3 Reasons Why It’s Critical to Consider Relationships When Building Reports

Published October 28, 2020

When it comes to managing risk and compliance programs, reporting on status and results is a key part of the job. Yet when building reports, organizations often overlook the importance of examining the relationships of the intended audiences. 

In our recent webinar Get the Most From Your GRC Data Reports, Reciprocity’s GRC Expert Alan Gouveia and Product Manager Fan Feng said the reason relationships don’t typically get addressed is that a lot of GRC professionals believe the proof is in the pudding. For instance, if a report shows you’re compliant with SOC 2, you’re done! 

But Gouveia and Feng have some bad news — if you want to create reports that matter, it’s not that simple.

Here are three reasons why our GRC pros say it’s critical to keep relationships in mind when building reports.   

1. One-size-fits-all reporting fits no one. 

Each member of your audience will have a different requirement from your reporting. And if you want to keep everyone buying into your GRC program, you’re going to need a way to provide a report that’s tailored to what each person cares about without overloading them with too much information.

For example, your executive team probably doesn’t need a requirement-by-requirement report on how you’re staying compliant. Most likely, they’re going to be more concerned with an aggregate number or a yes/no answer. But stakeholders in a different department within your organization are going to be focused on the things that they’re responsible for maintaining, which means they’ll want a totally different report.

2. Less relevancy leads to less involvement. 

So how do you know what each person or department wants to see? The only way to find out is to ask. You need to be open to hearing about what others want to see and help them identify what will be most valuable to them. Then you can tailor individual reports for each stakeholder.

It’s important to remember that building reports is a trial-and-error process that doesn’t stop once you confirm what others want in that initial report and hand it over. If your reports aren’t valuable to your audience, these key stakeholders are not going to use them…which means they’ll be less involved in your GRC process. Once you start these reporting relationships, it’s critical that you maintain an open and ongoing dialogue about the reporting process. Ask if the reports are useful, and be open to editing your reports to keep them relevant.

3. Taking the easy way out only makes it harder.  

Now, you may be wondering, “Why go to all this trouble?” It’s certainly tempting to just throw in all the information that you have and let your stakeholders sort it out. But be careful with this approach. 

Providing too much information is going to overload your readers and dilute your message. And, in the end, it just makes more work for you. 

To learn more tips on how to create more powerful reporting, watch the full webinar.

