There is however an important issue to address, the fact we are talking about several departments here, each with its own agenda and missions. This means that there is not necessarily a shared approach, a common front between Audit, Compliance, Risk Management and Internal Control as they assess and mitigate risks and as they report their findings to the board.
There is a natural inclination for those departments to try and keep strong information barriers and work in silos. Fear of self-incrimination, Chinese walls, and plain reluctance to share data are a strong deterrent. According to the OCEG 2014 GRC Maturity Survey (1), 80% of respondents said that their organizations were using non-integrated, standalone GRC solutions for each department with little to no sharing of information between them. This poses a problem when considering the potential benefits of having a more integrated approach.
Efficiency: When information is shared, it becomes possible to avoid duplicate work. When several teams work on essentially the same subjects, potential threats to the company that would prevent the accomplishment of objectives, work from two teams might cover the same items. The best possible example is action plans. Sharing them in a common repository will allow for removing duplicate work. An integrated approach helps your GRC program to run more smoothly.
Effectiveness: All GRC departments have the same goal and the same subject matter, the company’s risks. Doesn’t it make sense for them to capitalize on each other’s work? By checking findings and assessment results from other departments, you shed additional light on your own work and identify potential blind spots, making for an improved GRC framework.
Awareness/culture: An integrated approach between the various GRC departments will allow for the development of a shared vocabulary, shared nomenclatures and shared processes. There will be a single definition, a unified framework for risks and controls in the company, making for increased awareness, not only between GRC functions but also for business users.
Vision: Finally, as stated earlier, it all comes back to the board level. GRC departments have to report to them as they are responsible for the final oversight. At this point, it makes sense to provide an integrated, comprehensive report of all risk and control findings by all GRC departments so that the board can have a comprehensive vision of corporate governance in order to take appropriate decisions.
This last benefit is crucial; it does not make sense for the board to piece together a complete vision of their corporate governance from four or five fragmented accounts when a consolidated approach would have been available in the first place. Not only would it be more efficient, it would ensure no information is lost in consolidation. With an integrated GRC approach, the board can make more informed decisions, quicker than with a silo-based approach.
(1) Open Compliance and Ethics Group 2014 GRC Maturity Survey
