An integrated approach to governance, risk management and compliance
In a previous post, we discussed the correlation between compliance and governance, distinguishing the differences between the two. Despite these differences, a close examination reveals the ways in which robust compliance reflects good governance and how ethically minded governance supports effective compliance. What becomes obvious is how the two are both interdependent and interrelated. More and more, organizations are beginning to leverage their common attributes to change their approach to risk management.
The need for an integrated approach to Governance, Risk Management and Compliance (GRC) has become an immediate business imperative for many organizations reacting to a rapidly changing regulatory environment. Executives and boards of directors that construct governance frameworks have learned their lesson from the public's reaction to recent lapses by companies like Facebook, Equifax, Wells Fargo and Yahoo. Customers are no longer satisfied by excuses that blame inadequate policies. Instead, they are going after the policy-makers themselves, demanding personal accountability for the actions of the organization.
For those focused on risk management, the effect of a globalized business environment has meant an increase in both competition and litigation. This heightened risk environment demands a more holistic approach to risk management.
And at the level of compliance, we've seen the institution of sweeping regulatory challenges such as the EU's General Data Protection Regulation (GDPR), which is able to enforce its mandates with devastating legal weight. In addition, recent regulatory trends tend toward principle-based compliance, which focuses more on outcomes rather than a checklist of requirements. Organizations are told what goal to meet, but not how to meet it. Forging pathways to those goals, and maintaining clear documentation of progress along the way, has become one of the challenges compliance departments must face.
4 Drawbacks of a Siloed Response
Because many companies lack the proper technology required to execute an integrated GRC initiative, they continue to operate using outdated solutions that treat each risk and compliance issue as a singular, discrete problem. This practice often leads to temporary fixes that, over time, do more harm than good. Some of the unforeseen effects of this siloed response include:
- Unnecessary Expenditure. When companies continually deal with problems on an as-needed basis, they often invest time and resources in varying systems, processes, controls or technologies. These solutions may not be compatible or efficient for cross-organizational purposes, resulting in duplications and redundancies.
- Increased Complexity. When each department begins solving its compliance and risk management challenges individually, the results are often an inconsistent and increasingly complicated compliance environment. Many times, a system employed by one team might be nearly incomprehensible to another team in the same organization. Inherent in these eccentric, mismatched systems is the higher likelihood of human error, control failure or compliance gaps.
- Decreased Ability to Respond. When an organization is stretched thin trying to maintain a poorly orchestrated compliance system, it is less able to respond to oncoming challenges or new opportunities. This may mean teams fail to identify problems at the early stages, allowing them to reach the crisis point.
- Greater Risk Exposure. The siloed approach to risk management narrows the focus and attention of the organization to only the most pressing emergency. This day-to-day crisis mode allows the company no time to plan for future safeguards, leaving it open to being blindsided by unexpected changes or shifts in policy.
5 Goals of an Integrated GRC Initiative
Given the many drawbacks of uncoordinated GRC solutions, an integrated solution quickly proves attractive. In the absence of a chief GRC officer, industry experts suggest forming a cross-domain steering committee that includes the head of compliance, the general counsel, the CSO or risk officer, the head of audits and the controller's office. The committee would report to the finance head or chief administrative officer. The objective of the committee should be to improve efforts to share information and integrate compliance and risk management initiatives across the enterprise and to gain consensus on matters relating to GRC. A cohesive GRC initiative works to bring the organization closer to the following goals:
- Successful GRC solutions should allow for a bird's-eye view of the entire risk landscape paired with the ability to zoom in on problem areas, weak links or missed opportunities. Executives should be able to easily understand the status of issues, events and unresolved findings, and then be able to hold individuals responsible for working through solutions.
- A coordinated GRC initiative will replace redundant audits and assessments that require multiple, parallel searches for the same information. Instead, information-sharing allows the data gleaned from one search to inform departments across the organization.
- Organizations benefit from consistent GRC practices that are applied uniformly throughout the company. Consistent standards of methodology and reporting allow analysts to compare data and extract insights more easily. Without consistency, organizations are unable to prioritize potential threats and corresponding safeguards.
- Any organization that goes through the trouble of establishing an integrated GRC approach needs to know that it is going to last. GRC solutions should be implemented with the idea of change in mind. These initiatives need to be scalable, so as to grow with the company, and flexible, to meet the unforeseen challenges of new regulations or risks.
- In an increasingly complex business environment, gaps in security management can be hard to spot but costly to the health and success of the organization. An integrated GRC program can provide security monitoring and threat modeling, allowing businesses to mitigate the risk of security breaches and bring their systems and information in line with acceptable risk tolerances.
Entity Management Systems Provide the Key to Integrated GRC
Robust entity management systems offer essential tools for launching an integrated GRC initiative. By corralling disparate company data into a single, centralized platform, entity management technology provides organizations with a reliable, accurate source of company data in a secure, protected environment. Departments can feel confident sharing information and collaborating across the enterprise. Automated processes create seamless risk and controls monitoring and assure consistency throughout the organization. What's more, entity management systems can be built out and expanded to accommodate the needs of a rapidly expanding organization.
For more information about how entity management systems can help you achieve an integrated GRC launch, contact Diligent today.