Inevitability of Failure: Managing GRC in Silos
Success in today’s dynamic business environment requires the organization to integrate, build, and support business processes with an enterprise view of governance, risk management, and compliance (GRC). Without an integrated view of risk and compliance, the scattered and non-integrated approaches of the past fail and expose the business to interrelationships of risk and compliance that were not understood. A mature GRC program is one in which the organization has an integrated process, information, and technology architecture providing visibility across risk and compliance domains. It is an integrated approach that allows business managers and executives to leverage GRC data for risk-aware decision making and resource allocation.
Multifaceted risk environment
Risk to the business is like the hydra in mythology – organizations combat risks only to find more risks springing up to threaten them. So often risk and compliance strategies are like the ‘whack-a-mole’ game at the county fair. Executives are constantly reacting to risks appearing around them and fail to become proactive in managing and understanding the interrelationships of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants, staffing), their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes, internal controls) and externally (e.g., competitive, economic, political, legal, and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area of the organization can have a profound impact on other risks.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. In order to manage corporate performance, the organization needs to understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to the inevitability of failure. Reactive, document-centric, and manual processes for GRC fail to proactively manage risk in the context of business strategy and performance, and they leave the organization blind to the intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives, and performance, resulting in complexity, redundancy, and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment because there is no framework or architecture for managing risk and compliance as an integrated part of the business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility of being intelligent about risk and understanding its impact on the organization.
A non-integrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
- Redundant and inefficient processes. Organizations often take a Band-Aid approach and manage risk in disconnected silos instead of thinking of the big picture and how resources can be leveraged and integrated for greater effectiveness, efficiency, and agility. The organization ends up with varying processes, systems, controls, and technologies to meet individual risk and compliance requirements. This results in multiple initiatives to build independent GRC systems – projects that consume time and resources and result in inefficiencies.
- Poor visibility across the enterprise. A reactive approach to GRC with siloed initiatives results in an organization that never sees the big picture of risk. The organization ends up with islands of oversight that are individually assessed and monitored. The line of business is burdened by multiple and differing risk and compliance assessments asking the same questions in different formats. The result is poor visibility across the organization and its GRC environment.
- Overwhelming complexity. Varying risk and compliance frameworks, manual processes, over-reliance on spreadsheets, and point solutions that lack an enterprise view introduce complexity, uncertainty, and confusion to the business. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently – introducing more points of failure, gaps, and unacceptable risk. Inconsistency in GRC not only confuses the organization but also regulators, stakeholders, and business partners.
- Lack of business agility. A GRC strategy that is reactive and managed in siloed and manual processes with hundreds to thousands of disconnected documents and spreadsheets handicaps the business. The organization cannot be agile in a demanding, dynamic, and distributed business environment. This is exacerbated by documents, point technologies, and siloed processes that are not at the “enterprise” level and lack analytical capabilities. The business becomes bewildered in a maze of varying approaches, processes, and disconnected data that are not addressed with any sense of consistency or logic.
- Greater exposure and vulnerability. No one sees the big picture. No one is looking at GRC holistically across the enterprise. The focus is on what is immediately before each department, and no one sees the complex relationships and dependencies of risk across the organization. This is exacerbated by many so-called GRC solutions that focus on assessment and replacing spreadsheets but do not deliver on analytics or align with business applications. All of this ends up in gaps that cripple GRC and a business that is ill-equipped to align GRC with the business.
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds that organizations that lack a collaborative, integrated, and enterprise approach to GRC have:
- Inability to gain a clear view of risks and their dependencies
- High cost of consolidating disparate data silos and documents
- Difficulty maintaining accurate data
- Failure to report and trend GRC across assessment/reporting periods
- Unreliable or irreconcilable risk assessment results because of different formats and approaches
- Redundancy of risk management and compliance efforts
- Failure to provide intelligence to support decision-making that crosses risk and compliance areas
- Inconsistency in approaches to risk/compliance activities
- Different vocabularies and processes that limit correlation, comparison, and integration of information
- Lack of agility to respond in a timely manner to changing environments and situations
Please share your comments, thoughts, experiences, and reflections on managing GRC in scattered silos.