Global Governance, Risk and

Compliance Benchmarking Report

2018
200+ GRC professionals across the globe
share their insights into how their roles are
changing.

Our software reduces compliance burden associated with regulations and

standards:
An effective management system takes
more than a single software solution or
achieving a certificate for the wall. It
takes time, energy, commitment and
investment.
Qualsys’s software and solutions give
businesses the tools and knowledge they
need to effectively plan, monitor and
improve performance.
We’ve worked with worldwide brands
such as Sodexo, BT and Diageo, as well as
hundreds of SMEs, to help them make
good practice natural and invisible.
Founded in 1995, Qualsys Ltd is now one
of the largest privately-owned
governance, risk and compliance
software providers in the UK.
Our software solutions are used every
day in more than 100 countries across
the globe, helping all kinds of businesses
meet a wide range of standards and
regulations.
ur software reduces compliance burden associated with regulations and
standards:
Get in touch
Kate Armitage
+44(0) 114 282 3338
www.qualsys.co.uk Kate.Armitage@qualsys.co.uk

Brands we work with

 Contents
1.0 Welcome 4
An introduction to the GRC report 2018

2.0 Executive summary 6

Key findings and statistics from the survey

3.0 How are GRC professionals spending their 8

time?
The role of GRC in 2018

4.0 What factors are influencing the role? 13

Regulation, technology and industry trends

5.0 What are the key priorities for 2018? 16

Future plans and opportunities

6.0 Methodology 20
How we collected the results

7.0 Next steps 22

Share what you think of the results

3. DOCREF:GGRC03/18
 1. Welcome to the Global
Governance, Risk and
Compliance Benchmarking
Report 2018
Welcome to the 2018 Global
Governance, Risk and Compliance
(GRC) Report, collected by
Qualsys to understand how the
role of GRC is changing.
In February 2018, Qualsys Ltd
distributed the annual
benchmarking survey, asking GRC
Kate Armitage professionals about their day-to-
Product Quality Assurance
day roles.
Manager
Kate.Armitage@qualsys.co.uk
The 38 questions in the survey
were grouped into four broad
categories: GRC skills & areas of
focus, key roles and activities,
technology and systems, and
organisational culture.
The 202 responses we received
from many different industries
have provided important insights
into how the role is changing.
We’ve used the survey results to
answer three questions:
1) How are GRC professionals
spending their time?
2) What factors are influencing
the role of GRC?
3) What are the key priorities for
2018?
We hope that you'll find the report
insightful and useful in your daily
role.
 2. Executive summary
Key findings from the global governance, risk
and compliance survey 2018

More leadership teams are engaged with quality and

compliance than ever, thanks to changes in Annex SL which
require top management commitment.
The biggest challenge for many GRC professionals now is
engaging the rest of the organisation, promoting a culture of
ownership and operational excellence.
But this is going to be hard. Many are still feeling under-
resourced, overstretched and undervalued. 60 percent of GRC
professionals say they are missing the essential tools they need
to make real improvement and this is resulting in highly-skilled
experts spending significant amounts of time completing
manual data processing tasks.
2018 will no doubt be an interesting, busy year for GRC. There is
the General Data Protection Regulation, increasing pressure to
manage corporate sustainability, ISO 9001 transition deadline,
and many other new risks and opportunities to be managed.
Efficient processes and robust management systems are more
important than ever.

6. DOCREF:GGRC03/18
 Key findings from the report

2.7
extra days per
month are spent
18% 99%
were promoted in don't feel fully ready
the past 12 months for GDPR
reporting than in
2015

25% 60% 31%

have a budget feel they don't have say their business does
adequate resources to not proactively
make real quality manage risk
improvements

24%
have effectively employed
18% 28%
have left a role because implemented an integrated
risk-based thinking they didn't have adequate management software
across the business tools solution in the past 2 years
 3. How do GRC professionals
spend their time in 2018?
The role of GRC in 2018

Wearing many hats

The GRC umbrella covers a broad range of roles and
responsibilities.
Ensuring the business complies with regulations is a
minimum requirement for most GRC professionals. 84
percent said compliance and product conformity is
important for their business. However, only 22 percent
mentioned that this is a main way they spend their time.
Instead, working hours are dedicated to customer
satisfaction
uk
initiatives, reducing waste, monitoring
environmental factors, managing CAPAs, reporting, and
much more.
Despite having so many responsibilities, 60 percent say
they already feel they don't have the resources they need to
make real quality improvement - an increase of 12 percent
over the past year. Many attribute this to not having the
tools they need to implement the necessary changes, with
only 25 percent saying that they have access to a budget.

Read 'The changing role of quality & compliance,' John Oakland

8. DOCREF:GGRC03/18
 How do you spend your time?

Percent

Most GRC professionals are using ISO frameworks

Over 80 percent said implementing and transitioning to ISO
standards was a key part of their role. As well as ISO 9001,
many reported industry-specific standards such as ISO 17025,
IATF 16949, and ISO 15189.

Auditing a missed opportunity?

Although 82 percent said being ready for external audits is
important for their business, only one in three said that internal
auditing is a routine part of their role. Even fewer mentioned
that supplier auditing was part of their role, with around 20
percent mentioning that they undertook routine supplier
audits.

9. DOCREF:GGRC03/18
 42 percent spend 5+ days compiling reports
A large majority of working time is spent compiling reports. 95
percent of GRC professionals mentioned that they spent their
time collating data for reports and sending them to employees
across the business.
On average, GRC professionals are spending 2.7 extra days per
month reporting than in 2015. 42 percent say they spend five or
more days a month compiling reports.
Tom Hodgson, Business Development Manager at Qualsys says
the results are inconclusive: "These results could suggest two
things. Either GRC professionals are spending increasing
amounts of time chasing departments to get the data they
need or they have better access to data and they are using it to
influence strategic business decisions."

10. DOCREF:GGRC03/18
 75 percent say having measurable performance indicators is
important for their organisation
Instant Key Performance Indicator (KPI) Dashboards have
become more important, with 70 percent now agreeing that
they are an integral aspect of the organisation's quality
management system, an increase of 10 percent since 2015.

"We use an internal Quality Index to measure

key performance indicators, such as quality
knowledge, improvement, non-conformities,
customer satisfaction."
- Survey respondent

Read tips for choosing your KPIs here

11. DOCREF:GGRC03/18
 Improving the management systems
33 percent rated the maturity of their management system as
high. This is the second year in a row this has dropped,
suggesting the struggles governance, risk and compliance
professionals are having to get the tools and resources they
need is impacting their strategic objectives.
It fits that 70 percent of those who had implemented an
electronic management system in the past two years rated the
maturity of their system as "high".

Read Operational Excellence vs Quality Improvement

12. DOCREF:GGRC03/18
 4. What factors are
influencing the role of GRC?
Industry trends and changes

Leadership engaged with quality- thank you ISO

In 2017, a staggering 67 percent of GRC professionals said they
felt leadership are not engaged with quality. Over the past year
there has been a significant improvement, with 40 percent
saying leadership were not engaged.
Many directly attributed this to changes in ISO 9001:2015 which
has put pressure on leadership to demonstrate commitment to
the quality management system. In fact, 70 percent agree that
changes to ISO 9001:2015 have made their business better.

Organisational culture & engagement

Engagement challenges are higher than ever, as individuals
continue to relinquish responsibility and push quality issues
back to the department.

13. DOCREF:GGRC03/18
 Information security management still a weakness for many
4 percent more GRC professionals are now managing the ISO
27001 certification compared to last year, and 8 percent plan to
achieve the information security management standard in the
next 3 years.
Robert Oakley, Commercial Director at Qualsys, was surprised
that information security and data management was not at the
top
. of the list.

“With the GDPR coming into force in May, I’m surprised data
protection isn’t at the top of every GRC professional’s list. GDPR
fines can be up to €20 million or 4 percent of annual global
turnover - it's a huge risk. It's too important to leave solely to
your CIO or marketing team. The GDPR requires the expertise of
GRC professionals and their structured process approach.”
In fact, only 1.64 percent report feeling fully prepared for the
GDPR; 18 percent feel well prepared; 40 percent feel somewhat
prepared; 23 percent feel inadequately prepared and 18
percent feel not at all prepared.

Need to get ready for the GDPR? Join this workshop

14. DOCREF:GGRC03/18
 2018 focus on sustainability
Despite a lack of focus on the General Data Protection
Regulation, GRC professionals are spending more time
focusing on sustainability. 12 percent reported focusing on all
aspects of “the triple bottom line” - where they are balancing
the needs of their people, profit and planet.
32 percent now report managing the environmental
management system and more than ever are planning
certification to ISO 14001.

uk

The 'Triple Bottom Line' focuses on People, Planet

and Profit for sustainability.

15. DOCREF: GGRCS03/18

 5. What are the key
priorities for 2018?
Future plans and opportunities

Eighty-five percent of respondents said that technology is

important or very important in delivering quality to their
business. This is consistent with previous reports from 2017,
2016, and 2015 (84 percent, 90 percent and 88
percent respectively), suggesting that governance, risk and
compliance professionals recognise the need to digitise their
activities to achieve continuous improvement.
However, 81 percent of respondents said their organisation
was not effective or only slightly effective at using technology.
The disconnect between the importance of technology
against the tools available is related to the problems GRC
professionals have engaging the wider organisation with the
software and their ability to get the resources to effectively
manage change.

"New technologies, such as Big Data,

blockchain, and the IoT will have a significant
impact on my role. GRC professionals across
the industry must be one step ahead."
- Survey respondent comment

16. DOCREF: VAL02/18

 Still missing the technology
60 percent say they already feel like they don't have the
resources they need to make real quality improvement - an
increase of 12 percent over the past year. Many attribute this
to not having the tools they need to implement the necessary
changes, with only 25 percent saying that they have access to
a budget.

17. DOCREF: VAL02/18

 Lessons learned in the past year

"Never be sloppy "The value of electronic resources.

when trying to find An effectively managed QMS to
a root cause." drive continual performance"
"How to encourage suppliers to be more open."

"No training = No goals achieved. 1. We need to

teach systems thinking. 2. We need to train people
on Process Approach. 3. We need to learn Culture
of Quality"
"Continually renew the company vision, mission,
objectives, strategy, action plans."
"Focus. Make it
simple and
different." "Value of "How important
leadership is and the
auditing importance of
empowering everyone to
remote sites." own quality."

"Do not work for "Check, check, and then check again."
companies who do "Emphasising
not believe in
quality." importance of an
integrated QMS to all
"Coping with negativity." employees and having
all employees actively
using the QMS."
Plans for 2018
"Extending the scope of the
quality management system."
"The value of electronic resources. An
effectively managed QMS to drive
continual performance"
"IT improvements and integrations."
"I'll be rolling out our EQMS software
across new territories."
"First, GDPR. Then ISO 45001."
"Implementation of 5S, and then
preparing to implement level 4 of
CMMI DEV, as well as achieving ISO
9001: 2015 certification."
"Environmental profiles for our product
range, and developing our EQMS."

"Consolidating a global management

system."
"Implementing ISO 9001 as a business
management system."
"Implementing a comprehensive
balanced scorecard."

"Ensuring all elements of ISO15189 are

met for the laboratories."
"Implementing a new employee
onboarding process, establishing a
weekly quality circle, and extending use
of dashboard reporting across the
business."
 6. Methodology
Process for collecting the responses

The 2018 Global Governance, Risk and Compliance Survey

was drafted by Qualsys in January 2018. It was then
distributed to over 14,000 governance, risk and compliance
professionals worldwide in February 2018.
The survey produced 202 respondents. 25 percent held the
title of Quality Manager; 10 percent Compliance Managers, 9
percent Director or Head of Department; 5 percent Process
Manager; 3 percent GRC Managers, and the rest held
consultancy, project manager or specialist roles.
22 percent have held their roles for over ten years; 13 percent
of respondents held their role for 6-10 years; 35 percent held
their role for 2- 5 years; and 30 percent held their role for
under 2 years.
The survey went out to a wide range of industries. Of the
responses, the single largest industry group represented was
manufacturing with 48 percent. Next was life science and oil,
gas and power with 18 percent and 14 percent respectively;
outsourcing at 6 percent, government and aerospace both
at 4 percent; telecommunications at 3 percent; financial and
legal services at 2 percent; media and publishing at 1
percent.

20. DOCREF:GGRC03/18
 The questions remained the same to 2015, 2016, and 2017, with
the addition of some new questions (including "How
prepared do you feel for the General Data Protection
Regulation coming into effect in May 2018?" ) for the direct
comparative data sets and new data.

21. DOCREF:GGRC03/18
 7. What do you think of the
results?
Tweet @QualsysEQMS to
share your thoughts on the
survey findings.

Contact details Talk to us

Aizlewood's Mill, Nursery Questions about
Street, Sheffield, S3 8GG our governance, risk and
compliance software? Talk to
info@qualsys.co.uk a domain expert who
+44 (0) 114 282 3338 will show you how we can
help.