Business is complex. Gone are the years of simplicity in business operations. Exponential growth and change in regulations, globalization, distributed operations, changing processes, competitive velocity, business relationships, disruptive technology, legacy technology and business data encumbers organizations of all sizes. Keeping this complexity and change in sync is a significant challenge for boards, executives, as well as governance, risk management and compliance (GRC) professionals throughout the business.
The modern organization is:
- Distributed. The smallest of organizations can have distributed operations complicated by a web of global supplier, agent, business partner and client relationships. Traditional brick and mortar business is a thing of the past: physical buildings and conventional employees no longer define organizations. An interconnected mesh of relationships and interactions that span traditional business boundaries now defines the organization. Complexity grows as these interconnected relationships, processes and systems nest themselves in intricacy, such as deep supply chains.
- Dynamic. Organizations are in a constant state of flux. Distributed business operations and relationships are growing and changing at the same time the organization attempts to remain competitive with shifting business strategy, technology and processes while keeping current with changes to risk and regulatory environments around the world. Multiplicity of risk environments that organizations have to monitor span regulatory, geo-political, market, credit and operational risks across the globe. Regulatory change has more than doubled in some industries in the past five years and has grown for all industries. Managing risk, regulatory and business change on numerous fronts has buried many organizations.
- Disrupted. The explosion of data in organizations has brought on the era of “Big Data” and with that we now have “Big GRC Data.” Organizations are attempting to manage high volumes of structured and unstructured data across multiple systems, processes and relationships to see the big picture of performance, risk and compliance. The velocity, variety, and volume of data is overwhelming – disrupting the organization and slowing it down at a time when it needs to be agile and fast.
Many organizations are hindered when aspects of GRC are managed in disconnected silos that do not share information and collaborate. Mature GRC programs are those that have an information architecture that can show the relationship between objectives, risks, obligations, policies, controls and events. The problem is that organizations lack a solid information architecture to map information and therefore struggle to build knowledge out of remote data points.
A backbone of GRC is risk management. Organization objectives, performance and strategy are the primary alignment of GRC, but in the bowels of GRC processes it is risk management that provides the critical linchpin that connects GRC processes and activities together. To effectively manage risk requires that the organization have a thorough context of risk relationships to other aspects of GRC such as policies, controls and events. However, the dynamic and global nature of business is challenging for risk management. As organizations expand operations and business relationships their risk profile grows exponentially. Organizations need systems and information to monitor risk to business internally (e.g., strategy, processes and internal controls) and externally (e.g., legal, regulatory, competitive, economic, political and geographic environments) to stay competitive. What may seem an insignificant risk in one area can have profound impact on others. This requires that the organization be thoroughly risk intelligent — the ability to think holistically about risk and uncertainty, speak a common risk language and effectively use forward-looking risk concepts and tools in making better decisions, alleviating threats, capitalizing on opportunities and creating lasting value.
Isolated Risk and Policy Initiatives Introduce Greater Risk
Managing risk in today’s dynamic and distributed business environment is not an easy task. Risk management does not happen in a vacuum — it requires context and follow through. The only way an organization can manage risk appropriately is if acceptable and unacceptable risk is defined and communicated.
The official definition of GRC is:
- A capability to reliably achieve objectives [governance] while addressing uncertainty [risk management] and acting with integrity [compliance].
The reliable achievement of objectives is governance, understanding and addressing uncertainty is risk management, and acting with integrity is compliance. All three of these provide a natural flow. Governance provides strategy and objectives that deliver the context for risk management. Risk management, in turn, aims to comprehend and predict uncertainty and set boundaries (policies & controls) and expectations so the organization can reliably achieve those objectives. Compliance then ensures that the organization stays within the boundaries (policies & controls) set by risk management as it aims to reliably achieve objectives.
The Bottom Line: Risk management activities managed separately from corporate policies leads to inevitable failure. Without an integrated approach to risk management and policy management the organization has no follow-through. Risk management is useless if it cannot be tied to boundaries for acceptable and unacceptable risk that are defined and communicated in policies throughout the organization.
A nonintegrated approach to risk and policy management impacts business by not being efficient, effective or agile, resulting in:
- Inefficient alignment. Organizations take a Band-Aid approach and manage risk disconnected from policies instead of thinking of their relationship and dependence upon each other. Every policy in the environment is a risk document — there would not be a policy if there was not a risk. When policy management is disconnected from risk management the organization ends up with policies that are not clearly aligned and are managed out of context of the risk they address.
- Poor visibility across the enterprise. Separate risk management and policy initiatives result in an organization that does not see the big picture – it fails to measure policy in the course of business conduct and how it impacts risk exposure and management. The organization ends up with islands of policies that are not understood in the framework of risk.
- Overwhelming complexity. Non-integrated risk management and policy management processes increases complexity. Complexity increases inherent risk and results in processes that are not streamlined and managed consistently by introducing more points of failure, gaps and unacceptable risk. Inconsistent risk management and policy processes not only confuse the organization but also regulators, stakeholders and business partners.
- Lack of business agility. The organization is constantly changing and therefore its risk profile is changing. The inability to have a view into the relationship of risk to current policy handicaps the business. The organization is incapable of agility in a demanding, dynamic and distributed business environment. People are bewildered by a maze of varying approaches, processes and disconnected data organized without any sense of consistency or logic.
- Greater exposure to non-compliance and vulnerability. When policy is not written and enforced in the context of risk management, the focus is on what is immediately needed to get the job done. This leads to processes and individuals, who step out of line, take more risk than the organization wants, or violates policy. Most often organization’s policies are out of date to the current risk profile, non-existent or unenforced in accordance to risk.
What may seem like an insignificant risk from one perspective may very well have a different appearance when other perspectives are factored in. Organizations with siloed risk management and policy processes face inefficiency, out-of-sync controls and out of date or insufficient policies that are inadequate to manage risk. Organizations fail and are encumbered by complexity because they manage policy within specific issues, without regard for a common integrated risk and policy framework.
More on this topic can be found in the following items from GRC 20/20 . . .
- Polices: The Last Mile of Risk Management – A GRC 20/20 Strategy Perspective
- There is no Security Patch for Human Error – Webinar
- Benchmarking Your Policy Management Program: Deficient, Common & Best Practices – Webinar
- Market Landscape: Policy & Training Management Solutions – a GRC 20/20 Online Research Briefing