Establishing an Enterprise View of Risk & Compliance
Success in today’s dynamic business environment requires the organization to integrate, build, and support business processes with an enterprise view of risk and compliance. Without a new approach to risk and compliance, the scattered and non-integrated risk and compliance approaches of the past fail and introduce greater risk and regulatory threats to the business. A sustainable enterprise view of risk and compliance is one in which accountability is effectively managed and the business has a complete system of record – providing the visibility to assess across a multiplicity of risk and compliance issues. This is supported today by technology that allows for the direct integration of controls within business systems to prevent and/or detect unwanted behavior. Business now requires that governance, risk, and compliance (GRC) controls be integrated into business processes, systems, and applications.
With new risk and compliance issues constantly coming to bear, organizations need to tackle the problem at its roots. Instead of treating each risk and compliance issue as an individual problem (as they have in the past), organizations need to define a common process and technology architecture to manage risk and compliance across the range of issues faced.
The old paradigm of managing risk and compliance is a recipe for disaster. Organizations have been reactive, using manual or point solutions for risk and compliance while remaining extremely fragmented, managing risk and compliance as individual efforts that do not relate to a broader risk and compliance program. A reactive approach to risk and compliance leads to siloed initiatives that never see the big picture. The result is complexity, redundancy, and failure. The organization is not thinking about how controls and processes can be architected to meet a range of risk and compliance needs, nor does it gain an understanding of how risk management and compliance controls impact corporate performance. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, as there is no framework or architecture for managing risk and compliance as an integrated part of business.
What may seem like an insignificant risk in one part of the organization may very well look different when its relationship to, and impact on, other risks is factored in. Organizations face out-of-sync controls and corporate policies that are inadequate to manage risk and compliance. Organizations fail and are encumbered by unnecessary complexity because they manage requirements, risks, and controls within specific issues and do not look to see how a common integrated framework and architecture can bring efficiency to GRC processes. Further, executives are becoming aware that redundant risk and compliance projects from different parts of the organization waste company time and resources with manual and laborious assessments that fail to leverage technology and information.
Modern business requires a new paradigm in tackling risk and compliance issues across the enterprise. No longer can organizations afford to focus on single risk and compliance issues as unrelated projects and assessments, nor can they allow software band-aids that are not integrated into business systems to masquerade as GRC. A targeted strategy addressing GRC requirements through common processes and integration into enterprise applications gets to the root of the problem. The risk and compliance complexity in today’s business requires a common strategy and architecture to effectively manage GRC. GRC is a three-legged stool: governance, risk, and compliance oversight are each individual but interrelated components necessary for effectively managing and directing an organization. In summary – good governance is built upon diligent risk and compliance management processes.
GRC solutions that operate autonomously from business processes introduce further risk in today’s complex and distributed business environment. Organizations require an enterprise view of GRC that not only brings together silos of risk and compliance, but integrates them into the enterprise process and application fabric of the business.
In today’s business environment, ignoring an integrated view of GRC results in business processes, partners, employees, and systems that behave like leaves blowing in the wind. Organizations face a complex array of risk and compliance demands impacting business. The more extended and distributed the business – the more challenging risk and compliance is to manage. An integrated GRC architecture aligns them to be efficient and manageable. Inefficiencies, redundancy, errors, and potential risks can be identified, averted, or contained. This reduces the risk exposure of the organization and enhances business agility and performance.
Organizations are embracing technology to get away from document-centric approaches to GRC that are based on paper, electronic documents, and spreadsheets. Organizations require a GRC architecture that can expand and contract with ever-changing business initiatives over time. However, the first generation of GRC solutions has often been limited, as these solutions end up being a band-aid to replace spreadsheets and lack true integration into the enterprise application fabric and business processes. A primary consideration is the flexibility of the GRC architecture to enable the identification and resolution of business problems.
Continuously monitoring risk and compliance has become imperative, but it is only cost-effective if the organization has a strategic approach to managing controls across risk and compliance initiatives. The business is in the awkward position of reacting to mandates where it should be proactively managing controls and risk. The web of stakeholders with varying risk and compliance requirements appears to introduce a complex tug-of-war with opposing priorities. GRC requirements, risks, and controls have an impact on corporate strategy and performance and need to be monitored as part of an overall corporate performance strategy.
There is significant redundancy in requirements, technologies, and processes across risk and compliance issues impacting the business that can be addressed by a common architecture and process approach to GRC.
Efficiency in risk and compliance processes is achieved through the definition of common processes and integration into the enterprise application environment that different stakeholders can utilize for their individual requirements as well as to collaborate and share. A successful GRC strategy is one that has a symbiotic influence on the variety of business stakeholder roles and their common requirements.
Sustainable risk and compliance programs are built upon a common process and technology architecture designed to meet a range of requirements impacting the business. Organizations need to be intelligent about what processes and technologies they deploy – the goal is to define once and comply with many regulations, manage a range of risks, and maximize value from the convergence of technology, people, and process. A sustainable approach to GRC results in an organization that is looking to the future and mitigating risk in the course of business, as opposed to putting out fires by reacting to risk and control issues as they arise.
Risk and compliance management is complex, with numerous individual intricacies and issues ready to frustrate the organization. Organizations that attempt to build a GRC strategy with home-grown solutions, spreadsheets — or islands of technology that do not integrate into the enterprise and its processes — are left in the dark and boxed into a view of the world that they will find limiting down the road.
The case has been laid that the current business environment requires a new paradigm of GRC technology – a platform that spans the organization and its individual risk and compliance issues, integrates into enterprise applications, becomes an integral part of business processes, brings together a GRC strategy ready to tackle risk and compliance issues at their roots, and is critically linked to corporate performance and strategy.
While comprehensive GRC is much broader than technology – GRC cannot be accomplished without technology. Technology is the foundation of GRC processes and provides the backbone of GRC communication and collaboration.
Getting started on a sustainable GRC strategy requires that the organization obtain a current assessment of where it is today and what is already in place and deployed, identify redundancies in technology, and find areas that might have been addressed but where the solutions are not scalable or manageable at an enterprise level. The gap analysis is aimed not only at identifying the current state but also at helping the organization prioritize its roadmap going forward.
One thing is certain – risk and compliance burdens are not going away. Government regulators continue to impose control upon organizational practices through tighter regulation. Business partners are requiring stronger controls within their relationships. The globalization of business introduces significant risk, with more points of vulnerability and exposure for the organization. The time is now for organizations to define and implement a sustainable GRC strategy that drives accountability, security, sustainability, consistency, efficiency, and transparency of GRC across the organization. Selecting the right technology vendor that provides the integration and enterprise control of risk and compliance is a critical step that organizations should not take lightly.
This article is an excerpt from my latest written research piece on the topic. Additionally, a corresponding webinar has been posted at OCEG. For those who want the best training on the subject of GRC Strategy and Technology Enablement – see my workshops below. Please comment on this article on the GRC Pundit Blog.