who encouraged
and challenged me throughout this study. I would also like to thank the students who have
travelled with me and always reminded me to hang in there.
My family and friends, you have been very supportive, giving me time when I needed it
most.

ABSTRACT
The main purpose of the study was to investigate stakeholders’ understandings, behaviours
and perceptions that create barriers to the effective implementation of GRC. The study was
conceived because the company studied struggled to make full use of its GRC solution.

The methodology was case study-based, gathering relevant data through interviews with
participants identified by a “snowballing” approach in order to answer the key research questions.
The model of resistance theory was used, and several of the themes it identifies, such as avoidance,
communication, politics and culture, guided the analysis of the findings. These themes
formed the basis for the interview questions used to gather relevant data.

The study made numerous findings, which were aggregated into categories of resistance. The key
findings were the complexity of GRC, lack of involvement, inadequate resources, lack of business
support, lack of ownership by management, lack of understanding and ineffective project
approaches. These perceived barriers inevitably create challenges during
implementation. Furthermore, this paper reveals that a more concentrated focus on the “people
factor” in GRC implementation is critical if these and other challenges are to be overcome.

Integrated GRC has long been established as a mechanism for ensuring that resources are deployed in
alignment with corporate strategy and performance. The implementation of integrated GRC is
recognised as having value as a means to create a more efficient and productive enterprise.

Conflicting interpretations of what GRC involves, and a range of barriers and types of resistance to
its implementation, have prevented its effective implementation even in organisations most
interested in implementing it. The study identified that the “people and behavioural factors” are
often given inadequate attention in much of the research into this issue. The practical value of this
study is to highlight the factors that need to be addressed prior to or during implementation in
order to get the most out of integrated GRC solutions. This showed that stakeholders’
understandings and perceptions are significant in the success or failure of GRC implementation.

This study limits the scope of its investigation to an IT company and IT stakeholders. Future
studies should focus on stakeholders in other departments, since little work has been done
in this field among those stakeholders at this stage.

With the understanding of the people factors set out in this study, companies will be better able to
overcome the various barriers to effective implementation of GRC.

Keywords: Governance, Risk Management, Compliance, GRC, GRC Solution

Table of Contents

CHAPTER 1...........................................................................................................................1

INTRODUCTION....................................................................................................................1
1.1 Introduction....................................................................................................................................... 1
1.2 Introduction to the Field of Study...................................................................................................... 2
1.3 Background to the Research Problem.............................................................................................. 4
1.3.1 Global Challenges..................................................................................................................... 4
1.3.2 Local Challenges...................................................................................................................... 4
1.4 Problem Statement........................................................................................................................... 5
1.5 Objectives of the Research............................................................................................................... 6
1.6 Research Questions......................................................................................................................... 6
1.7 Importance of the study.................................................................................................................... 7
1.8 Chapters Outline............................................................................................................................... 7
1.9 Summary.......................................................................................................................................... 8

CHAPTER 2...........................................................................................................................9

GRC LITERATURE REVIEW................................................................................................9


2.1 Introduction....................................................................................................................................... 9
2.2 GRC (Governance, Risk Management and Compliance).................................................................9
2.3 Integrated GRC............................................................................................................................... 10
2.4 GRC Controversies......................................................................................................................... 11
2.4.1 GRC Definitional Views........................................................................................................... 12
2.5 Stakeholder involvement................................................................................................................. 16
2.6 Perceived GRC Benefits................................................................................................................. 20
2.7 Related Work.................................................................................................................................. 23
2.8 Key Factors impacting GRC Utilisation...........................................................................................24
2.8.1 Avoidance............................................................................................................................... 24
2.8.2 Adoption.................................................................................................................................. 25
2.8.2 Communication....................................................................................................................... 27
2.8.3 Politics.................................................................................................................................... 28

2.8.4 Corporate Culture................................................................................................................... 31
2.9 Summary........................................................................................................................................ 34

CHAPTER 3.........................................................................................................................37

THEORETICAL FRAMEWORK..........................................................................................37
3.1 Introduction..................................................................................................................................... 37
3.2 Theory of Planned Behavior........................................................................................................... 37
3.2 DOI (Diffusion of Innovation)........................................................................................................... 38
3.3 Technology Acceptance Model....................................................................................................... 38
3.4 Resistance Theory (RT).................................................................................................................. 39
3.4.1 Resistance Theory in Information Systems (IS) research.......................................................41
3.5 Relevance of Theoretical Theories.................................................................................................42
3.6 Summary of the chapter.................................................................................................................. 43

CHAPTER 4.........................................................................................................................44

RESEARCH DESIGN AND METHODOLOGY...................................................................44


4.1 Introduction..................................................................................................................................... 44
4.2 Research Paradigm........................................................................................................................ 44
4.3 Research Strategy.......................................................................................................................... 45
4.4 Research Design............................................................................................................................ 45
4.5 Data Collection Technique.............................................................................................................. 47
4.5.1 Interview................................................................................................................................. 47
4.5.2 Observation............................................................................................................................. 48
4.6 Ethical Considerations.................................................................................................................... 49
4.7 Summary........................................................................................................................................ 49

CHAPTER 5.........................................................................................................................50

RESEARCH FINDINGS.......................................................................................................50
5.1 Introduction..................................................................................................................................... 50
5.2 Participants Demographics............................................................................................................. 50
5.3 Research Questions Re-visited...................................................................................................... 52
5.4 Findings Discussion.............................................................................................................................. 56
5.4.1 Lack of Involvement....................................................................................................................... 56
5.4.2 Limited Resources......................................................................................................................... 57
5.4.3 Insufficient Management/Business Support...................................................................................57

5.4.4 Lack of Ownership......................................................................................................................... 58
5.4.5 High Complexity............................................................................................................................. 58
5.4.6 Lack of Proper Project Approach................................................................................................... 59
5.4.7 Lack of Common Understanding................................................................................................... 59
5.5 Summary........................................................................................................................................ 60

CHAPTER 6.........................................................................................................................61

CONCLUSIONS AND RECOMMENDATIONS...................................................................61

6.1 Introduction...........................................................................................................61

6.2 Five Pillars of Effective Implementation..........................................................................................62


6.2.1 Avoidance............................................................................................................................... 63
6.2.2 Adoption/Deferral.................................................................................................................... 64
6.2.3 Communication....................................................................................................................... 66
6.2.4 Politics.................................................................................................................................... 66
6.2.5 Corporate Culture................................................................................................................... 68
6.3 Overall Recommendation............................................................................................................... 68
6.4 Conclusion...................................................................................................................................... 69
6.5 Further Research............................................................................................................................ 70
6.6 Limitations....................................................................................................................................... 71

REFERENCES.....................................................................................................................72

APPENDIX A: RESEARCH INTERVIEW GUIDE (Question themes)..............................73

APPENDICES

APPENDIX A: RESEARCH INTERVIEW GUIDE (Question themes).


APPENDIX B: INFORMED CONSENT FORM.

LIST OF FIGURES

Figure 1: Frame of reference.

Figure 2: GRC model.

Figure 3: Stakeholders illustration in GRC solution.

Figure 4: Stakeholders model.

Figure 5: Silo GRC environment.

Figure 6: Integrated GRC environment.

Figure 7: Culture process model.

Figure 8: Stakeholders culture’s model.

Figure 9: Generic model of resistance to IT.

Figure 10: Adopted resistance model.

Figure 11: Research based approach to the analysis of findings.

Figure 12: Identified findings.

Figure 13: Research questions.

LIST OF TABLES

Table 1: Governance, Risk and Compliance.


Table 2: Politics behaviours and characteristics.
Table 3: Participants demographics.
Table 4: Identified themes per participants.
Table 5: Identified themes vs Resistance themes.

LIST OF ACRONYMS

BP Business Process
BPR Business Process Reengineering
CEO Chief Executive Officer
CIO Chief Information Officer
DOI Diffusion of Innovation
ERM Enterprise Risk Management
ERP Enterprise Application Integrations
GRC Governance, Risk and Compliance
ICT Information and Communication Technology
IT Information Technology
IS Information System
MI Management Information
OCEG Open Compliance and Ethics Group
PWC PricewaterhouseCoopers
ROI Return on Investment
RT Resistance Theory
SOX Sarbanes-Oxley Act
TAM Technology Acceptance Model
TPB Theory of Planned Behavior
TRA Theory of Reasoned Action

CHAPTER 1

INTRODUCTION

1.1 Introduction

The aim of this chapter is to give a brief insight into this dissertation. The chapter first introduces
the field of study, followed by the background to the research problem, and finally the
problem statement, from which the goal and objectives of the study are outlined.

The key aims of the study are to understand how stakeholders perceive integrated approaches
to governance, risk management and compliance (GRC) and to investigate why such approaches are not fully
utilised, in this case in an IT organisation. The dissertation identifies the general issues and
challenges identified in the case study.

There are four components that drive GRC and form its frame of reference, namely:
a) Strategy,
b) Processes,
c) Technology, and
d) People.

Almost all of these components have been extensively studied and documented in order to
understand how they impact GRC success, and yet failure still occurs. However, people are the one
component that has not been fully reviewed or formally analysed in the GRC context.
The company and its key stakeholders need to understand the GRC solution in order to take full
advantage of it or to implement it fully and effectively. The literature review, in alignment
with the theoretical framework, discusses some of the common issues that contribute towards
ineffective implementation of an information system, namely Avoidance, Adoption, Communication,
Politics, and Culture.

Below, the term GRC, its origin, its meaning and how people view it are introduced.

1.2 Introduction to the Field of Study

This section introduces the field of study and discusses its main concepts.

There has been a naturally increasing interest in understanding what GRC is all about and the
reasons for its existence. Over the last decade, companies have increasingly focused on
Governance, Risk and Compliance (GRC) solutions because of escalating risks in the business
environment, corporate scandals, and a growing number of regulations. Racz et al. (2010b)
mention that PricewaterhouseCoopers noted that GRC is not a new term and that its various
elements have always been a concern to leaders in separate Governance, Risk Management,
and Compliance roles. However, the framework of an integrated GRC approach is new, and
when applied holistically it can provide competitive advantage and add value to an organisation.
Here, this integrated approach will be referred to as “GRC” or the “GRC solution”.

It remains a major challenge for organisations to fully understand the integrated approach to
GRC. Full awareness and understanding of the concept among people is often low and
inadequate. Racz et al. (2010b) note that in 2007 the Open Compliance and Ethics Group
(OCEG) conducted a study in which most companies revealed that their GRC convergence was not
yet fully implemented or achieved. Other concerns raised include duplication of
operational effort, unfulfilled audit requirements, policy enforcement, fraud prevention, and the
inability to achieve an integrated approach across a business because of inconsistent strategies and
processes and conflicting stakeholder expectations of GRC outcomes and capabilities.

GRC convergence (or the GRC solution) combines three distinct disciplines that in the past
existed in silos within organisations, namely Governance, Risk Management, and Compliance.
Rasmussen (2012) defines these three GRC terms as follows:
- ‘Governance’ refers to the culture, laws, and policies that characterise the way in which
companies are managed.
- ‘Risk Management’ is defined as a coordinated set of organisational activities aimed at
minimising negative potential events while realising opportunities for achieving a
company’s objectives.
- ‘Compliance’ is the act of conforming and showing adherence to certain laws, policies,
and regulations.

The table below presents the elements of Governance, Risk Management, and Compliance as
discussed by Broady and Roland (2011).

Table 1: Governance, Risk and Compliance
(Source: Broady & Roland, 2011)

Governance:
- Corporate strategy execution.
- Management of company policies and procedures.
- The way the policies and procedures are communicated.
- The way these policies and procedures are followed and updated.
- The way these policies and procedures are kept up to date.
- Controls management.

Risk Management:
- Unable to satisfy and comply with regulations (for financial reporting, trade, environmental
protection or safety).
- Unable to have adequate governance structures to keep a company under control and
effectively managed.
- Unable to identify early the operational risks that may have a significant impact on a business.

Compliance:
- External standards compliance.
- Internal standards compliance.

The most widely used definition of the GRC solution was given by Vicente and Silva (2011), who
define GRC as a holistic integration of Governance, Risk and Compliance, helping
organisations act ethically and react proactively to risk, policies and regulations through the
alignment of people, processes, strategy and technology (SAP, Oracle and others).

Information Technology (IT) is defined as the use of computing and telecommunications to
manage information. It involves the storage, processing, protection and retrieval of information. The
term is often used to refer to the entire industry (Olanrewaju et al., 2011). Integrated
Governance, Risk Management, and Compliance (GRC) is an emerging and important solution
in the Information Technology (IT) industry because it assists in automating processes, allowing a
business to proactively track risks and to simplify compliance and governance activities. However,
IT organisations are facing challenges in realising GRC’s full capabilities given its complexity and
wide scope.

1.3 Background to the Research Problem

Technology and applications have evolved over recent decades to become valued assets for
organisations. It is clear that managing resources manually is not appropriate if a
business aims to gain or maintain competitive advantage (Rasmussen, 2012). Consequently,
most IT organisations have opted for the implementation of an automated GRC solution as a
means to improve efficiency and productivity.

Integrated GRC emerged because previous approaches saw Governance, Risk and Compliance
managed in “silos” instead of as a complementary whole. This fragmented approach was not
appropriate for the new business environment, resulting in consequences such as the failure to
establish sound business processes and comply with new regulations (Dittmar, 2007).

1.3.1 Global Challenges


Since the 2002 Enron scandal, the US government has forced listed companies to comply with
tighter regulations such as the Sarbanes-Oxley (SOX) Act. With the emergence of new
regulatory interventions, GRC has become more popular and is a more effective means for
companies to ensure compliance. However, many companies still face challenges in
successfully implementing and using an integrated GRC solution (Tiazkun & Borovick, 2007);
hence, the potential benefits of GRC solutions have yet to be fully realised.

1.3.2 Local Challenges


A South African-based company has to comply with various regulatory mandates in order to
mitigate the risks associated with them. Complying with each regulation across the business has
always been a complicated, costly and lengthy procedure. Risks are not effectively managed, and
new threats introduced by new technology are difficult to track. It is difficult to enforce
compliance with policies and standards because they are managed manually. This has led to the
misuse of organisational resources and a loss of accountability within the organisation.
Processes are sometimes not followed, which makes it more difficult for management to make
informed business decisions. Hence, the need for an integrated GRC platform became obvious.

This company also provides GRC consultancy services to some of its clients that need
GRC expertise. It has consultants who are experienced and knowledgeable;
however, they work externally for clients and do not support the internal implementation of
GRC within Business Connections itself. The external consultants have limited knowledge of
their employer’s own GRC solution, as they are preoccupied with their work for external
clients. As a result, the internal GRC system appears to be supported only by internal employees
and is not fully effective.

1.4 Problem Statement

Company audit reports repeatedly identify shortcomings in corporate governance,
inadequate risk management and compliance breaches. These events result in loss of earnings,
theft of company resources, and damage to staff morale and company reputation. In addition to
these downsides, these failures deny the company the opportunity to capitalise on and benefit from
the positive outcomes which effective GRC can provide.

If firms like the IT firm used as a case study are struggling, if not failing, in their efforts to
implement effective integrated GRC solutions, it is likely that stakeholders’ perceptions or
understanding of GRC is a significant factor. do not fully understand the role that GRC
convergence plays in their organisation nor the benefits that it can provide. This confusion is
passed through to the stakeholders of the company, resulting in the GRC solution not being fully
utilised.

This study therefore enquires into the views of stakeholders that are likely to create barriers to
the effective implementation of GRC. These barriers, as the case study will show, include problems
of misunderstanding and adverse perceptions, giving rise to various forms of resistance to
implementing GRC.

1.5 Objectives of the Research

This research paper aims to look at GRC not only from a technological perspective but through a
behavioural lens, to understand what might enhance the ownership and adoption of the solution
by users. Given the existing challenges discussed above, the aim is to identify the perceptions and
behaviours of stakeholders towards the implementation of the GRC solution. Hence the objectives may
be described as follows:

Main objective:
To identify which stakeholder perceptions of GRC potentially create barriers to full and effective
implementation of GRC, particularly in an IT organisation or business.
Secondary objectives:
- To identify stakeholders’ understanding of GRC
- To identify stakeholders’ involvement in integrated GRC activities
- To identify the causes of failure of GRC implementation reported by stakeholders

1.6 Research Questions

Primary question:
- What are the perceived barriers among stakeholders to full GRC implementation?
Secondary questions:
- What is the awareness and understanding of GRC among stakeholders?
- How are stakeholders involved in GRC activity?
- What do stakeholders see as the threats to GRC implementation in an IT organisation?

These questions look at how stakeholders’ perceptions of GRC can prevent an effective
implementation. Stakeholders’ awareness, understanding, experience and involvement will be
the core areas investigated in order to find any barriers preventing
stakeholders from fully implementing the GRC solution.

1.7 Importance of the study

Integrated GRC is relatively new, so this research will enhance the current understanding of this
approach by highlighting the opportunities offered by the solution. Furthermore, it will analyse
stakeholders’ perceptions of (integrated) GRC in an IT organisation. It will identify some
key issues that contribute to the confusion around GRC implementation and expose the root
causes of this confusion.

The literature shows that while people in various roles are required to participate in the GRC
solution, the significant role that stakeholders’ perceptions play in achieving implementation is
not widely acknowledged (Spanaki & Papazafeiropoulou, 2013; Blythe & Machold, 2011).
Hence, there is a gap in the literature focusing on the ‘people factor’ in GRC implementation.

This dissertation will argue that, if integrated GRC is to save a company effort, time and cost,
and deliver more productivity and a more effective operational capability, companies will need to
understand their GRC solution through stakeholders’ eyes in order to take full advantage of
their GRC processes.

1.8 Chapters Outline

This section provides an outline of the rest of the chapters as follows:

CHAPTER 2: A GRC literature review, which includes issues to be considered

This chapter focuses on reviewing other people’s work. Various books, articles and journals were
reviewed with the aim of outlining what is already known about the topic in question. Importantly, related
work, concepts and the different pillars are discussed in this chapter in order to investigate the current
gap.

CHAPTER 3: Theoretical Framework

This chapter discusses the theoretical framework that was followed to guide the study. Several
models were considered in order to pick the model that would best assist in
addressing the research questions in line with the research objectives.

CHAPTER 4: Research methodology and design

This chapter presents the methods that were used to collect the data. Each method
applied in this study is justified as to how and why it is suitable for this particular
study. The stakeholders who participated in this study are presented, together with the method of their
selection.

CHAPTER 5: Data analysis and results

In this chapter, the research data gathered from the interviews and observations are
presented. The data were grouped into the seven themes that appeared most often during
the interviews. The aim of this chapter is to regroup or relate these themes to the pillars
identified in the literature review.

CHAPTER 6: Conclusions, recommendations and further research

This chapter interprets the findings from the case study. After the themes have been regrouped under
these four pillars, recommendations are made per individual pillar found and
discussed in the literature review, and then a final recommendation is made to conclude the
dissertation.

1.9 Summary

This chapter serves as a guide to this research and shows the importance of conducting this
study. It also provides insight into the rest of the chapters. The research problem, the background to
the research problem, the problem statement and the research contributions are introduced. The literature
review is conducted in the next chapter.

CHAPTER 2

GRC LITERATURE REVIEW

2.1 Introduction

Chapter 1 introduced the topic of Integrated GRC by discussing the concepts behind integrating
those three terms and highlighting some benefits and controversies around it. It also covered the
aim of the research, research objectives and methods to be used conducting this study.

9
This chapter reviews the existing literature with respect to integrated GRC. The approach to this
review will be as follows:

1. Clarify and elaborate on the GRC terms, followed by the integration concept, in order to
assist in better understanding GRC and its issues.
2. Discuss the debates about what GRC represents and what it means.
3. Describe the perceived benefits.
4. Explore the stakeholders involved and their roles.
5. Discuss some of the key issues arising from Resistance Theory within the GRC
environment.

2.2 GRC (Governance, Risk Management and Compliance)

GRC was initiated in order to enable governance, risk management and compliance to
communicate, as already discussed in chapter 1 under the introduction to the field of study.

In many companies, most of the GRC functions have separate operations and focus, led by
different people who may not necessarily communicate (Dennings et al., 2013). However, instead
of treating these functions individually, organisations can employ GRC suites that provide a
holistic view of business processes, controls and applications. Dennings et al. (2013) further
emphasise that the GRC framework seeks to integrate policies and procedures, ensuring that
they are rolled out to the rest of the business and not only to the governance, risk or compliance
functions. The frame of reference shown in Figure 1 is widely used and depicts all the
components to be considered when implementing GRC (Racz et al., 2010a).

Figure 1: Frame of reference
(Source: Racz et al., 2010a)

2.3 Integrated GRC

Over the last decade, companies have increasingly focused on an integrated Governance, Risk
and Compliance (GRC) solution because of escalating risks in the business environment,
corporate scandals and a growing number of regulations (Hayden, 2009). Although GRC
services within a business are fairly new, the need to implement and exercise controls has
always existed because of the regulations and standards constantly imposed on business. Racz
et al. (2010a) noted that PricewaterhouseCoopers considered that governance, risk management
and compliance are not new terms but had always been of concern to leaders working in those
fields. The perception of an integrated GRC is, however, new, and it is still a major challenge for
organisations to fully understand and apply this integrated approach to GRC. Awareness of this
concept among stakeholders is considered to be very low and inadequate. Racz et al. (2010b)
reported that, in a survey conducted by the Open Compliance and Ethics Group (OCEG) in 2007,
most companies revealed that their GRC convergence had not yet been achieved.

GRC is widely discussed because it is relevant for all industries and sectors all over the world
and has an impact across all functions in a modern enterprise (Dittmar, 2007). Pooja (2014)
describes GRC as more than a catchy term used by consultants and technology vendors. It is an
approach to doing business which helps in harmonising a complete and coherent view of
governance, risk and compliance. Furthermore, it is about the sharing and collaboration of
information across the business, providing a 360-degree view of risks and compliance while
identifying interrelationships in today’s complex business environment.

GRC helps to address the regulatory burden in organisations of all sizes across every industry.
The burden of managing compliance extends from board to staff and from employees to third
parties, involving every function within the company. Many GRC initiatives tend to focus on
strategy, processes and technology, neglecting the human dimension or the role that people play
in a successful GRC (Blythe & Machold, 2011). These authors further lamented that even the
best GRC, without people’s commitment, will eventually fail. GRC incorporates legal, risk, audit,
compliance, IT, ethics, finance, line of business and other functions working together in a
common framework.

2.4 GRC Controversies

GRC is viewed differently by companies and stakeholders, creating confusion about what it is
and its primary intent. Different companies understand GRC differently: some view it as a
security task, others as a fraud and audit function. Many companies still consider it the
response to the Sarbanes-Oxley Act (SOX) (Shahim et al., 2012). This was supported by Gill
and Purushottam (2008), who point to GRC as a system that also assists companies in managing
other regulations such as Basel II and J-SOX.

A key challenge is that each of the individual terms has a different meaning across an
organisation making it difficult to understand the integrated meaning of those terms in the context
of GRC. According to Racz et al. (2010c), most organisations find it difficult to realise and build a
relationship between the GRC terms - governance, risk, and compliance. Their paper showed
how the three terms can be used together rather than be perceived as a burden.

According to Hardy and Leonard (2011), if one were to ask an IT professional what GRC is all
about, the answers would more likely address the individual definitions of governance, risk
management or compliance than comprehend an integrated approach. Hardy and Leonard
(2011) argue that the source of confusion originates from vendors who sell GRC as a
technology without understanding what it really is.

The range of different perspectives on how GRC is defined by different professionals is set out
below.

2.4.1 GRC Definitional Views

• GRC is like any other tool that monitors financial controls in ERP in order to improve
governance and automate audit processes (Caldwell & Proctor, 2009).

• Investopedia (2014) describes GRC as an integrated approach that is used by companies
in accordance with the guidelines set through governance, risk management, and
compliance.

• Steinberg (2011) defines GRC as the latest evolution of governance, risk, and compliance,
used to describe the processes and software that run the business world. It helps
companies manage their business better by deriving competitive advantage.

• Gartner (2011) defines GRC as the automation of the management, remediation, and
reporting of risks and controls against the company’s objectives, taking into consideration
regulations, standards, and policies.

• The Open Compliance and Ethics Group (OCEG) describes GRC as the way in which
organisations strive to understand their stakeholders’ expectations and then directly
manage activities to increase performance against those expectations while complying
with regulations and managing associated risks. This definition was quoted by Pooja
(2014) and was derived from a number of consultants, vendors, legal, internal audit, and
other practitioners from OCEG member organisations.

• The officially used definition of GRC was given by Vicente and Silva (2011), who define
GRC convergence as a holistic integration of governance, risk and compliance, helping
organisations act ethically and react proactively to risk, policies, and regulations through
the alignment of people, processes, strategy, and technology.

Because of the variances and debate about how GRC should be defined, Pooja (2014) took a
different approach, arguing that it is easier to define what GRC is not. Thus GRC is not:
• About technology only, although technology plays a vital part
• Just about financial controls
• About the label of services that consultants provide
• About enterprise risk management (ERM), although it encompasses ERM
• About governance or risk management as separate individual issues.

According to Pooja (2014), companies must understand that vendors tend to define GRC to suit
their strength of offering and companies must not limit their discussion according to a GRC
technology vendor’s agenda. Pooja (2014) further advises companies to define GRC according
to their requirements and what works for them and not according to GRC vendors’ priorities or
interests. Companies should define GRC to fit and support their business strategy, not
influenced by vendors’ bias. They should have a GRC strategy and challenge the vendors to
meet it (Caston, 2008).

Because of the lack of knowledge and understanding about this integrated GRC solution,
organisations expect instant benefits while investing little time in human resources. As noted by
Vicente and Silva (2011), organisations need to be patient and not use GRC to specifically solve
any instant business issue. According to Rasmussen (2011), most IT organisations treat GRC
convergence merely as a technology. Rasmussen (2011) insisted on the fact that GRC is not a
technology but a suite of initiatives enabled by technology to implement the GRC solution.

In a similar vein, Dittmar (2007) in his study recommended avoiding GRC definitional
debates, since there is no scientific definition of this term, thus leaving room for vendors and
consultants to derive their own definitions to suit their services and products. Companies
need to customise it according to their objectives and challenge GRC vendors to offer and set up
GRC according to the company’s specific needs. Racz et al. (2010a) support this view by
pointing out that there really is no common understanding of GRC among professionals.

According to Caldwell (2014), many people are totally against this integrated solution. They
believe that integrated GRC does more harm than good and that it is almost impossible to have
these three disciplines function in tandem. Gartner (2011) argues that any technology has its
pros and cons. Consequently, companies need to take a proactive approach to managing the
risks that are associated with the constraints of GRC. According to Thiruvadinathan (2014),
GRC should include security (s) and privacy (p) to be a complete model. Figure 2 shows how
security and privacy fit into the GRC model, represented as GR (RP) C.

Figure 2: GRC model
(Source: Thiruvadinathan, 2014)

According to Fernando (2011), the ‘C’ in GRC stands for Control rather than Compliance. He
also shares some of the challenges that come with GRC, as stated below.

Challenges associated with GRC:

• Unique business function requirements – Most business units/functions have special
systems to meet their specific needs, which encourages individualised practices and
processes that do not synchronise with the rest of the business.
• Entrenched legacy systems and processes – Stand-alone systems hold isolated
information that is difficult to integrate and expensive to replace.
• No agreement on who owns GRC – There must be a visible GRC champion, otherwise
multiple functions start separate, isolated initiatives or simply fail to participate. The
challenge remains in selecting the right champion, of which the Chief Financial Officer
remains a strong candidate to own GRC because of the enterprise-wide perspective and
Return on Investment (ROI) interest the position holds. Having said that, depending on
how the company is structured, any of the executive members may have the potential to
own GRC.

Jan (2010) addresses some of the challenges in undertaking GRC initiatives as follows:
• IT infrastructure lacks the advanced capability to handle GRC initiatives properly.
• Difficulty aligning corporate objectives with operational execution.
• Difficulty integrating compliance data and risk.
• Limited budgets to support GRC initiatives.

Epicor (2007) concludes that the risks of not implementing GRC are worse than those of
addressing it head-on. Without GRC, companies face:
• Exposure to risk and the liability of financial penalties arising from compliance failure;
• Increased fragmentation of people, process and technology;
• Excessive drag from anything limiting the company’s opportunities;
• Wasted time and resources.

Most companies rely on manual compliance processes; hence they struggle to effectively
manage risks. This shows up as a top contributor to audit findings (Rossiter, 2007).

The main question for those exploring GRC is how to get started with the right approach. There
must also be a success evaluation path that can help validate efforts through tangible benefits.
Because of the complexity of this solution, the shortage of expertise, resistance to change and
the cost of implementation, companies are moving only slowly towards realising this integrated
solution, if they consider it at all. Hence the debate continues as to whether GRC convergence is
worth practising in an IT organisation.

2.5 Stakeholder involvement

According to Aldrich and Anderson (2014), GRC must be marketed internally, using a common
language that is understandable by the company’s employees. The authors emphasise that
through feeding and proper care of people, GRC can grow deep roots within the organisation.
The company stakeholders who play a major role in the success of the GRC initiative include the
following:

Figure 3: Stakeholders illustration in GRC solution (the figure shows Vendor, Management,
Administrator, Consultant, End User, Sponsor and Auditor around GRC Stakeholders)

Vendors: The main role of the vendors is to assist companies in establishing their GRC strategy
and to help select the appropriate tool to support the strategy.

Strong Executive Sponsor: The main role will be to influence the strategic vision and support the
GRC team. Limited support from senior executives will often cause the program to fail, so
objectives, milestones and deliverables must be clearly stated to provide visibility of progress
(Mcclean, 2009).

Dedicated Management team: Accountable for developing and maintaining the communication
plan by setting the GRC goal and communicating it to all subordinates. The management
team leads the implementation strategy, assists stakeholders in understanding the bigger picture
and resolves issues (Donnelly & Tran, 2009).

Technical Consultants: Provide the GRC expertise and assist with the implementation
strategy, defining system landscape, user management strategy, and provide the GRC team with
guidance (Donnelly & Tran, 2009).

GRC Administrator: Responsible for administration and configuration of the GRC software.
They are the main members of the IT Security team and must participate in defining the GRC
strategy (Donnelly & Tran, 2009).

Internal Auditor: Assists in identifying risks and affirms that internal management processes meet
the audit requirements on an ongoing basis (Donnelly & Tran, 2009).

Security officer: Bridge the gap between IT and business by communicating Corporate IT
policies and ensure continuous compliance (Mitchell, 20075).

Corporate officer: Ensures compliance with increasingly demanding regulations and minimises
the risk of non-compliance. Also administers the policy management process that ensures that all
stakeholders have an accurate view of all policies (Mitchell, 20075).

End User: According to Rasmussen (2013), GRC is everyone’s job in the organisation and
companies need to emphasise that. The user experience of GRC has always been neglected
and for GRC to be successful, employees must always be engaged. GRC solutions should be
able to deliver an exceptional end-user experience: getting employees involved by providing
intuitive interfaces into GRC that is social through conducting risk workshops and understanding
compliance in a business context (Rasmussen, 2013).

Blythe and Machold (2011) focused on the human characteristics and actions that make GRC a
success. They sought to influence people to establish a culture of ethical consideration when
doing GRC. The US Army’s “Be, Know, Do” model of leadership was used to help the board,
managers and supervisors to foster a thriving GRC culture. This model is often used when
companies are struggling to have GRC supported by staff.

The above discussion shows the importance of engaging every stakeholder so that they
understand the primary role they play in producing a thriving GRC. Should any stakeholders not
understand their role, it can lead to confusion caused by resistance to supporting the initiative.
Understanding their role means understanding how GRC is done. The majority of organisations
still do not fully understand the term GRC, let alone the relationship among its terms. It has
been claimed that there is no common understanding of GRC among professionals (Racz et al.,
2010a). Professionals and organisations need to understand that the silo approach to the
management of governance, risk and compliance is failing organisations in a fast-paced
environment.

Numerous surveys have been conducted, aimed at executives and other practitioners (risk and
compliance professionals, auditors, chief risk officers, CIOs and CEOs) involved in GRC
programs, around what individuals understand to be best GRC practice. The idea was to equip
people with the knowledge required to embrace GRC and implement it correctly; however, they
were done only for scientific study purposes, not to achieve the required change (Stephane,
2014).

Communication between departments is not easy when defining risk, because the element of
risk is often unique to whether it is the Human Resources, Finance or Operational department.
GRC should not be considered static, since companies face a lot of pressure from dynamic
competition and from operational and financial shifts, so they must keep their GRC dynamic too
(Epicor, 2007). Another main challenge remains how to garner management support to embrace
the GRC initiative. Organisations must be proactive rather than reactive in managing their GRC.
Hence, management buy-in is an important factor in staying ahead of the business challenges
that GRC can manage.

The model below illustrates the importance of engaging people to deliver or implement
successful GRC, with its emphasis on people driving the business process and its effect on
achieving high performance (Thiruvadinathan, 2014).

Figure 4: Stakeholders Model
(Source: Thiruvadinathan, 2014)

2.6 Perceived GRC Benefits

An effective GRC solution assists companies with the management of resources and the
alignment of business processes. GRC management assists companies to improve their
operational effectiveness and gain financial control; however, companies often lack the
initiative, capability and technology enabler to give proper effect to GRC (Reference same as
GRC diagram). According to a vice president and Gartner Fellow in Gartner Research, the GRC
approach allows all risk management and compliance professionals to share risk and control
information, eliminating any inefficient overlaps between risk management and compliance silos
(Caldwell, 2014; Gartner, 2011). Nissen and Marekfia (2013) mentioned that it is easier to
reinforce compliance and promote IT security awareness throughout all departments of an
organisation when GRC is in place, and projected that in the near future companies will have
the GRC solution tightly integrated with business operations.

GRC can also attract investors by building trust in a company targeted for investment. Harries
(2011) mentioned that GRC gives customers confidence that the organisation will operate for
many years to come; hence companies with GRC practices are given priority by investors.
Furthermore, he claims that there has been an increase in demand for organisations to comply
with specific frameworks and regulations, and GRC is considered an appropriate solution. Kark
(2008) asserted that integrated GRC enables these three disciplines to work together, as they are
interlinked and present important synergies. When used together – not in silos – throughout the
company, they are able to provide a good view of an IT environment and ensure accountability
within a company. Companies without a GRC solution in place are perceived to manage their
governance, risk and compliance activities manually, hence costing more and wasting
resources (Frigo & Anderson, 2009). A mature approach to GRC helps connect the links
between risks, policies, compliance and overall business performance improvement.

GRC is increasingly deployed within IT organisations to improve security levels within
companies. It was found that GRC can play a vital role in a company achieving its objectives:
with GRC in place companies remain competitive, as the software reduces costs and provides
continuous monitoring and automated controls (SAP, 2009). As companies struggle to reduce
technology barriers, GRC has proved to be one of the most effective solutions. GRC has become
a new attraction in the IT market, to the extent that most ERP vendors are investing more in this
solution (Kelly, 2009).

Issues that threaten the company objectives are more easily managed. This integrated solution
saves companies cost, time and assets, making it possible to focus on other important aspects
of the business. According to Jan (2010), in a report aimed at providing guidance on achieving
effective GRC, it was found that top-performing companies had focused on GRC strategy,
business process evaluation and technology analysis, and that this assisted in differentiating
them from competitors, growing their business and reducing costs. The final recommendations
based on the surveys were:
• Align staff accountability to corporate objectives.
• Find a platform to promote collaboration to ensure visibility of financial, strategic and
operational plans.

GRC promotes staff accountability. It ensures that corporate objectives are met hence it must be
considered as a key element to the growth strategy. Most companies use GRC to improve
information visibility and process effectiveness in order to enhance new market opportunities.
GRC assists by automating the company’s processes however it can be expensive and can thus
fail to be taken up due to other priorities.

Key Benefits of GRC Management for Executives

• Instilling effective compliance in executive and staff agendas
• Comprehending risks in money terms, long- or short-term risk
• Prioritising organisational initiatives in terms of risk level
• Meeting compliance requirements while creating revenue opportunities.

The following diagrams show how a corporate environment can be transformed from a silo
approach (figure 5) to a well managed integrated environment (figure 6) through GRC
implementation.

Figure 5: Silo GRC Environment
(Source: Complianceweek, 2006)

Figure 6: Integrated GRC Environment
(Source: Complianceweek, 2006)

2.7 Related Work

A PwC study done by Menzies et al. (2007), showed how an Enterprise Resource Planning
(ERP) system such as SAP could support companies towards GRC convergence and
processes. It was found that companies are able to derive benefits through integrated reporting
functionality and replace the burden of duplicative compliance, because it lays out a holistic
approach. This study was conducted at a high level but does not identify the role played by
stakeholders. It only provides an overview of the GRC role.

Another study, conducted by Spanaki and Papazafeiropoulou (2013), analysed the GRC
implementation process. Interviews were conducted among stakeholders. The idea was to
produce an implementation plan and highlight the areas where stakeholders should pay attention
during the implementation process. However, this study only focuses on the stakeholders that
are directly involved in the GRC implementation process. It failed to engage other personnel who
administer the solution and who are critical to achieving GRC solution and implementation
success on a daily basis.

Another study, by Racz et al. (2010b), analysed how integrated GRC is perceived by GRC
professionals in large organisations. A survey was used to collect data, and it was found that
GRC was an ongoing topic that requires more research. It also found that there is a lack of a
common forum for professionals to communicate and share experiences of GRC outcomes. The
study used a survey method to assess the understanding of professionals. However, this did not
allow stakeholders to express their views in detail, and it focused on organisations from
industries other than IT.

Another study, by Wiesche et al. (2011), sought to understand the impact of GRC on an
accounting business. Observation of the data through control coherence and automation
revealed that the GRC initiative contributes to a more effective control system. The literature only
focuses on the impact of GRC on an accounting business at a high level, not addressing the
impact on stakeholders.

2.8 Key Factors impacting GRC Utilisation

There are five factors that create potential barriers to the effective adoption and implementation
of GRC solutions. The researcher derived these factors from observations, from theoretical
frameworks and from what others have written about their contribution to the difficulties of
implementing IT projects. These five elements are discussed below in further detail:

• Avoidance
• Adoption
• Communication
• Politics
• Culture

It is anticipated that other factors will surface as further research explores the issues standing in
the way of fully integrated GRC adoption and implementation. However, the selected factors are
deemed appropriate to start with.

2.8.1 Avoidance

In this study avoidance is treated as similar to resistance. Avoidance occurs when stakeholders
find it difficult to accept new technology in their environment. It has been discussed in several
papers, where it was found that users find it hard to let go of incumbent systems and switch to
newly introduced ones. According to Polites and Karahanna (2012), this finding is more valid in
relation to older generations than younger ones.

Avoidance is regarded as one of the main hindrances that drive new systems projects to failure,
and hence it needs to be managed and understood. According to Kim and Kankanhalli (2009),
organisations must support and ensure flexibility to change, as this reduces user avoidance.
Lapointe and Rivard (2005) added that when a new system is introduced, stakeholders will
assess it and, if the consequences are threatening, avoidance behaviours will surface.

Avoidance behaviours can be non-verbal, demonstrated by reactions ranging from passive to
active avoidance, from non-cooperation to physically destructive behaviour. Elements of passive
avoidance include lack of interest, delaying tactics, excuses and withdrawal. On the other hand,
active avoidance includes voicing opposing views, making threats, or strikes (Markus, 1983).
Avoidance is viewed as a means by which users can show their dissatisfaction with the system.
There is extensive debate around the positivity and negativity of avoidance. Keen (1981),
however, associated avoidance with a black box, saying it can only be situational.

Countless costly ICT projects fail because they were not successfully received by the intended
users, and the explanation has mostly been resistance and fear of change.

Stakeholders do not always intentionally resist change. They react to a perceived threat that
comes with change. According to Markus (1983), people will likely use the system only when
they think it will empower them or their decision making. Hence it is essential that everyone
involved in the change be aware of the pros and cons of the system and how it will affect them.

Humphries (2014) quoted Rittershaus at the IT Web Summit 2014 claiming that employee
avoidance of GRC is a common problem in companies worldwide, including South African
companies.

2.8.2 Adoption

Adoption is about how stakeholders accept new technology into an organisation. According
to Markus et al. (2000), whether adoption happens early or later on, the competitive nature of the
organisation can be significantly affected by that decision. Although early adoption provides
competitive opportunities, it also carries some risks, as the technology is still new. On the other
hand, while late adoption is a safer approach, as the technology has been tested and proven, it
can cost organisations as they play catch-up (Applegate, 1994).

There is a lot of discussion about the advantages and disadvantages of early or late adoption
within the ICT environment. Management staff have a significant influence over stakeholders’
adoption. There are multiple approaches to adoption; Smith (2010) lists three which are found in
the technology adoption cycle:
• Early adopters – driven by business benefits but with an interest in new technology.
• Early majority – who keep an eye on deployment by the early adopters and then buy.
• The late majority – who follow a similar approach to the early majority but are less
confident in their ability to adopt new technology.

According to Chang and Shaw (2005), the best business approach to the adoption of emerging
technology is timely adoption. It has been proven to provide companies with a competitive edge;
however, it begs the question as to when “timely adoption” should occur.

Carr (2004) argues that companies should stay away from emerging technologies to avoid the
risks that come with it. A new technology often comes with bugs and can cause companies
enormous problems. Hence, he believes companies should learn from early adopters and base
their decisions on the experience of others.

A primary driver for adoption comes from companies being under considerable pressure from
competitors. This pushes managers to take aggressive measures to improve efficiency. It is
proven that good alignment of business strategy and ICT gives companies a competitive
advantage.

Rouse (2003) argues that adoption goes further than just choosing when to adopt a technology.
There needs to be commitment to use and incorporate the new technology in the business.
Therefore, there is a need to understand the technology and how the company will benefit from
it. There is also a need to raise awareness and recognition of the technology’s existence and
ensure that the new technology is used in business development. Hindle (2004) proposes that
companies must constantly make technology adaptable to handle new business opportunities.
Doing so can enable them to experience abundant wealth and success.

2.8.3 Communication

Behind any successful implementation there is good communication. The progress of a project
must be communicated to all stakeholders involved. Everyone involved should have a
clear picture so that they become part of the change from the beginning. “Communication is the
oil that keeps everything working properly” (Somers & Nelson, 2001). Stakeholders must not be
introduced to the system at the last minute, when they are expected to be involved. As noted by
Starling (1993), the technical team often communicates or shares information less than it
should. Good communication must be established from the beginning of the project until the end,
as it links project participants (Nicholas, 1989).

However, technical team tasks are driven by and focused on deadlines, often neglecting the
communication imperative. As a result, it is unlikely that they will share knowledge, even when
they are believed to be effective communicators. This was reported by IT business respondents,
who rated IT technical team communication levels low (Ives, 2005).

According to Garvin (2000), there is a lack of incentive within the ICT environment to share
knowledge. Organisations emphasise the fact that knowledge is power, however stakeholders
may be finding it difficult to share knowledge as this might be perceived as losing power and
having a negative impact on responsibilities and remuneration.

One risk is that ICT technical team members use technical language that makes it difficult to
communicate anything outside their environment, or for other stakeholders to understand what is
being communicated. ICT project technical staff need to improve their communication,
especially with end users and other business participants. The research conducted by
Campobasso and Hosking (2004) warns of the danger of underestimating the communication
role.

Beath et al. (1994) also comment on how ICT and other users have a communication problem
because of different language bases. Thus, communication and transfer of information are likely
to be more effective between business units with similar interests or skill sets (in terms of
language and goal orientation) than between highly differentiated ones (Tushman, 1978).
However, a project like GRC must engage a range of different functions across the company.

Communication is about listening too, which means that effective listening and knowing how to
ask relevant questions at the right moment are critical (Kersey, 1999).

According to Kontoghiorghes (2005), communication should be encouraged, open and shared
freely rather than imposing a final product on users, as the latter runs a higher risk of rejection.
Stakeholders must be educated, persuaded, and then encouraged to participate in any new
system.

2.8.3 Politics
The nature of corporate politics differs from company to company, which makes it difficult to define.
However, whatever definition a company uses, the end result is political behaviour.
Pinto (1998) defines politics as behaviour that is intended to benefit groups or
individuals at the expense of the company.

Companies deal with politics differently. Some are quick to condemn it, whereas others take a
passive approach to addressing it. Even newcomers with little experience in a company have
encountered politics in their careers. Senior, experienced managers seem surprised by the
extent to which politics affects their subordinates. It is very important to understand the
impact of politics, as it can negatively affect project implementation (Pinto, 1998).

According to Cacciattolo (2014), politics can be caused by many factors. Some of the factors that
leaders have to consider include resource allocation, lack of authority in an organization, unclear
goals, autocratic decision making and uncertainty. All these factors are organization
dependent.

While not denying the negative side of politics, Pinto (1998) also argued that politics is a
natural aspect of organizations that must be acknowledged, and that organizations must understand its
nature. For example, for a decision to be taken there has to be a problem induced by politics,
and the solution to such problems is often directly linked to policy updates. Organizations are
advised to define, or form a view of, the role of politics in their environment. Politics can be
used to benefit the organization.

However, many people believe that politics is harmful and unhealthy to
organizational goals. The earlier politics is addressed, the sooner the organization will start
improving its operations and employee relationships.
According to Mintzberg (1983), people in a corporate setting are likely to follow one of the three
political behaviours below:
• Naïve – These individuals find politics unappealing, do not get involved in any
political activities and do not allow politics to influence their conduct.
• Sharks – Not many people take the shark approach. They use political objectives to
drive their own objectives. They are likely to manipulate and influence their colleagues for
their own benefit.
• Sensible – These individuals understand and accept the existence of politics, mainly from
experience; however, they do not necessarily practise it. Unlike the sharks, they would use
politics to win deals and gain contacts for the organization's benefit.

The detailed characteristics of these political behaviours are set out in the table below.

Table 2. Politics behaviours and characteristics

Characteristic        Naïve                          Sensible                                Shark
Underlying attitude   Unpleasant                     Necessary                               Opportunity
Intent                Avoid at all costs             Used to further department's goals      Predatory and self-serving
Techniques            Tell it like it is             Network, expand connections, use        Manipulation, use of fraud and
                                                     system to give or receive favours       deceit when necessary
Favourite tactics     None, the truth will win out   Negotiation, bargaining                 Bullying, misuse of information,
                                                                                             cultivate and use friends and
                                                                                             other contacts

Whichever of the characteristics in the table above a stakeholder adopts, Brown & Hyer
(2010) discuss some common, generally unbiased perceptions of politics that are shared by
stakeholders:
• Most managers view politics negatively and believe that negative behaviours waste
organization time and resources.
• Managers agree that politics is common to all organizations.
• Most managers believe politics is more prevalent among senior people than among lower-level
employees.
• Managers believe political behaviours usually surface when there is a new
implementation or structural change within the organization.

One of the reasons politics is so important during implementation is that the implementation
process itself is political, often because stakeholders view it as a loss or gain of power,
which is threatening. Mintzberg (1983) advises managers to be aware of the political games that
stakeholders can play. These games are listed below:
• Gaining support from a higher power source or sources – sponsors and lobbying
• Alliance or coalition building – deals and mutual support or defence
• Controlling a critical resource – money, people, information and expertise
• Controlling the decision process – control of decision criteria and short lists
• Controlling the committee process – agenda, memberships, minutes
• Use of positional authority – rewards and coercion
• Use of the scientific element – planning and control
• Deceit and deception – secrecy, hidden agendas or objectives
• Information – distortion and withholding
• Miscellaneous games – divide and rule, and whistle blowing

GRC leaders must acknowledge the existence of politics within the company and address it head-on,
because it can have a major impact on the project.

According to Pinto (1998), project leaders often underestimate the power of politics in a project,
increasing the chance of project failure.

When political behaviour surfaces, leaders are likely to respond in one of the following ways:
• Denial – where they shift the blame to a communication misunderstanding
• Acceptance without engaging – leaders must get involved in order to learn the nature of the
politics and channel it in the right direction
• Recognition without advice – leaders must be armed with strategy and guidance when
political activities surface

Uncontrolled politics can come to be seen as acceptable, spreading until it is perceived as part of
the organization's culture. Culture is discussed in detail below.

2.8.4 Corporate Culture

Corporate culture is defined as a set of values, beliefs, and patterns of behaviour that give
character to an organisation (Shili, 2008). Every person and function in an organisation is
involved in the GRC initiative in some way. Whether or not the company's overhead increases,
success is totally dependent on the day-to-day conduct of employees' work.

According to Rasmussen (2012), the GRC culture within an organisation should not simply be
imposed from the top down; rather, it must be managed from the leadership level and carried
down through the organisation by the individual departments. Each must know and understand
what has to be done and be held accountable. Everyone must understand that their actions have
an impact on the success of GRC implementation and operation. Companies expect their
employees to work in accordance with their policies and procedures; however, employees may
not be equipped with the proper tools to help them work within those rules. More importantly,
they may not understand the fundamental reasons for the policies. Sometimes employees are not
even trained to support compliance requirements or any related GRC requirements (Dennings et
al., 2013).

Most companies are adopting ethics and corporate social responsibility in their GRC model as
drivers of their behaviour management models. Some leading organisations are recognising the
importance of planning and, as a result, are mapping their organisational cultures to
their objectives and targets. Thiruvadinathan (2014) describes the process below for controlling this
corporate environment and promoting a good culture through effective planning.

Figure 7: Culture process model
(Source: Thiruvadinathan, 2014)

There is increasing evidence that an organisation's culture can significantly affect corporate
objectives. To ensure the smooth running of GRC initiatives, organisational culture needs to be
taken into account (Dennings et al., 2013). Mcclean (2009) mentioned that the true success of
GRC can only occur when it is embedded within the organisation's culture. Employees should be
encouraged to uncover issues, raise concerns and be honest. This will ensure support and
participation.

According to Corestream (2013), there is no "one size fits all" in applying GRC, but there are
common threads that can drive GRC to success. Corestream (2013) defines GRC as a
combination of practice, programme, and culture. Employees who understand the value and
importance of GRC are more likely to embrace it than merely comply passively. Mandating
policies can create a desired culture; however, it can also create a divide between business
stakeholders and the enforcer (risk management team/auditors). Hence adoption is sometimes
encouraged by giving incentives to all stakeholders, from top to bottom.
Corestream (2013) proposed a framework that can assist in promoting the right culture within the
organisation (see figure 8). This model illustrates two sides:

On the right side, the board has to initiate the incentive strategy and push it down to
management, whose role revolves around educating their employees until they embrace or
understand the "big picture" and where they fit in.

On the left side, meaningful management information flows back once employees embrace
the change, allowing management to make informed decisions, which in turn results in the board
being satisfied and assured.

Figure 8: Stakeholders Culture's Model
(Source: Corestream, 2013)

According to Humphries (2014), GRC should not be viewed as policing, because people will
always find a way around policies and rules. People should be empowered so that their mindset
changes to support the initiative. GRC should not be considered just another project, but a
key cultural change process.

2.9 Summary

Most of the research conducted on GRC initiatives is high level and does not engage all the critical
stakeholders that play a major role in the success of GRC. GRC is about a culture in which
everyone is involved (Tarantino, 2011). Tarantino (2011) emphasised the importance of keeping
stakeholders involved and understanding their views when doing GRC. This has been
supported by Vicente and Silva (2011). Most research that is carried out is based on surveys by
companies aiming to promote their GRC products or technology (Proctor, 2014). Both Paul and
Olive (2012) based their findings on such surveys, conducted across different companies and
targeting senior management.

Farrel and Engels (2012) reported some findings from these surveys as follows:
• Surveys show that there has been an increase in demand to improve GRC, and senior
management is identified as the main driving force (Farrel & Engels, 2012).
• Although most respondents mention and recognise the need to improve GRC
convergence, few label it as a priority in their organisation.
• The main barriers for many are seen as the complexity of integrated GRC, lack of
resources and lack of expertise.
• It is difficult to allocate GRC responsibility and to identify the specific business area or function that
must take ownership. Most functions continue working as silos due to poor
coordination.
• Some people struggled to find the link between risk and compliance activities.
• Most companies found it difficult to build risk awareness because of a lack of coordination
among GRC activities, and the cost of these activities seems to be increasing.
• The majority of respondents view GRC as costly to invest in, and it is seen as consuming
large portions of revenue available for other uses.
• Many companies suffer cultural resistance when trying to achieve GRC.

This chapter has canvassed the definition of integrated GRC, its perceived benefits and the five
factors inhibiting the achievement of these benefits. In each case, it has become increasingly
clear that the perceptions and engagement of stakeholders are central to the successful
implementation of GRC.

While the literature addresses the complexity, benefits and barriers of GRC (Reference), the
importance of stakeholder perceptions is not extensively addressed in the studies identified.
Although there is little literature on stakeholders' perceptions of GRC, general reviews of ICT
projects gave sufficient support. Most studies tend to focus on the process and strategic side,
neglecting the human side of GRC (Reference). As pointed out by multiple researchers, such as
Blythe & Machold (2011), the failure of most GRC implementation projects is linked to
stakeholder perceptions or understanding of the value of GRC and to the relationships between
stakeholders during attempted implementation.

This literature shows that a better understanding of stakeholder perceptions and
understandings is necessary if solutions to the barriers to implementation are to be found. The
GRC solution is complex to comprehend and requires integrated effort from all concerned.

CHAPTER 3

THEORETICAL FRAMEWORK

3.1 Introduction

Chapter 2 reviewed other researchers' related work. It first introduced integrated GRC and its
concepts, and then discussed how stakeholders view it. This was followed by the perceived benefits of
GRC and the controversy surrounding them. Lastly, the key factors that influence resistance were discussed in detail.

This chapter focuses on the theoretical framework that is used to guide this study. Resistance
theory has been the anchoring drive of this study. This chapter first introduces other related
social psychology theories, namely the Theory of Planned Behavior (TPB), Diffusion of
Innovation (DOI), and the Technology Acceptance Model (TAM). Resistance Theory (RT) and its
background will then be examined in more detail, together with why it is necessary for this study and how
researchers have applied RT in their work.

RT will assist in highlighting the underlying issues that are likely to cause resistance and
impediments to successful implementation of the GRC solution. Hence, it helps explain the core
objective of the study: why the GRC solution is not actively implemented within the studied IT
organization.

However, other potentially relevant theories need to be dispensed with first.

3.2 Theory of Planned Behavior

TPB is an extension of an approach known as the Theory of Reasoned Action (TRA). Both
are popular models in social psychology for explaining people's behaviors and
intentions, and they have been extensively used in analysing the IT industry (Ajzen and
Fishbein, 1980). TRA investigates people's attitudes, influences and intentions to predict
behaviors, whereas TPB goes further to argue that people's behaviors are predicted by their
willingness to perform the behavior. Under TPB, people deliberately decide how much
effort they are willing to exert to perform the expected behaviour.

Both these theories have been successfully used in different situations to predict the
performance of certain behaviors and intentions towards, for example, adopting new software.
TPB, however, was considered to have more predictive power than TRA.
Nevertheless, TPB describes how people behave but does not go behind their
choices to explain why they make a choice. In this study, we want to understand not merely that
people decide not to implement the GRC solution, but what drives them to resist implementation.

3.2 DOI (Diffusion of Innovation)

DOI theory is about the adoption and diffusion of innovation across an enterprise or industry.
Diffusion occurs when an innovation is distributed or dispersed through certain channels over time
among others (Rogers, 1962). Rogers identifies four main elements that influence the spread of
a new technology: the innovation, communication channels, time, and a social system. There are
five different categories of adopters, namely: innovators, early adopters, early majority, late
majority, and laggards (Rogers, 1962).

DOI is an appropriate theory for investigating technology adoption; however, this study looks
beyond adoption and the channels of adoption to understand the barriers to, and options for,
achieving adoption of GRC.

3.3 Technology Acceptance Model

TAM, identified by Davis (1989), is based on an extended perspective of the TRA discussed
above, and was formulated to focus on the question of user acceptance of an
information system. TAM describes people's attitude and intention to use a new information
system based on:
• Perceived usefulness – the belief that the system will enhance job performance.
• Ease of use – the belief that the system is easy to use with little effort.

In the past, TAM has been a robust and powerful model for predicting people's acceptance of
new information systems. Most studies using TAM assume that resistance is merely the opposite
of acceptance and hence make no explicit reference to resistance from people. However,
these assumptions were proved to be wrong (Klaus and Blanton, 2010). The TAM factors
influencing people's potential level of acceptance still do not explain the other resistance
factors that impede acceptance. Hence, acceptance may be a necessary condition for people
implementing a system, but it may not be sufficient. The more comprehensive
perspective provided by resistance theory is needed in order to fully understand not only the necessary but
also the sufficient conditions for people's implementation of GRC. Resistance theory is discussed in detail
below.

3.4 Resistance Theory (RT)

Resistance is defined as a challenge or disruption to a process or initiative. It is caused
by changes within the organizational structure, social dynamics, or business systems,
which trigger resistance behavior. Resistance behavior is driven by fears that surface from the
intrusion of a new technology (GRC). It is also triggered by people's perceptions or evaluations of
whether the benefits of change outweigh the costs. More importantly, this behaviour is a
psychological reaction to perceived threats to their jobs, resulting in people avoiding
the requested action by either arguing back or delaying the process.

People’s behavior is the primary measure of resistance. These resistance behaviors can be
classified into four levels:
Apathy – sometimes a temporary state that may lead to acceptance or rejection;
Passive – a mild or weak form of resistance evidenced by expressions of dissatisfaction;
Active – demonstrating strong oppositional behavior but still potentially controllable to avoid
being disruptive;
Aggressive – creating a high risk of disruption of desired processes and often not controllable.

Lapointe and Rivard (2005) shared a resistance model that consists of five basic components, as
indicated in figure 9: behaviors, object, subject, threats, and initial conditions. This model
assumes that resistance will be triggered through interaction between the user and the system,
and that if the evaluation is that the change is threatening, the user will start displaying
resistance behaviors. Resistance shows through behaviors that occur when the
interaction between the initial conditions and the object surrounding the subject of resistance leads
to perceived threats.

Figure 9: Generic model of resistance to IT
(Source: Lapointe and Rivard, 2005)

a) Initial conditions – inputs and outputs that already exist in the initial setting before the
introduction of any GRC solution.
b) Objects – the new routine of doing work brought in by a new system, such as the introduction
of a GRC solution and the processes that have to be followed.
c) Interaction – the perceived difference between the demands of the 'improved' IT solution
and the already established mode of work, i.e. how people interact with the new
GRC solution;
d) Threats – perceived implications for stress, fear, or loss of power;
e) Resistance behaviors – these behaviors can take one of the four forms of resistance
referred to above. In this context, the resistance will be reflected in the under-utilisation of
the GRC solution.

Thus in this study, RT is used to understand whether stakeholders' perceptions of GRC can
influence the utilisation of GRC. A better understanding of resistance will lead to more successful
application of GRC processes, leading to better outcomes for the organization.

Further details on how RT supports this study's objective are provided in chapter 4: Literature
review. According to Markus (1983), many explanations have arisen as to which elements
cause resistance. This study revisits these factors, such as communication, adoption,
resistance and culture, and uses them to answer the research questions.

3.4.1 Resistance Theory in Information Systems (IS) research

RT is used in order to reach a comprehensive understanding of what influences acceptance and
adoption of new technology; hence it is more appropriate for this study, which aims to investigate
the reasons behind GRC under-utilisation. Little research has been conducted on factors
influencing resistance; hence there are few theories and models regarding user resistance from
an IS perspective (Kim & Kankanhalli, 2009; Lapointe & Rivard, 2005). RT is diverse and
complex: resistance can be witnessed from the board to a general employee in a company, and the extent
of the behaviour can differ greatly.

A study was conducted in an HR department to understand user resistance to an e-recruitment
system. The study revealed that a large number of HR employees showed negative resistance to
the new system. People who complained about the new system came from different
backgrounds, different organisational levels and different age groups. As a result, these
personnel found ways to avoid using the system, leading to the organization potentially not
realizing the benefits of the e-recruitment system. Klaus and Blanton (2010) discussed several different drivers
which determine where resistance can be found. These areas are shown in figure 10 and
discussed as follows:

People drivers – people perceive a potential loss of control and power, and uncertainty about the
future.
System drivers – the complexity of the system.
Organizational drivers – communication throughout the project life cycle.
Process drivers – people's reaction to job changes.

[Figure 10 diagram: Resistance at the centre, surrounded by the People, System, Process and Organisational drivers]

Figure 10: Adopted resistance model
(Source: Klaus and Blanton, 2010)

Following the above structure, this study focuses on resistance by individual people.
Laumer et al. (2012c) noted that understanding user reactions to a new system is very important;
if not attended to, they can cause negativity, making employees unhappy and
unproductive. This notion was backed by the top CIO of an American company, who said that managing
change and resistance is very important; however, little formal research has been done on user
resistance (Luftman et al., 2009).

3.5 Relevance of Theoretical Framework

Although all these theories are different, they have certain similarities which make them relevant
to the study in question in some way. TPB focuses on the behavior and intentions that are likely
to affect stakeholders' attitudes towards effective implementation; DOI focuses on adoption of the system
(in this case the GRC solution) and the channels used to encourage adoption; and TAM focuses on how
stakeholders perceive the GRC solution's usefulness and ease of use.

Lastly, RT focuses on explaining why people resist technology and provides companies with a
useful framework for understanding the forms of resistance before embarking on the
implementation process. Hence this study seeks to investigate the factors that play a
negative role in properly implementing a GRC solution.

The resistance categories are based on the research literature discussed above. The link to
the research for each category is identified in the table below.

Resistance Category     Research Reference
Resistance              Markus, 2004
Adoption                McElroy et al, 2007
Communication
Politics                Markus, 2004
Culture                 Lin, 1994

3.6 Summary of the chapter

This chapter mainly discussed Resistance Theory as the underpinning framework for this study.
It also set out the reasons for using RT in preference to the other theories. These other theories may
be useful for looking at various aspects of the implementation process, but only RT provides a
comprehensive analysis of the behavioral barriers that need to be overcome. It also discussed the
elements that were studied in order to adapt RT as guidance towards understanding the reasons
behind GRC under-utilisation.

CHAPTER 4

RESEARCH DESIGN AND METHODOLOGY

4.1 Introduction

This chapter sets out the research methodology applied to this research topic.
According to Perez (2008), a research methodology is a way of solving the research problem
using a sequence of steps or methods. This is done through the planned collection of data
in a research project. The methodology should include the planning phase, data gathering,
analysis of the data and an explanation of how the data is used. The research methodology also
aims to inform the reader of how the data will be collected and used to answer the research
questions addressed by the project.

The research methodology here covers the following topics:

a) The research paradigm – where an interpretive paradigm is used as a form of qualitative
method;
b) Strategy – where a case study is used;
c) Design – where snowballing was used in identifying participants; and
d) Interviews as a data collection technique.

This is a qualitative type of research. Qualitative research is an inquiry approach that aims
to understand and explore a central issue (Creswell, 2013). It is a systematic way of
investigation. Qualitative research is useful for obtaining specific information about the opinions,
behaviour, and social contexts of particular populations. This approach was appropriate to this
study, as stakeholders' opinions and behaviours were found, during data collection, to be highly
relevant to the research question.

4.2 Research Paradigm

A paradigm is a model which moulds what we see and how we understand it through
observation. It serves as a lens through which we interpret reality (Guba & Lincoln, 1994).
This study followed the interpretive research paradigm. This paradigm suits this study, as it
interprets reality through understanding and exploring human experience. According to Smith
& Heshusius (1986), the interpretive approach is about observing people in their natural working
environment to understand and interpret how they create and maintain their social world (which
in this case was about understanding stakeholders' perceptions of GRC in an IT environment).
This approach was used to understand the perspectives of stakeholders within the IT
organisation and their approach to implementing a GRC solution.

4.3 Research Strategy

The strategy used in this research is the case study. A case study is used to conduct a
detailed investigation of a specific instance and location (Yin, 2002). It is able to portray a studied
situation to others more clearly, while at the same time simplifying the process and experience of
finding the data. The company "Business Connexion" was used as the case study for this
research. Business Connexion is one of the leading ICT companies in the Southern
Hemisphere. The company is currently using a GRC solution and provides it to some of its
customers. This strategy is appropriate in this study, where stakeholders' understandings will be
closely examined in order to understand why GRC might not work effectively.

4.4 Research Design

The research design defines the type of study used to answer certain research questions. This is
about strategising, planning the structure, and conducting the research (Creswell, 2013). This
study used the case study to investigate the organisation and collect data. Snowball sampling
was used in this study. According to Johnson (2005), snowball sampling is used where each
participant is asked to recommend another candidate who might contribute understanding or
be more knowledgeable in the application of GRC. Stakeholders involved in GRC are not confined
to the case study consultancy but may be based on the client's side. Therefore the study focused
both on the company's internal GRC stakeholders and on its external GRC stakeholders.

Internal GRC stakeholders

Internal stakeholders focus on ensuring that the internal processes of the case study company
run smoothly, but do not provide support to external clients. These stakeholders
are located internally within the company and include the IT Manager, Business
Analyst, System Administrator, Departmental Manager (Risk/Governance) and other general
employees.

External GRC stakeholders

External stakeholders are those who provide GRC services to external clients and ensure that
the external customers are satisfied with Business Connexion's support. These stakeholders are
usually based on the client's premises. They include Consultants and the IT Manager.

A detailed stakeholder analysis was carried out in conjunction with the snowballing method to
identify key people to be interviewed. People to be interviewed were selected according to their
positions and experience, as well as their role and responsibilities in running GRC. It is therefore
necessary to work closely with the System Manager, Business Analyst, System administrator,
Departmental Managers, Auditor, and consultants.

The researcher anticipates gaining insight into the GRC solution from these stakeholders:
• Firstly, end-users provide views on their daily activity. These will be used to gauge end-user
interest in using the GRC solution and whether the solution is supported across the
firm. End users can be business process owners and consultants.
• Secondly, the System Administrator provides information regarding solution usage.
They are responsible for administering the solution and providing reports.
• Thirdly, the SAP Manager is the one who identifies an opportunity and ensures that it
acquires the support needed from all required stakeholders.
• Fourthly, the Business Analyst understands the current needs of the business in relation
to technology and business goals.
• Fifthly, GRC Officers share their experience of using GRC and the role it plays in their
department. More importantly, the officer ensures that the GRC solution is performing and
doing what it is intended to do.
• Lastly, Consultants are the heart of GRC implementation. They provide information
regarding the layout of the GRC solution, implement it and ensure that all functionality is working.

These stakeholders are represented in table 1 of chapter 5.

4.5 Data Collection Technique

According to Marshall and Rossman (2000), data collection techniques in qualitative research
can be categorised into the following:

1. Interview
2. Observation
3. Documents review
4. Setting participation

The data collection techniques followed in this study are interviews and observation. These
methods are discussed below in detail.

4.5.1 Interview
This was the primary technique for collecting information from people through conversation.
Interviews are deemed appropriate for this study and are the most commonly used data collection
method in qualitative studies. This technique works well when using the interpretive research
paradigm to source the data (Coolican, 2014).

According to Zhang and Wildemuth (2006), the benefits of using the interview technique include
the ability to interpret participants' actions and participants' views of themselves and others.
Fontana and Frey (2005) say interviews can take many forms and can be
categorised into:

- Structured interviews – This approach is similar to using surveys and questionnaires,
where a pre-defined set of questions drives the interview. It is less flexible in adding
more questions.
- Semi-structured interviews – The researcher can still have a set of questions but is not limited
to it. This approach allows questions to be added depending on the participant's responses.
- Unstructured interviews – This approach has no predefined questions. An unstructured
interview depends on the interaction between the researcher and the participant.

This study used semi-structured interviews. According to Zorn (2008), this method is flexible as
it allows new questions during the interview and is easy to record. A guide was used with a list of
topics and questions to be covered. The researcher used open-ended questions, allowing
opportunities for probing questions and answers. Responses were noted down and recorded
according to research priorities. This method of collecting data assists with understanding
stakeholders' experience when dealing with the GRC solution.

Limitations: The researcher understands that this method was complicated and time-consuming
when collecting and transcribing data.

4.5.2 Observation
According to Langley and Cubitt (1987), observation in social research is about attentively
looking at and listening carefully to the object being studied. This is usually done to explore the
behaviour of the participant, and it can also provide important information during an interview by
observing body language. In this study, observation was done on the GRC environment and
also on the stakeholders, especially during the interview period.

According to Marshall and Rossman (2000), there are two kinds of observation:
- Structured observation – This is planned and designed in advance, specifying what to look for and
focus on, and it strictly follows the designed list of what to observe.
- Unstructured observation – This is unplanned, where the researcher only has a general
idea of what to observe in the setting. This method is used mostly in the interpretive
paradigm.

This study followed unstructured observation, as the researcher has been working in the industry and
has extensive knowledge and understanding of what to look for in the context of this study.
Behavioural patterns and body language of people were observed together with their daily
routines.

Limitations: The researcher understands the risks of bias during such a subjective observation
process. Hence structured observation was used and interviews were recorded and reviewed.

4.6 Ethical Considerations

The researcher understands that ethics requires that the research be conducted within the limits
of acceptable behaviour, both at a corporate and a personal level. The research was conducted
with honesty, and corporate confidential information must not be divulged. Data collected for this
study must be of high integrity and be treated accordingly.

The Tshwane University of Technology "Research Ethics" policy was used as a guideline.
Participants were assured of their confidentiality and were requested to sign the informed
consent form prior to the interview.

4.7 Summary

This chapter discussed the key elements of the research methodology used in this paper, namely
paradigm, strategy, design and data collection. This paper therefore uses an observation-based
(interpretive) paradigm built upon a case study which draws upon semi-structured
interviews to collect data from participants selected using a 'snowballing' design.

CHAPTER 5

RESEARCH FINDINGS

5.1 Introduction

The purpose of this study was to understand the perceptions of IT organisation stakeholders
regarding GRC within an IT company, in order to understand why GRC is not fully utilised.
Participants' input and feedback provide good insights into the research questions posed in this
study. The interviews canvassed the four research questions referred to below.

As discussed in chapter 2 (literature review) and Chapter 3 (theoretical framework), the key
categories of Resistance Theory are at play in preventing GRC's integrated implementation. For
clarity, it is necessary to identify the multiple aspects which help explain more fully the nature of
people's resistance to the GRC solution. These categories of resistance are represented below
in figure 11 and will be discussed as findings.

[Figure 11 (diagram): the resistance categories Avoidance, Adoption/Deferral, People, Communication, Politics and Culture feeding into Resistance, which is analysed into Findings.]

Figure 11. Research based approach to the analysis of findings

5.2 Participants Demographics

A total of six participants were interviewed as part of this research. All participants took part
voluntarily. Participants' details are provided in the table below.

Table 3 Participants demographics

Participant     Age   Position                                  Experience (Years)
Participant 1   41    Administrator (End user)                  10
Participant 2   55    Administrator (SAP Administrator)         15
Participant 3   57    Internal Consultant (SAP Manager)         16
Participant 4   53    Internal Consultant (Business Analyst)    20
Participant 5   39    External Consultant (GRC Officer)         8
Participant 6   61    External Consultant (GRC Consultant)      18

All participants have more than 5 years' experience in their respective fields, of which three have
direct experience working with GRC within the case study company. Four were part of the
implementation when the GRC project started. Two participants have previously worked on a GRC project
in other companies. Five participants were interviewed in person, while the other was
interviewed telephonically as he is based externally on a client site.

Participants signed the informed consent form before the interview. Confidentiality was discussed and
it was confirmed that data would be treated confidentially. Participants were invited to ask any
questions before beginning the interviews. In the course of the interviews, follow-up questions
were asked and clarifications were prompted for. At the end, participants were requested to
recommend the next person to be interviewed based on their experience.

Below are the four research questions which guided this study and the interviews of participants.

5.3 Research Questions Re-visited


Taking into account the categories of resistance identified above, we now turn to the participant
data gathered in the course of the case study. The following research questions guided the
inquiries pursued with each participant in the study.
Primary question:
- What are the perceived barriers among stakeholders to full GRC implementation?

Secondary questions:
- What is the awareness and understanding of GRC among stakeholders?
- How are stakeholders involved in GRC activity?
- What do stakeholders see as the threats to GRC implementation in an IT organisation?

Research Results
Seven different perceived threats or barriers to implementation were identified arising out of the
interviews with participants and analysis of the data in relation to their responses:
1. Involvement: Some participants mentioned their lack of involvement, so they did not
believe they could provide useful insights or assist.
2. Resources: Participants working on GRC confirmed that they are short-staffed, making it
difficult to implement GRC successfully and quickly.
3. Business/Management Support: Some participants reported a lack of activities that
represent support from senior management for the GRC solution.
4. Ownership: Participants identified that business managers consider GRC to be merely
an IT tool, hence they do not take ownership, whereas IT teams see it as a business tool.
5. Complexity: GRC is believed to be a big challenge and expensive, requiring a specific
approach and skilled resources.
6. Project Approach: GRC often lacks proper project planning when it is being done to address
auditors' reports, without a proper plan to fully embark on the implementation and engage
all stakeholders.
7. Understanding: There is a conflict between how GRC is understood to be and what its
real capabilities are.

Table 4. Identified themes per participant

Themes               Participant 1  Participant 2  Participant 3  Participant 4  Participant 5  Participant 6
1. Involvement       Low            Low            Medium         High           High           High
2. Resources         High           High           Low            Medium         Medium         Medium
3. Business Support  Medium         Medium         High           High           High           Low
4. Ownership         Medium         Mild           High           High           High           Low
5. Complexity        High           Low            High           Medium         Medium         Low
6. Project Approach  High           High           High           High           High           High
7. Understanding     High           High           High           High           High           High

Key: Low – less agreement on the issue; Medium – not convinced; High – strongly feel about the issue.

The research questions below were addressed by the themes above, which were derived from the data
collected through interviews and observation. Answers for each research
question are summarised below:

What is the awareness and understanding of GRC among stakeholders?


Threats 1, 3, 4 and 7 reflect participants' responses to this first question:
- It was found that even stakeholders who are working on GRC showed a minimal
understanding of what GRC is all about. It is difficult for them to try to improve their
knowledge of GRC; as a result they are dependent on information from external
consultants.
- Stakeholders who have GRC knowledge are not willing to share it for free, as they might lose
power or their position within the company.
- They may have to charge an internal cost centre in order to assist with the implementation.
- Other stakeholders are not involved in the GRC project.

- They are either intentionally excluded to deny them knowledge, or have decided not to get
further involved.
- Without knowledge of this solution, most stakeholders find it difficult to take ownership
of GRC activities.

How are stakeholders involved in GRC activity?


Threats 1, 2 and 3 answer this question:
- It was noted that there was no proper project approach when implementing the GRC solution,
which results in no footprint, documents or training that are necessary to carry the
implementation forward and ensure that stakeholders are at ease when working with
GRC.
- There seem to be mixed feelings as to the benefits of the GRC solution. Due to the lack of
dedicated resources with the necessary know-how, the company is dependent on external consultants to
assist when they are available; in the meantime there seem to be no activities related to
GRC.
- These external stakeholders have different ways of working, different methodologies and
techniques. This makes it difficult to work on each other's projects and requires proper
communication with each other; however, there is no communication, nor are there documents to
assist them in properly implementing GRC.
- The business stakeholders are not involved. An IT stakeholder says they don't want to get
involved, which leaves the responsibilities with the IT department. However, IT stakeholders
seem to have given up on convincing the business to start working on GRC. This is
because IT stakeholders are also not regularly using the GRC solution, which makes it easier
to just not do anything towards improving GRC effectiveness.

What do stakeholders see as the threats to GRC implementation in an IT organisation?


Threats 4, 5, 6 and 7 answer this question:
- Stakeholders at management level perceive the GRC solution as relevant and want to have it
properly working; however, the solution is currently only used when the
company is about to be audited.

- Operational stakeholders view it as a complex, expensive solution to practise that is
difficult to comprehend and properly implement. Based on their current experience,
some stakeholders don't see its importance as they are managing to do without it,
whereas others completely support it and say it's a must-have future solution.
As indicated in figure 13 below, all these questions assist the researcher in answering the main
question: What are the perceived barriers among stakeholders to full GRC implementation?

[Figure 13 (diagram): the three secondary questions (What is the awareness and understanding of GRC among stakeholders? How are stakeholders involved in GRC activity? What do stakeholders see as the threats to GRC implementation in an IT organisation?) feeding into the primary question: What are the perceived barriers among stakeholders to full GRC implementation?]

Figure 13: Research questions

Although IT stakeholders are expected to stay up to date with new technologies, there has
been considerable resistance to changing to the GRC solution, and most of this resistance was
noted and classified into themes.

These perceived threats lead to a range of resistance behaviours which will be discussed.

Resistance Theory was discussed in Chapter 2. It was noted that there were 5 categories of
resistance under which resistance behaviours occurred in preventing GRC from being implemented.
These resistance behaviours can be understood in terms of the 5 categories of resistance
identified in accordance with the generic model described in Chapter 2.

Table 5

Resistance Category   Threat                  Resistance Behaviour
Avoidance             Resources               Inaction
                      Complexity              Use in-house or alternative options; too expensive
                      Lack of Understanding   Inaction, inadequate knowledge to act
Adoption              Resources               Delay, delay tactics
                      Project Approach        No plans, external consultant
                      Lack of Ownership       Uncertainty, hesitation
                      Lack of Understanding   Lack of interest
Communication         Involvement             Non-participation, exclusion
                      Management Support      Disempowered to act, uncertainty
Politics              Involvement             Territoriality, no shared information
                      Resources               Favouritism, misallocation, inaction
                      Lack of Ownership       No power to act, excluded
Culture               Resources               Non-compliance, misallocation
                      Management Support      No prioritisation
                      Lack of Ownership       Buck-passing

The above findings are represented in the diagram below.
Figure 12 Identified findings

[Figure 12 (diagram): the seven threats (Involvement, Resources, Business Support, Ownership, Complexity, Project Approach, Understanding) mapped to the resistance categories (Avoidance, Adoption/Deferral, Communication, People Resistance, Politics, Culture).]

It is now proposed to discuss these key threats in more detail below.

5.4 Findings Discussion


5.4.1 Lack of Involvement
Three participants are directly working on GRC projects. Participant 3 is partially involved, stating
that he only gets pulled into a project now and then when his expertise is needed. He doesn't
understand it; however, he never worries about it as he is engaged with his day-to-day work. Two
participants are minimally involved. Participant 1 noted that her knowledge is limited and she
does not play a role in it, but that it is a shame because she thinks she should be involved. She
has discussed this with the managers and she hopes things will change in the near future.
Participants additionally mentioned that involvement in GRC lies with the consultants and IT
Managers, whom they understand to be qualified to work on the solution.
Participant 2 mentioned that he doesn't really see himself being involved in anything related to
GRC. He stated, "I don't think they will give me a role to do"; he would like to play a role
but doesn't think he will be given the chance. Participants 4, 5 and 6 stated that they are
overwhelmed with work, which prevents them from adequately focusing on GRC to the extent
required. "I have lots of work which requires me to work at home sometimes after work",
Participant 5 stated. This may be because of the shortage of staff.

5.4.2 Limited Resources
The second threat found in the study related to a shortage of staff. Participants
mentioned the lack of resources in the case study company's GRC. Participant 1 claimed, "I just
don't think consultants are regularly available. This is a very specialised field which requires
people with certain qualifications". This means that a specialised project like GRC demands
resources that are dedicated to it and available for any issue. Participant 4 added that every time
he tries to work on GRC, his own work falls behind and there is no one covering for him, and
GRC takes him time as he has limited knowledge, which requires him to conduct a lot of research.
Participant 3 stated, "If there are guys and systems doing what GRC can almost do, why should
the company invest resources on GRC which is money and expensive". He further claimed that
the bottom line is that GRC costs money and he wouldn't want to make an argument for it.
Participant 5 says the current resources used on the GRC project are not dedicated to it. They are
borrowed from their day-to-day responsibilities.

Participant 4 says at some stage the company lost dedicated GRC resources and never
replaced them. Participant 6 emphasises the importance of a budget when acquiring resources.
She says the company would rather cut down and use the already available resources than
spend money hiring new GRC resources. This begs the question as to whether management
supports the GRC solution.

5.4.3 Insufficient Management/Business Support


The third threat identified from the data was business support, which is discussed below together with
its sub-theme of Ownership.

Participants were asked how the company recognises GRC and their view of it. Most
participants were very keen to express their views on this issue. Participant 1 noted, "I don't think
it's a necessity or priority for them, they look less interested", and she continued saying it's a shame
because it's such a powerful tool. Participant 2 reaffirmed this, saying, "I don't think they are
interested and there seems not to be any sort of pressure from anyone to focus on GRC."
Participant 6 went on to state that the only time he hears of GRC is when the company is
about to be audited; otherwise there are no activities that reflect GRC's existence.
It's as if GRC is in the background or non-existent until the auditing period. That's when everyone
starts working together, panicking to ensure that GRC is working okay.

5.4.4 Lack of Ownership


Participant 3 claimed that while his IT team is only responsible for administering the data for the
business, the business must take ownership of GRC. He believed that unfortunately the
business thinks it is only an IT responsibility. On the contrary, Participants 1 and 2 believe the
ownership of GRC does or should belong to IT. Participant 4 pointed out that there are no clear
project owners to take charge; however, those who are willing to accept the responsibility do not
take proper ownership because they do not understand what it means, let alone its activities,
given that GRC is new.

Participant 5 says, "Managers are not going to accept it because they do not want it and there
are no signs of promoting it. They just want people to sit and do their work, not nitty gritty stuff".
She believes they don't want to take responsibility and would rather put the responsibility on
others. She thinks IT understands the importance of GRC but is not doing well in
selling GRC to them; however, this might be because of the complexity of the solution.

5.4.5 High Complexity


The fifth threat that surfaced was complexity. Participant 1 noted that GRC is not common
knowledge and that it is a highly specialised field. "Even if one asks some colleagues around
here they wouldn't know what GRC is all about, however the company paid a whole lot of money
for it", she said. Participant 5 admitted that he would have preferred to see a team of skilled
consultants working on this implementation; however, he claimed there is no budget to hire skilled
GRC consultants as they are very expensive because it is a complex solution. Participant 3 says
they currently don't see how an investment in GRC returns value to them. He believes the
company should not have invested in it from the beginning if they are not prepared to go all out
in order to make it work. Participant 4 noted that GRC is very new and, with the changes that come
after the first implementation, it is very difficult for the company to follow up and keep on
implementing improvements; hence there is a current problem with proper implementation or
usage. Whenever new functionalities are available, these need to be updated and the
changes documented. However, this is difficult if there is no proper project approach.

5.4.6 Lack of Proper Project Approach


This theme is tightly coupled to the lack of common understanding. Participant 5 mentioned that
after joining the GRC team, there were no substantial documents to direct how the project
was to be undertaken. She found she had to ask people who had been involved from the
beginning of the implementation in order to gain most of the information needed about the project.
Participant 6 mentioned that the documents that are available have not been maintained. Also,
the training documents available were from a previous client's implementation project, so not
directly relevant to the case study business itself. It was observed that there was no central place
to share GRC documents in order to help everyone understand what GRC is all about.
Participant 4 mentioned that no one seems to know what they are doing with GRC. Everyone
seems to be confused. They have no plans, and whatever approach is being used is not
working. Now and then external consultants are brought in to clarify things, but after that
everything just starts falling apart and there are no follow-ups on maintaining and improving this solution.
Different consultants with different views create more confusion about the understanding of
GRC.

5.4.7 Lack of Understanding


The fifth theme noted how the participants understand GRC. They were asked what GRC means
to them and their perception of people's understanding of the definition of GRC. Participant 1
described GRC as a structured governance tool mainly used for reporting, and she mentioned
that it also had a link to authorisations in the SAP system. She also mentioned that they are
doing it because it is a new technology. Participant 3 thought GRC was being promoted as a
"must-have tool" that every company is implementing. Participant 2 didn't understand it well, and
he does not think others understand GRC because it is not completely working. Participant 4
understood it to be an auditor's tool because he only hears about it when the company is about
to be audited. Participant 5 described it as a tool that is not working properly but a potentially
useful tool to deploy going forward. He lamented the approach used, which resulted in
management not being adequately included in project initiation from the start.
All participants seem to see it as an auditor's tool or an authorisation tool and focused on the
technical side of how they see it working within the company, noting that there are already other
programs that do what GRC can do.

The responses of the participants show that the GRC solution is underutilised, largely because of the
issues discussed above.

5.5 Summary
GRC is new and appealing for many people; however, while some are eager to be
involved and assist in GRC developments, they have limited capacity or authority, possibly for
political reasons. They are compelled to focus on their respective discipline areas. In
some cases, GRC resources that left the company were not replaced. This has become a
widespread business trend where resources leave the company and the work is shared among
those who remain. Most participants, when asked what GRC means to them, had
uncertain or confused impressions based on their experience. Most focused on examples of
technical issues and impediments rather than the people-centred definition associated with
systemic or cultural improvement.

This chapter showed the results collected during the interviews of 6 participants.
Findings were grouped into themes and discussed in order to evaluate why GRC is not fully
utilised. Participants' responses showed that GRC utilisation can be improved if certain aspects
are taken into consideration. These aspects include resources, business support, ownership,
complexity and understanding.

CHAPTER 6

CONCLUSIONS AND RECOMMENDATIONS

6.1 Introduction

Chapter 5 presented the findings of this study. This chapter interprets the results of those
findings from the participant interviews. The results are grouped according to the resistance
categories discussed in chapter 2, and recommendations are provided thereafter.

The table below shows how the results found relate to the themes identified in the literature
review (chapter 2) and the theoretical framework (chapter 3).
This research focused on highlighting the key constraints preventing GRC from being fully
utilised. Based on a series of interviews, seven recurrent constraints were identified from the
participants.

Armed with this knowledge, a GRC implementation team will need to develop a project plan that
incorporates a strategy to address people-centred factors for successful implementation. It is
recommended that the project plan apply the following framework:
- What are the drivers affecting engagement?
- Where are we now?
- Where do we want to be?
- How do we get there?
- What needs to be done?
- Did we get there?
- How do we keep the momentum going?

To address these people-centred factors affecting successful GRC implementation, all five aspects of
stakeholder resistance must be investigated, understood and responded to as part of the GRC
team's project roll-out. These aspects are now discussed as the five pillars of effective
implementation.

6.2 Five Resistance Categories related to Implementation

After analysing this case study and the literature on Resistance Theory, it can be argued that a
company needs to work on 5 key areas of resistance that affect GRC utilisation. The 5 areas
are:

1. Avoidance
2. Adoption/Deferral
3. Communication
4. Politics
5. GRC Culture

6.2.1 Avoidance
Avoidance is one form of resistance identified in the study and is one of the main issues.
Feedback from this study found avoidance to be related to three of the issues identified, namely
resources, complexity and understanding. Efforts to reduce resistance will reduce complexity and
improve GRC understanding.

Most participants emphasise that they see GRC applying primarily to support auditing reports.
Participant 5 especially pointed to an in-house program he helped build to develop a report to meet
auditors' reporting requirements. These reports, focused on how the business wants to address
auditors' needs, could be hampering the flexibility to swiftly change to new GRC technology.
However, the reports will still be unable to address further auditors' findings. Participant 1 noted
that the SAP system is secured without GRC and that GRC does slow production, as it increases the
processes and creates more work for the support team.

As discussed in Chapter 2, it is common for people to take a passive resistance approach through
delaying tactics, lack of interest and making excuses for not implementing GRC. Participant 3 in
particular strongly emphasised that there is no budget, but there was no substantial proof
showing that budget is the constraint.

Delaying Tactics – Using consultants who are not dedicated to the GRC project but are working full
time on other projects will cause delays, while some consultants are not professionally
competent in GRC as they are primarily focused on another area of specialisation.
Excuses – All participants seem to be hiding behind the fact that there is no budget to get the GRC
project functioning. However, adequate budgets and resources can make a difference.
Lack of interest – At least one participant claimed he didn't know why GRC had not matured in
the business and seemed to lack interest on the basis that he is not a decision maker.
Resources – There are not enough dedicated resources for GRC. Participant 6 mentioned one
dedicated GRC resource that left the company but was never replaced. This element is also
critical to adoption, as discussed below.

Recommendations
When looking at the age group of people working on GRC in this case study, it was found that
most of them are nearing retirement age; hence they were more inclined to continue using old in-house
solutions rather than take any interest in the benefits of a GRC solution. It is
recommended that the company develop proper succession planning to ensure that up-and-coming
younger people, who are likely to appreciate the latest technology, learn about the
required systems from more experienced stakeholders.

It was found that when stakeholders understand the solution and have been part of it
from the start, they are likely to support it and see its positive benefits. It is therefore
recommended that the company implement formal annual GRC roadshows to convey the
benefits of GRC and its effective implementation. This will include sharing the latest developments
and highlighting positive examples of benefits that have been provided by GRC.
It is also recommended that the company address all internal issues associated with GRC and
draw up a roadmap as to where the GRC solution is going. This can best be achieved by establishing a
dedicated team to support the introduction and maintenance of GRC.

Markus (1983) provides some guidelines to avoid resistance:

- Involving users at the design phase
- Gaining top management's support
- Ensuring the system is user-friendly
- The system must be able to improve users' functions
- The benefits must outweigh the cost of the system

The researcher considers these guidelines to be equally applicable to the broader context of GRC
implementation.

6.2.2 Adoption/Deferral
Adoption is critical and must be addressed to ensure GRC success. The three main themes
found to be related to adoption are resources, ownership and understanding.

In this case study the results reveal that the situation leaned more towards a late adoption approach, as
discussed in chapter 2. This is supported by the feedback from most participants, as they
emphasise that GRC is a new technology which they believe is nice to have for business
improvement but not essential. GRC information is available within the company's records, but
they are not willing to fully embrace its formal implementation yet. There has been a delay, as the
company seems to be waiting for GRC as a management model to mature. The majority of
participants also highlighted the length of time that it is taking for GRC to be fully rolled out. The
cause is unclear, although some participants think it's a deliberate choice by management.
There is a lack of information regarding GRC. According to Rouse (2003), people are unlikely to
adopt a new technology if they don't understand it and how they will benefit from it.

Recommendation
According to Markus et al. (2000), organisations choose between early or late adoption. Both
have pros and cons, as discussed in chapter 2. For instance, the studied organisation seems
to have chosen the late adoption approach with its GRC project. By the time it chooses to
fully embrace the project it could be too late and more difficult to keep up with competitors
already implementing it. New versions of integrated GRC platforms have been developed, but the
company is still holding on to an obsolete suite. Therefore it has proved difficult and expensive
to catch up.

It is recommended that the studied company consider a timely adoption with a level of
commitment to the project that can positively influence the company's performance. It is highly
recommended that the company invest more in acquiring the latest GRC product and devote in-house
resources to fully work on GRC until it eventually matches the progress of its
competitors.

Although "timely adoption" might seem to be a viable option, there still must be a first level of
commitment from all required stakeholders. Since a GRC project is complex and seen as a big
solution, it is also recommended to break down the solution and sell the product to the respective
stakeholders by clearly highlighting the benefits. The following steps can assist in achieving
this:
- Break down the GRC project
- Identify the different stakeholders (business owners)
- Understand their motives and their objectives
- Analyse their route to achieving those objectives
- Marry the objectives with the GRC benefits
- Get them on board
It is further recommended that GRC be treated like any other project and follow the project
process until it is fully rolled out. In addition, the company must make an effort to understand
what GRC is all about and the benefits that can be extracted from it.

6.2.3 Communication
Lack of communication can negatively affect the company's performance. Enhanced
communication is critical to ensure company-wide involvement and business support. For
instance, feedback from most participants showed that there was no formal introduction to GRC.
Participants recalled how they first heard of the GRC programme. Some participants mentioned that
they only heard of GRC through friends who were working on it; others mentioned that they heard
about it in meetings. There were no formal engagement sessions to introduce the GRC solution.

Recommendation

Communication is paramount to the success of GRC, as noted in Chapter 2. Based on this case
study, it is clear that communication needs continuous improvement, especially among the
technical GRC experts who are working on different projects and for different clients. The
researcher recommends that the company implement a viable communication strategy
incorporating the following:
- Organise formal monthly GRC meetings
- Communicate any GRC developments and news of improvements to all stakeholders
- Establish knowledge-sharing platforms
- Introduce internal incentives to accelerate knowledge sharing
- Give all stakeholders a chance to participate in all GRC workshops

6.2.4 Politics
Politics is associated with involvement, resources and ownership. GRC leaders must exercise
authority over resource management and ensure that politics is managed properly.
Successful project implementation is directly linked to the ability of project leaders or key
stakeholders to understand the importance of politics and how to channel it towards project
success. Effective leaders know how to use political tactics to further their project goals. For
instance, one participant mentioned that he would not be allowed to get involved in GRC, although
he would like to play a part. When asked why he thought he was not involved, he stated that he
did not want to get political.

GRC requires all resources involved, not only skilled resources; however, some participants seem
to be having difficulty getting a chance to get involved. The resources who know about GRC
are not willing to share information, as they are afraid of losing power and jeopardising their
positions. When external consultants are invited to assist with the internal GRC, some participants
mentioned that they are not invited to attend such GRC meetings, even though they
continuously show interest. This suggests that there is a certain group of people who are
deemed to work on GRC and who do not allow others to break in and get involved.

Recommendations

The researcher recommends that the studied company run its GRC project outside the normal
functional authority. In that way the selected team can be goal-oriented, focus less on
organisational politics, and maximise communication and resource usage.

The researcher also recommends the following steps for GRC leaders towards successful GRC
implementation:
 Understand and acknowledge the politics within the organisation
 Cultivate suitable political tactics
 Try to give project managers an equal footing
 Learn the fine art of influencing stakeholders
 Understand that conflict is a natural side effect of project management
 Clarify expectations regarding stakeholders' performance

6.2.5 Corporate Culture

Based on the data, it was found that themes such as involvement, resources and business support
are also related to the issue of culture.
Most participants highlighted the need for the business to change its mindset regarding GRC.
Currently there is no momentum or any established pattern to grow GRC, because stakeholder
knowledge is limited. Participant 6 pointed out that the culture of project prioritising can be
improved: "It's about who screams the loudest". IT teams have to respond to what the business
owners demand; however, GRC has not been seen as a priority to demand. If the business is not
driving the GRC agenda as a priority, then the project is likely to be attended to last. There also
seems to be a sense of division among the teams, making it difficult for GRC to succeed when
collaboration is vital.

Recommendations
 Educate business owners and stakeholders about GRC processes and capabilities so
that they can start recognising the benefits
 Incentivise the stakeholders in order to have them start acting towards the desired culture
 Establish a culture that matches the GRC environment
 Encourage all employees to participate in corporate social responsibility in order to
influence desired behaviours

6.3 Overall Recommendation

This study concluded that a substantial cause of failure in GRC implementation is the perception
of GRC, and how these perceptions create barriers to effective stakeholder involvement.
It is clear from this study that while strategies, processes and technologies are important
elements of GRC, organisations, in particular IT organisations, must give priority to people
factors if integrated GRC is to be effectively implemented.

It is therefore recommended that, in addressing these critical people factors, deliberate action to
manage resistance should have regard to the five components of resistance theory which affect
constructive stakeholder involvement in GRC implementation. Specifically, the GRC team must
assess each stakeholder's perception of GRC to understand which threats and categories of
behaviour are risks to implementation.

6.4 Conclusion
The main purpose of the study had been to identify stakeholders' understandings, perceptions
and behaviours that create barriers to the effective implementation of GRC. It was found that
there are a number of people-related reasons for the existence of these barriers.

The literature indicates that GRC success is dependent on various key components (processes,
strategy, technology and people) and how each organisation tends to prioritise them. From
this study, it can be confirmed that the 'people' component plays as important a role as the other
GRC components.

This study has analysed this 'people factor' by identifying stakeholders' perceptions as common
factors that are affecting GRC's implementation and utilisation. Several key factors were also
identified and discussed. These key factors are Involvement, Resources, Business Support,
Ownership, Complexity, Project Approach and Understanding. These factors were shown by the
study to reflect the key categories of Resistance Theory discussed.

Further, most people do not fully understand the role that GRC convergence plays in their
organisations, nor the benefits that it can provide. This confusion among stakeholders is passed
on to other staff of the company, resulting in the GRC solution not being fully utilised.
Indeed, firms tend to forget that a GRC solution needs to be considered as a transversal
programme across the operational, managerial and corporate support elements of the business.

Organisations spend a great deal of money buying the latest GRC technology
and ensuring that strategy, systems and processes are up to date and effective. However, it must
be noted that the organisation must also be willing to invest in the human resources, which
play an equally, if not more, important role. Of course, this expenditure needs to be measured
against return on investment to ensure the investment is profitable. Moreover, it requires a long-term
financial and human investment to ensure that users fully understand their roles
(Rasmussen, 2011).

The study showed that understanding the GRC solution from the stakeholders' perspective may
help identify impediments to implementation and, in turn, assist the company to be more
efficient and effective and to increase accountability within the organisation.

The researcher hopes the recommendations of this study will enhance the current understanding
of the opportunities offered by the GRC solution, and that these can be achieved by addressing the
issues noted in this study. The ultimate objective is that companies will be able to understand
GRC through their stakeholders' eyes and implement the right methods to improve their GRC
activities and processes.

6.5 Further Research

The current research is not able to address all the GRC issues in an IT environment. There
were many other issues identified during data collection and analysis; however, the study was not
intended to address all of them. It is appropriate, therefore, to make recommendations as to further
research opportunities.

This study has contributed through stakeholders' perceptions of GRC and has revealed the main
issues that are affecting GRC progression. These issues were analysed, and further areas to
be visited were identified as follows:

 The experience of the GRC solution in a different business area or department could be
further explored, as this research focused mainly on business owners' perceptions,
based on the experience of GRC stakeholders in an IT environment. Although they are
dependent on information fed to them by the IT stakeholders concerned, they also play a major
role in the success of the GRC product, as they need to be engaged to cultivate the right
attitude in support of implementation.
 The question of whether there was a strong implementation team with a strong project
leader to foster GRC principles was raised. Variances in responses made the
researcher question whether a proper project management process was
followed until the project was handed over. It will be worth investigating further whether
a formal project life cycle is being followed during GRC project implementation.

With more and more organisations showing interest and gaining competitive advantage through
GRC, there is still a need for research to explore other GRC components.

6.6 Limitations

This section addresses some of the noted limitations of this mini dissertation.
A GRC solution is beneficial to everyone within the company, and every stakeholder has a role to
play towards a successful GRC; however, this dissertation focused only on the IT stakeholders in
an IT department.

Although the recommendations may be applicable to any IT company, it must be noted that this
study was performed in one IT company in South Africa and may not be generalised.

Because of its limited scope as a mini dissertation, the following limitations were
applicable:
 Time - the time available to collect the data effectively; hence critical individuals were selected to
gather information.
 Resources - some critical targeted individuals were not available to participate in the data
collection process; hence the credibility of the information might be affected.
 Scope - only individuals who are working in the IT environment were selected to
participate in this study.

REFERENCES

AJZEN, I. & FISHBEIN, M. 1980. Understanding attitudes and predicting social behavior. New
Jersey: Prentice Hall.

ALDRICH, P. & ANDERSON, J. 2014. 8 Keys to a successful GRC program.

APPLEGATE, L.M. 1994. Managing in an information age: Transforming the organisation for the
1990s. In: Proceedings of the IFIP WG8.2 Working Conference. Amsterdam: North-Holland
Publishing:15-94.

BLYTHE, B.T. & MACHOLD, J.R. 2011. The Human Side of GRC. S.I.: s.n.

BROADY, D.V. & ROLAND, A.H. 2011. SAP GRC for Dummies. Hoboken: John Wiley & Sons.

BROWN, K.A. & HYER, N.L. 2010. Managing Projects, A Team Based Approach. New York:
McGraw-Hill.

CACCIATTOLO, K. 2014. Defining organizational politics. European Scientific Journal, 10(10),
Aug.: 238-246.

CALDWELL, F. & PROCTOR, P.E. 2009. Continuous Controls Monitoring for Transactions: The
Next Frontier for GRC Automation. Gartner, January.

CAMPOBASSO, F.D. & HOSKING, J.E. 2004. Two factors in project success: a clear process
and a strong team. Journal of Healthcare Management, 49(4), Aug.: 221.

CARR, N.G. 2004. Burned by IT. Industrial engineer, 36(8), May:41-49.

CASTON, M. 2008. How to achieve a successful GRC Implementation. eWeek, Dec. 10:4.

CHANG, H.L. & SHAW, M.J. 2005. A roadmap to adopting Emerging Technology in E-Business:
an empirical study, 8(2), Mar.: 103-130.

COMPLIANCEWEEK. 2006. How do we make a business case for Integrated GRC. United
States of America: OCEG [Online]. Available from:
https://www.complianceweek.com/sites/default/files/documents/53/1206_grc_illustrated_13004.p
df [Accessed: 15/09/2014].

COOLICAN, H. 2014. Research methods and statistics in psychology. 6th ed. New York:
Psychology Press.

CORESTREAM. 2013. A culture guide to GRC. [Online] Available from:
http://www.risk.net/operational-risk-and-regulation/advertisement/2300030/sponsored-feature-
corestream [Accessed: 14/10/2014].

CRESWELL, J.W. 2013. Research Design: Qualitative, Quantitative, and Mixed Methods
Approaches. 3rd ed. London: SAGE.

CRISP, M. 2010. Light wave Security Introduces IT-GRC Solution for State, Local Government
[Online]. Available from: http://www.marketwired.com/press-release/lightwave-security-
introduces-it-grc-solution-for-state-local-governments-1193547.htm [Accessed: 02/03/2012].

DAVIS, F.D. 1989. Perceived usefulness, perceived ease of use, and user acceptance of
information technology. MIS Quarterly, 13(3), Sep.: 319-340.

DENNINGS, R., CHEN, W. & CARROL, S. 2013. What is GRC: What is its impact on
compliance practices and where GRC is heading? [Online]. Available from:
https://www.claytonutz.com/docs/GRC_paper_what_is_GRC_and_where_is_GRC_heading.pdf
[Accessed: 27/08/2014].

DITTMAR, L. 2007. Demystifying GRC: Business Trends Quarterly, 2(4), 16-18.

DONNELLY, L & TRAN, J. 2009. Access Control 5.3 Implementation Roles and
Responsibilities. In: SAP (Version 2.0).

EPICOR. 2007. Achieving Efficient Governance, Risk and Management (GRC) through process
and automation. White paper [Online]. Available from:
http://www.slideshare.net/Jplanas/achieving-efficient-grc-through-process-and-automation
[Accessed: 10/04/2012].

FARREL, J. & ENGELS, O. 2012. The Convergence Evolution: Global survey into the
integration of governance, risk and compliance [Online]. Available
from:http://www.kpmg.com/ES/es/ActualidadyNovedades/ArticulosyPublicaciones/Documents/
The-Convergence-Evolution.pdf [Accessed: 30/10/2014].

FERNANDO, A. 2011. Just what is GRC? Please share your definition. [Discussion Group:]
[Accessed: 14/10/2014].

FRIGO, M.L., & ANDERSON, R.J. 2009. A strategic framework for governance, risk, and
compliance. Strategic Finance, 90(8), Feb.:20-61.

GARTNER. 2011. Gartner Compliance & Risk Management Summit 2008 [Online]. Available
from: http://www.gartner.com/it/summits/risk2/overview.jsp [Accessed: 05/03/2012].

GARVIN, D.A. 2000. Learning in action: A guide to putting the learning organization to work.
Boston: Harvard Business Press.

GILL, S. & PURUSHOTTAM, U. 2008. Integrated GRC-Is your organization ready to move. In:
Governance, Risk and Compliance. SETLabs Briefings, 6(3): 37-46.

HARDY, C. & LEONARD, J. 2011. Governance, risk and compliance (GRC): Conceptual
muddle and technological tangle. Governance. In: 22nd Australasian Conference on Information
Systems on Nov 29, 2011. Sydney.

HARRIES, L. 2011. GRC – burden or opportunity? [Online]. Available from:
http://www.itweb.co.za/index.php?option=com_content&view=article&id=45609:grc--burden-or-
opportunity&catid=69 [Accessed: 29/03/2012].

HAYDEN, L. 2009. Designing common control frameworks: A model for evaluating information
technology governance, risk, and compliance control rationalization strategies. In: Information
Security Journal: A Global Perspective, 18(6), Dec.: 297-305.

HUMPHRIES, F. 2014. GRC buy-in needs right mindset [Online] Available from:
http://www.itweb.co.za/index.php?option=com_content&view=article&id=70488:GRC-buy-in-
needs-right-mindset&catid=69 [Accessed 16/10/2014].

INVESTOPEDIA. 2014. Governance, Risk Management and Compliance – GRC [Online].
Available from: http://www.investopedia.com/terms/g/grc.asp [Accessed: 15/09/2014].

IVES, M. 2005. Identifying the contextual elements of project management within organisations
and their impact on project success. Project Management Journal , 36(1), Mar:37-51.

JAN, W. 2010. Effective GRC Management: Positioning Your Company for Growth, Aberdeen
Group.

JOHNSON, T.P. 2005. Snowball Sampling. Encyclopedia of Biostatistics.

KARK, K. 2008. IT GRC: Combining disciplines for better enterprise security. Forrester
Research [Online]. Available from: http://searchsecurity.techtarget.com/tip/IT-GRC-Combining-
disciplines-for-better-enterprise-security [Accessed: 02/03/2012].

KELLY, S. 2009. The ABCs of GRC. Treasury and risk magazine [Online]. Available from:
http://www.treasuryandrisk.com/2009/06/01/the-abcs-of-grc [Accessed: 07/03/2014].

KERSEY, D.M. 1999. Understanding clients. Consulting to Management, 10(4), Nov:34.

KIM, H.W. & KANKANHALLI, A. 2009. Investigating User Resistance to Information System
Implementation: A status quo Bias Perspective, MIS Quarterly, 33(3), Sep.: 567-582.

KLAUS, T. & BLANTON, E. J. 2010. User resistance determinants and the psychological
contract in enterprise system implementations. European Journal of Information Systems, 19(6),
Jul. 7: 625-636.

KONTOGHIORGHES, C. 2005. Key organizational and HR factors for rapid technology
assimilation. Organization Development Journal, 23(1): 26.

LANGLEY, P. & CUBITT, A. 1987. Doing Social Research. Causeway books.

LAPOINTE, L. & RIVARD, S. 2005. A Multilevel Model of Resistance to Information Technology
Implementations. MIS Quarterly, 29(3), Sep.: 461-491.

MARKUS, M.L. 1983. Power, Politics and MIS Implementation. Communications of the ACM,
26(6), Jun.: 430-444.

MARKUS, M.L., AXLINE, S., PETRIE, D. & TANIS, C. 2000. Learning from adopters'
experiences with ERP: Problems encountered and success achieved. Journal of Information
Technology, 15: 245-265.

MCCLEAN, C. 2009. The basic of enterprise GRC Project Management [Online]. Available
from: http://searchsecurity.techtarget.com/tip/The-basics-of-enterprise-GRC-project-
management [Accessed 29/09/2014].

MENZIES, C., MARTIN, A., KOCH, M. & TREBUTH, C. 2007. Governance, Risk Management
and Compliance: Sustainability and Integration supported by Technology, Germany:
PricewaterhouseCoopers AG.

MINTZBERG, H. 1983. Power in and around organizations, vol. 142. Englewood Cliffs, N.J.:
Prentice Hall.

MITCHELL, S.L. 2007. GRC360: A framework to help organisations drive principled
performance. International Journal of Disclosure and Governance, 4(4), Aug.: 279-296.

NICHOLAS, J.M. 1989. Successful project management: a force-field analysis. Journal of
Systems Management, 40(1), Jan.: 24.

NISSEN, V. & MAREKFIA, W. 2013. Towards a Research Agenda for Strategic Governance,
Risk and Compliance (GRC) Management. In Business Informatics (CBI), 2013 IEEE 15th
Conference on July 15-18, 2013, Vienna, IEEE.

OLANREWAJU, A.I., AYODELE, E.A., ABUBAKAR, U. & ALIYU, M.B. 2011. Application of
Information Technology to Library Services at the Federal University of Technology. Akure
Library, Ondo State: Nigeria.

PINTO, J.K. 1998. Understanding the role of politics in successful project management.
International Journal of Project Management, 18(2), Nov.: 85-91.

POLITES, G.L. & KARAHANNA, E. 2012. Shackled to the status quo: the inhibiting effects of
incumbent system habit, switching costs, and inertia on new system acceptance. MIS Quarterly,
36(1), Mar.: 21-42.

POOJA, S. 2014. What is GRC?:Corporate GRC Strategies[Online] Available from:
http://www.academia.edu/4702463/What_is_GRC_Corporate_GRC_Strategies[Accessed
30/09/2014].

PROCTOR, P. 2014. Gartner Resets Approach to GRC [Online]. Available from:
http://blogs.gartner.com/paul-proctor/2014/02/03/gartner-resets-approach-to-grc/ [Accessed:
15/09/2014].

RACZ, N., PANITZ, J, AMBERG, M, WEIPPL, E. & SEUFERT, A. 2010b. Governance, risk &
compliance (GRC) status quo and software use: Results from a survey among large enterprises.
In Proceedings of the 21st Australasian Conference on Information Systems (ACIS), Dec 1-3,
2010, Brisbane.

RACZ, N., WEIPPL, E. & SEUFERT, A. 2010a. A frame of Reference for Research of
Integrated Governance, Risk and Compliance (GRC). In: Communications and Multimedia
Security. Springer: Berlin: 106-117.

RACZ, N., WEIPPL, E. & SEUFERT, A. 2010c. A process model for integrated IT governance,
risk, and compliance management. In: Proceedings of the Ninth Baltic DB&IS Conference on
Databases and Information Systems. Riga: Latvia: 155-170

RASMUSSEN, M. 2011. GRC: Solving Real Business Problems, Not Just Hypothetical Ones
[Online]. Available from: http://www.corp-integrity.com/research/grc-solving-real-business-
problems-not-just-hypothetical-ones [Accessed: 02/04/2012].

RASMUSSEN, M. 2012. Inevitability of Failure: Managing GRC in Silos [Online]. Available
from: http://www.corp-integrity.com/grc-fundamentals/inevitability-of-failure-managing-grc-in-silos
[Accessed: 02/04/2012].

RASMUSSEN, M. 2013. Engaging Employees in the Context of GRC 3.0: Bringing GRC to the
‘Coal-Face’ of Your Organization. GRC2020

ROGERS, E.M. 1962. Diffusion of innovation. 3rd ed. New York: The Free Press.

ROSSITER, C. 2007. Top 10 priorities for internal audit in a changing environment. BANK
ACCOUNTING AND FINANCE, 20(5), Aug.:34.

ROUSE, P.D. 2004. Technology adoption: the process, success factors and outcomes in a
manufacturing environment. St. Ambrose University. vol 29.

SAP. 2009. An Integrated Approach to Managing Governance, Risk and Compliance. Drive
Business Performance and Stakeholder Confidence. Internal document.

SHAHIM, A., BATENBURG, R. & VERMUNT, G. 2012. Governance, Risk and Compliance: A
Strategic Alignment Perspective Applied to Two Case Studies. Springer Berlin Heidelberg.

SHILI, S. 2008. Organizational Culture and its Theme. International Journal of Business and
Management, 3(12), Dec.

SMITH, A. 2010. Governance, Risk and Compliance functions moving greater convergence
[Online]. Available from:
http://www.kpmg.com/za/en/issuesandinsights/articlespublications/advisory-publications/
pages/moving-toward-greater-convergence.aspx [Accessed 29/03/2012].

SMITH, E. 2003. Leading edge decisions. The Computer Bulletin, 45(5), Sep: 18-19.

SMITH, J. K. & HESHUSIUS, L. 1986. Closing down the conversation: The end of the
quantitative–qualitative debate among educational inquires, Educational Researcher, 15(1),
Mar.: 4-12.

SOMERS, T.M., & NELSON, K. 2001. The impact of critical success factors across the stages
of Enterprise Resource Planning implementations. In: System Sciences, 2001. Proceedings of
the 34th Annual Hawaii International Conference on, Jan 6-6, 2001, USA, IEEE.

SPANAKI, K. & PAPAZAFEIROPOULOU, A. 2013. Analysing the Governance, Risk and
Compliance (GRC) implementation process: primary insights. In: Proceedings of the 21st
European Conference on Information Systems.

STARLING, G. 1993. Project management as a language game. Industrial Management & Data
Systems, 93(9), :10-18.

STEINBERG, R.M. 2011. What is GRC, and Why Does It Matter?, in Governance, Risk
Management, and Compliance: It Can't Happen to Us - Avoiding Corporate Disaster While
Driving Success. Hoboken: John Wiley & Sons.

STEPHANE, L. 2014. OCEG Survey Shows High Interest in GRC Architecture, Enterprise
Architecture (EA) [Online]. Available from: http://www.oceg.org/theme/grc-technology/oceg-
survey-ea-grc-enterprise-architecture/ [Accessed: 29/09/2014].

TARANTINO, A. 2008. Governance, risk, and compliance handbook: technology, finance,
environmental, and international guidance and best practices. Hoboken: John Wiley & Sons.

THIRUVADINATHAN, A. 2014. GRC Triangle [Online]. Available from:
http://www.linkedin.com/pulse/article/20140823055702-14340454-the-grc-triangle?trk=mp-
reader-card [Accessed: 23/09/2014].

TIAZKUN, S. & BOROVICK, L. 2007. Governance, Risk and Compliance. white paper (P.1).

TUSHMAN, M.L. 1978. Technical communication in R & D laboratories: The impact of project
work characteristics. Academy of Management Journal, 21(4), Dec:624-645.

VICENTE, P. & SILVA, D.M.M. 2011. A Business Viewpoint for integrated IT Governance, Risk
and Compliance. Washington, DC: IEEE: 422-428.

WIESCHE, M., SCHERMANN, M. & KRCMAR, H. 2011. Exploring the contribution of
Information Technology to Governance, Risk Management, and Compliance (GRC) initiatives.
In: ECIS 2011 Proceedings.

YIN, R.K. 2002. Case Study Research: Design and Methods (Applied Social Research
Methods). 3rd ed. London: SAGE.

ZHANG, Y. & WILDMUTH, B.M. 2006. Unstructured interviews.

ZORN, T. 2008. Designing and conducting Semi-Structured interviews for research. Waikato:
Management School, Waikato.

APPENDIX A: RESEARCH INTERVIEW GUIDE (Question themes)

Category: Communication
1. What is your opinion of what GRC is, in business terms?
 Please describe your ideal GRC environment.
 How do you see GRC assisting you in your department?
 How do you see your role in the GRC environment?
2. How do you think other stakeholders view GRC?
 Do you exchange/share information about GRC with others within or outside your company?
 How have you gained your knowledge of GRC?
 How well informed are the stakeholders on the GRC initiative?
3. Were you aware of, or involved in, the GRC project from the beginning?
4. Do you feel integrated with other consultants working on the client side, in terms of
centralised knowledge sharing?

Category: Avoidance
1. Do you know of any other solution that can do what GRC does, but better?
2. Do you find yourself taking longer to complete your job because of GRC processes?
3. Does the GRC initiative make you dissatisfied or frustrated in any way?
4. What do you think stands in the way of stakeholders fully embracing GRC?
 What are the main challenges within the GRC environment among stakeholders?
 What do you think are the negative effects resulting from a lack of integration of GRC
activities in your organisation?
5. Who do you think should take ownership of GRC?

Category: Adoption
1. What is your general feeling about GRC and its adoption?
2. Do you think GRC has enough support from business, compliance and IT (management)?
3. What elements might influence (positively or negatively) major stakeholders' perceptions of
GRC?
 What do you think are the pros and cons of GRC?
 What stakeholder activities do you think deter or support the effectiveness of the GRC
initiative?
4. What do you think are the drivers/influencing factors of the GRC initiative?
5. What are the risk management and compliance activities in your organisation?
6. Has your organisation implemented technology to accomplish GRC-related activities?

APPENDIX B: INFORMED CONSENT FORM

PARTICIPANT'S CONSENT

I hereby confirm that I have been adequately informed by the researcher about the nature, conduct,
benefits and risks of the study. I have also received, read and understood the above written information.
I am aware that the results of the study will be anonymously processed into a research report. I
understand that my participation is voluntary and that I may, at any stage, without prejudice, withdraw my
consent and participation in the study. I had sufficient opportunity to ask questions and of my own free
will declare myself prepared to participate in the study.

Research participant’s name: (Please print)


Research participant’s signature:
Date:
Researcher’s name: (Please print)
Researcher’s signature:
Date:
For further information, please contact
Norman
0824594297
