Over the past decade, the adoption of Governance, Risk and Compliance (GRC) technology has matured from a compliance-driven to a more integrated approach. This shift towards an integrated GRC strategy is driven by various trends.
Growing stakeholder expectations, for instance, are a key driver in this context. Organizations are no longer held accountable only for financial performance; stakeholders now request (real-time) assurance on almost every important business area (risk management, regulatory compliance, IT, (information) security, etc.). Societal drivers also play a role. I’m not only thinking about the increased use of the internet and mobile devices but, more generically, about an increased focus on social responsibility. For many organizations there is a need to (re)build ‘trust’, a clear demand for transparency, clarity and simplicity. And we all know that trust is hard to get and very easy to lose! And of course there are the ever increasing regulatory demands. With new standards and mandates coming into effect at an unprecedented pace, the need to keep up with regulatory changes and ensure ongoing compliance with them has emerged as a crucial priority for organizations across all industries. Organizations are exposed to legal penalties, payment of damages, limitation of business opportunities, diminished reputation, lessened expansion potential and voiding of contracts.
There’s a growing consensus that breaking through the traditional silos and integrating the different GRC domains is the right way forward. A recent OCEG survey, for instance, revealed that 90% of organizations adopting an integrated strategy for Governance, Risk (management) & Compliance (GRC) state that integration provided benefits that met or exceeded expectations. At the same time, the majority of IT spending still happens within the organizational silos, resulting in an average of 4.6 GRC applications in use per organization. So obviously most organizations still struggle with this topic.
So what does integrated GRC actually mean? When talking to companies investing in GRC technology to facilitate their integrated GRC strategy, I find that integrated GRC is usually interpreted as integration within the typical GRC domains such as (operational) risk, IT risk, compliance, audit, business continuity etc. I believe this is part of the reason why so many organizations still struggle. The trends I described earlier call for strategies that go beyond integration of the typical GRC domains and embed GRC within the design and execution of business processes, ensuring these are aligned with the organization’s strategy and objectives.
In my opinion organizations should not only align their risk, control, compliance and audit functions but also connect them with strategic, tactical and operational objectives and business performance measures. Business processes are the means by which those business objectives are achieved and performance measures delivered. So a process-driven approach to GRC is needed to establish a comprehensive, enterprise-wide risk and control governance model, ensuring that the risk strategy is balanced and that responsibilities and ownership are properly defined. It’s all about collaboration and making sure the people involved can leverage consistent methods, practices and infrastructure. And last but not least, the right technology is essential to enable this transformation.