GRC Maturity: From Disorganized to Integrated Risk and Performance - Part I
Liz Andrews 2700041WEU firstname.lastname@example.org | | Tags:  grc risk openpages | 0 Comments | 1,484 Visits
This is the first in a series of four blog posts where we will present risk and compliance speaker and thought leader, Michael Rasmussen's, GRC maturity model. For more insightful information on GRC and to exchange ideas with risk and finance colleagues, come see us in Orlando at Vision 2012.
Success in today’s dynamic business environment requires organizations to integrate, build and support business processes with an enterprise view of governance, risk management and compliance (GRC). Without an integrated view of risk and compliance, the scattered and nonintegrated approaches of the past fail and expose the business to unanticipated risk.
In a mature GRC program, the organization has an integrated process, information and technology architecture that provides visibility across risk and compliance domains. It offers an integrated approach for business managers and executives to leverage GRC data for risk-aware decision-making and resource allocation.
Inevitable Failure: Managing GRC in Silos
The multifaceted risk environment
Risk to the business is like the hydra in mythology — organizations combat risk, only to find more risk springing up to threaten them. Executives are constantly reacting to risk appearing around them and fail to actively manage and understand the interrelationship of risk across the enterprise.
The dynamic and global nature of business is particularly challenging to risk management. As organizations expand operations and business relationships (e.g., vendors, supply chain, outsourcers, service providers, consultants and staffing) their risk profile grows exponentially. Organizations need to stay on top of their game by monitoring risk to their business internally (e.g., strategy, processes and internal controls) and externally (e.g., competitive, economic, political, legal and geographic environments) to stay competitive in today’s market. What may seem an insignificant risk in one area can have profound impact on others.
Organizations are increasingly aware of the critical need to link risk management and corporate performance management. To manage corporate performance, the organizations must understand risk and make risk-informed business decisions.
In the area of regulatory risk, organizations face an expanding regulatory environment with rapidly increasing requirements that burden the business. Organizations face expanding regulations, increased fines and sanctions, and aggressive regulators and prosecutors around the world. Reputation and brand protection is also a significant compliance and risk management issue in a global environment.
Isolated risk and compliance initiatives introduce greater risk
Managing GRC activities in disconnected silos leads the organization to inevitable failure. Reactive, document-centric and manual processes for GRC fail to actively manage risk in the context of business strategy and performance, and leave the organization blind to intricate relationships of risk across the business. Siloed GRC initiatives never see the big picture and fail to put GRC in the context of business strategy, objectives and performance, resulting in complexity, redundancy and failure. The organization is not thinking about how GRC processes and controls can be designed to meet a range of risk and compliance needs. An ad hoc approach to GRC results in poor visibility across the organization and its control environment, because there is no framework or architecture for managing risk and compliance as an integrated part of business. When the organization approaches risk in scattered silos that do not collaborate with each other, there is no possibility to be intelligent about risk and understand its impact on the organization.
A nonintegrated approach to GRC impacts business performance and how it is managed and executed, resulting in:
The pain organizations have expressed
Siloed GRC processes, though effective in their own silos, are ineffective at an aggregate level, as the organization does not have a complete view of GRC in the context of the business. Corporate Integrity finds organizations that lack a collaborative, integrated and enterprise approach to GRC have:
Continue on to Part II in this series: GRC Maturity — Measuring a New Paradigm for Risk and Compliance