Governance, Risk and Compliance (GRC) has become a key component of IT and business environments in every industry - and these environments are expanding rapidly. With the widespread adoption of cloud-based solutions, many organizations now operate with a hybrid environment that mixes cloud and on-premise technologies. These hybrid environments require an updated and more complex strategy to enable a culture of continuous compliance. 

To achieve an efficient and effective implementation, your GRC program should support an impact-based approach that contextualizes risk within the business and monitors risks across security models. In this post, we’ll take a look at the challenges of migrating to a cloud-based solution, the key components of an enterprise GRC system, and the best practices for maintaining compliance in a hybrid environment.

The Challenges of Cloud-Based Solutions

There are a number of GRC and risk management challenges that organizations face when migrating to cloud-based solutions, including: 

  • Developing and executing an effective GRC strategy
  • Managing risk associated with managed service providers and third-party vendors
  • Monitoring and addressing risk across applications
  • Managing conflicting security models
  • Remediating ongoing segregation of duties (SoD) and sensitive access conflicts between cloud and on-prem solutions
  • Monitoring the use of privileged or elevated access

The key to clearing these hurdles is utilizing functions within your enterprise GRC tool to monitor and address risk across solutions.


Key Components of Enterprise GRC

While there are a number of functions within your GRC tool that can help you manage and monitor risk, there are a few key features that are particularly important as you migrate to a cloud solution.

Risk Analysis

By creating, updating, and maintaining rule sets within your GRC tool, your organization can monitor cross-system risks that may arise when transitioning to new applications or solutions. For example, your HR and Payroll teams may be moving to SuccessFactors, while your procurement team has chosen Ariba for managing purchase orders (POs). Meanwhile your Master Data Management (MDM) system is being used for vendor maintenance. Using your GRC tool, you can execute regular, comprehensive risk analyses to monitor core business process activities that have moved to applications outside of your ERP system and identify associated issues. 
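The cross-system analysis described above can be sketched as follows. This is an added example, not code from any GRC product: the system names come from the paragraph, while the entitlement strings, risk IDs, and user IDs are constructed for illustration. It assumes each application account can be mapped to one enterprise identity, and it reports accounts that cannot, since those escape the analysis.

```python
from collections import defaultdict

# Constructed rule set: each business function lists the (system, entitlement)
# pairs that grant it; each risk is a pair of functions one person must not hold.
RULESET = {
    "functions": {
        "VENDOR_MAINT": {("MDM", "vendor.maintain")},
        "PO_CREATE": {("Ariba", "po.create"), ("ERP", "po.create")},
        "EMPLOYEE_MAINT": {("SuccessFactors", "employee.maintain")},
        "PAYROLL_RUN": {("SuccessFactors", "payroll.process")},
    },
    "risks": {"P001": ("VENDOR_MAINT", "PO_CREATE"),
              "H001": ("EMPLOYEE_MAINT", "PAYROLL_RUN")},
}
IDENTITY_MAP = {  # (system, local account) -> enterprise identity (constructed)
    ("MDM", "jdoe"): "E1001",
    ("Ariba", "john.doe@example.com"): "E1001",
    ("Ariba", "asmith@example.com"): "E1002",
    ("SuccessFactors", "1002"): "E1002",
    ("SuccessFactors", "1003"): "E1003",
}
ASSIGNMENTS = [  # (system, local account, entitlement) exported per application
    ("MDM", "jdoe", "vendor.maintain"),
    ("Ariba", "john.doe@example.com", "po.create"),
    ("Ariba", "asmith@example.com", "po.create"),
    ("SuccessFactors", "1002", "employee.maintain"),
    ("SuccessFactors", "1003", "employee.maintain"),
    ("SuccessFactors", "1003", "payroll.process"),
    ("Ariba", "contractor7@example.com", "po.create"),  # no identity mapping
]

def analyze(ruleset, identity_map, assignments):
    """Return (findings, unmapped accounts) for a cross-system SoD rule set."""
    held, unmapped = defaultdict(set), set()
    for system, account, entitlement in assignments:
        person = identity_map.get((system, account))
        if person is None:
            unmapped.add((system, account))  # cannot be analyzed; needs follow-up
            continue
        held[person].add((system, entitlement))
    findings = []
    for person, ents in sorted(held.items()):
        # Functions this person can perform, with the entitlements that grant them
        funcs = {f: ents & p for f, p in ruleset["functions"].items() if ents & p}
        for risk_id, (a, b) in sorted(ruleset["risks"].items()):
            if a in funcs and b in funcs:
                systems = sorted({s for s, _ in funcs[a] | funcs[b]})
                findings.append((person, risk_id, systems))
    return findings, sorted(unmapped)

if __name__ == "__main__":
    print(analyze(RULESET, IDENTITY_MAP, ASSIGNMENTS))
```

A per-application check would miss the P001 finding, because neither MDM nor Ariba alone holds both sides of the conflict.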

Emergency Access

Implementing policies within your GRC tool to manage and monitor business or IT elevated access is critical to how emergency access requests are handled within internal systems and applications. When there are significant changes to the system landscape, workflows within the tool should be updated to approve, grant, and remove time-based access for all applications. Then, when emergency access is granted, it can be monitored, reviewed, and approved within your GRC tool to ensure there were no discernible discrepancies between the intended and actual usage.

Access Request Management

Your enterprise GRC platform can be used to design workflows that manage access requests across applications and automate access entitlements. These workflows ensure preventative risk checks are in place before access is granted to a user, and they can be used to automate provisioning and deprovisioning to additional systems (both on-prem and cloud).


Best Practices

Using your GRC platform, your organization can deploy enterprise-wide user access management, provide streamlined processes for both IT and the business, and eliminate the need to frequently repeat tasks through automation. But the success of your program is reliant on a few critical best practices:

  • Defining Business Risks: Business owners must review and approve SoD and Critical Actions independent of business applications (e.g., vendor maintenance vs. creating and changing purchase orders).
  • Performing a One-time Remediation Activity: Role clean-up and assignment changes should be executed to remove avoidable risks (no matter the underlying applications).
  • Designing Workflows for Automated Security Processes: Provisioning and deprovisioning to all applications (e.g., ERP, on-premise, and cloud) should be automated and compliant.
  • Executing User Access Reviews: Multiple business applications should be covered in one review request.
  • Managing Emergency Access: Superuser or privileged access rights should be approved and resulting activity reviewed for appropriateness in accordance with established emergency access policies.


Every cloud migration has a set of unique risk management challenges an organization must face. While there is no simple panacea for the pain of these transitions, your enterprise GRC system can help make the switch easier. Functions within your GRC tool can help you identify and address critical risks across applications and effectively manage and monitor user access. The key is selecting the right GRC tool and developing the best strategy for utilizing it as you migrate to the cloud. Focal Point specializes in helping organizations develop scalable, tactical strategies for implementing and optimizing their enterprise GRC systems. Talk to one of our experts to learn more about our full suite of GRC services, from technical configuration to ruleset customization and testing. 
