With a common framework, collaboration processes, and some sharing of appropriate information, each department can both contribute to and benefit from synergies.
Synergies from Compliance
- Internal audit can incorporate known compliance breaches and critical compliance risks into their priorities when building an audit plan
- Internal control can focus on the controls linked to the highest potential compliance risks
- Compliance breaches can be used as triggers to re-assess risks or controls
Synergies from Risk Management
- Internal audit can tailor their audit plan to focus on the highest potential risks
- Internal control can take into account the criticality of the associated risk when testing or evaluating controls
- Loss events can be used as triggers for re-assessing controls
Synergies from Internal Control
- Compliance can focus their resources on policies and regulations linked to controls that have poor testing or assessment results
- Internal audit can check their findings against the control testing results
Synergies from Internal Audit
- Any high-priority recommendation can become a trigger for other departments to re-examine and re-assess risks, controls, or policies
Each of these synergies can ultimately be classified in one of two categories.
- Either they allow you to be more efficient through prioritizing tasks: By using other departments' work to define their priorities and focus on high-risk areas (a risk-based approach), GRC departments are able to make better use of their resources and accomplish more with less.
- Or they allow for increased agility: Triggers and alerts based on one department’s findings can help other departments react more quickly, and make corporate governance as a whole more agile and reactive. In a fast-paced business world with tighter budgets and an ever-expanding collection of regulations, rules, and risks, any gain in productivity, any increased ability to react quickly, is a true ace up your sleeve.
GRC departments can and should work together within a common framework. The benefits are too great to be ignored, especially when considering all the potential synergies for and from each individual GRC department.