Even as the governance, risk and compliance (GRC) industry focuses on convergence as a way to simplify, enhance and accelerate GRC programs, it is essential that GRC stakeholders acquire the ability to manage unique workflows and adapt to relevant changes in technology, regulations and business profiles.
Considerations
Here are three key considerations organizations should keep in mind as they approach convergence this year:
Organization risk management needs to be more agile.
One of the dominant GRC themes we see is the need to manage risk with greater agility. Increased regulatory expectations and the ongoing emergence of new risks represent a new, permanent operating paradigm. For many organizations, the status quo approach has been to adapt by expending significant time, money and resources to implement individual solutions that make limited use of information from other assurance functions and do not feed into a more holistic risk picture.
A better approach – an agile approach – is flexible and nimble enough to respond to the changing environment effectively and efficiently, before evolving risks can have a major impact on customers, shareholders and employees. By aligning the organization and enabling informed executive decisions, agile risk management will enable successful anticipation and response to a rapidly-changing environment, resulting in greater operational excellence and customer satisfaction.
Fundamental to creating an agile risk management framework is implementing technology and processes that create a unified operating model for business management and risk management, with clear first-, second- and third-line of defense accountability.
Organizations will more aggressively pursue GRC convergence, but in doing so, they must not forget the basics with regard to people, processes and technology.
According to the fashion idiom “everything old is new again,” fashions go out of style, then come back with a modern twist. In 2016, organizations will need to refocus on the basics of people, processes and technology. In a world in which rapidly released whiz-bang technologies promise to solve all problems, too many companies tend to buy a new technology before they have created an adequate GRC framework that addresses these foundational elements of the business. This has to be a framework that takes into account the needs of all stakeholders, that anticipates the end state of the business processes they want to support and that can grow and adapt as their risk profile changes.
The good news is that modern GRC applications are far more extensible and configurable than they used to be, such that organizations’ integrated GRC frameworks can be supported by a number of platforms. But it is imperative that this not be taken as a license to “put the cart before the horse” and take a technology-first approach.
To implement new technologies successfully, organizations need to get back to first looking across the five other key elements of their GRC infrastructures: the organization of the business, the policies that need to be implemented, the processes that need to be supported, the methodologies to be used and the reporting requirements. Once this is done, the right technology can be implemented to ensure an agile, scalable environment that effectively supports the organization’s changing needs.
Organizations are well served to leverage existing infrastructure as part of their convergence strategy.
To respond to risk with agility, organizations need a harmonized GRC framework that allows for differences among stakeholders. They also need a foundational technology architecture that supports bringing different stakeholder groups together to share GRC process information – while allowing differences to exist and providing key capabilities that relate to a particular domain.
To achieve this, organizations – and the GRC industry in general – need to realize there is no one-size-fits-all solution. And while it’s important to converge GRC activities as much as possible when there is true synergy, most organizations will need to continue to rely on different existing systems that meet their particular needs. As a result, GRC committees tasked with coordinating multidisciplinary efforts will be well served to consider elements of their existing infrastructure that can provide an overlay of workflow and reporting that allows different systems to complement each other and enable holistic management dashboards.
For example, findings and actions management is a good example of where synergy and differences may exist across stakeholders. Whereas individual assurance functions typically have a need to log issues in their specific documentation system, these issues may be promoted to an enterprise issue management system – such as a centrally designated GRC platform or SharePoint – to provide business owners with a single place for acting upon their assigned issues.
Yes, convergence will be a key GRC theme in 2016, but it is essential for organizations to take a smart approach to convergence in order to increase agility and drive down costs while ensuring that all GRC stakeholders will have the workflow and reporting solutions they need.
Scott Wisniewski is a managing director in the Risk Technology Solutions practice at Protiviti, a global consulting firm. He is responsible for implementing technology solutions that help companies define, communicate, and monitor governance, risk and compliance activities across the enterprise. He is focused on helping clients adopt best-of-breed technology approaches that appropriately utilize off-the-shelf software while leveraging elements of their existing IT infrastructure to accelerate business process enablement. He also leads development of Protiviti’s proprietary technology, with a core focus on helping clients implement multidisciplinary GRC programs.
