Who in medium- to large-sized companies is tackling the issue of Corporate Governance?
Taking the approximately 90 conference participants as a subset of the industry, the attendees included Heads of Audit, Heads of Compliance and Heads of Legal. Most of the people in those functions have a legal background: they are either practising lawyers or have moved from the legal department into compliance. It was interesting to see how many attendees had originally been doing something else before the compliance hat was placed on their heads. It was also surprising to see how often the compliance position is a shared or part-time one. Many of the participants wore more than just the compliance hat, or led teams made up of shared positions.
Do Governance, Risk and Compliance functions collaborate?
Raising the topic of interdepartmental collaboration elicited responses across the spectrum. The general consensus seemed to be that most people know the different functions should collaborate, but in practice this mostly happens in the form of workshops and discussions like those at this event. Defined, scheduled interactions supported by a common or shared tool seemed somewhat foreign to most participants. The need for interfaces between the functions is recognised, but most had little or no idea what these could look like or how they would work. That Compliance and Audit are different is clear to everyone, but where they differ and where they overlap varies from one organization to the next. Further complicating matters, the boundaries between departments are often not defined, making it difficult to identify the right interface.
What are the challenges for GRC departments?
Most departments are overburdened with work and lack the necessary resources, while the demand for auditing, compliance checking and corporate governance in general keeps increasing. This can also be seen in the complex make-up of many departments, which have to balance full-time, part-time and shared staff.
How are the collaboration challenges being addressed?
Most departments rely on MS Office tools: Excel spreadsheets, interviews based on questionnaires, databases in which they store documented risks, Word documents for policies, etc. The idea of a single software system that respects access rights, user profiles and data separation while sharing one common model and structure is not yet widely understood. The value and benefits of such a tool are perceived, but the details of how it would function are unclear to many practitioners.
What can be done to bring greater integration and alleviate current challenges in interdepartmental collaboration?
Closing the current gap between workload and resources in compliance departments is where software can really make a difference. Better integration of GRC departments requires bridging audit, compliance and risk on three levels: the enterprise structure level, the day-to-day activity level and the communication level. The enterprise structure level is important to ensure that processes, business units and risk factor catalogues can be centrally coordinated, minimizing the likelihood of wasting scarce resources on duplicated work. On the activity level it is important that action plan management is coordinated, that findings are documented, and that process versioning and validation are carried out. The communication level is key to ensuring that the work done on the other two levels is not simply written up, put on a shelf and left to gather dust. Communication can take many forms, including a portal with different views for different people, aggregating dashboards and report generation.
At MEGA we have been listening and have developed a Regulatory Compliance solution to provide answers to the resource gap challenge and help integrate the interfaces with the other GRC departments. A more detailed description of this solution can be found here.